[CentOS] Fedora change that will probably affect RHEL

Thu Jul 30 22:27:31 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 07/30/2015 12:35 PM, Chris Murphy wrote:
> No fail2ban, no firewall rules, sshd by default, challengeresponseauth
> by default,

ChallengeResponseAuth is not on by default, on Red Hat derived systems.  
I'm pretty sure that was already clarified, much earlier in this thread.

> and a 9 character (even random) passphrase, and that shit
> is going to get busted into. Against a targeted attack by a botnet,
> you need something stronger than a 9 character password, today. Let
> alone 6 years from now.

6 years from now, the maximum speed of guessing passwords against an ssh 
server will be exactly the same as it is today.  The server imposes 
delays on failure and maximum connection numbers.  With those 
mechanisms, the rate is constant.

> Diceware puts the minimum for large botnet protection
> at 5 word passphrases. 6 word passphrases for protection against a
> government entity. Your idea of strong thus far is 9 characters which
> seems to be b.s. today and certainly laughable in 6 years when we do
> the autopsy on today's policy successes and failures.

I've read your references to diceware here and earlier in this thread, 
and I'm pretty sure you don't understand it.  Their page makes the 
purpose clear: "Short passwords are OK for logging onto computer system 
that are programmed to detect multiple incorrect guesses and protect the 
stored passwords properly, but they are not safe for use with encryption 
systems."

Diceware is intended to help you generate passphrases that you will use 
to protect an encryption key, such that an offline attack against that 
passphrase is unfeasible.

You appear to be advocating for significantly longer passwords for 
authentication, but as diceware makes clear, online attacks are already 
mitigated by rate limits enforced by the server.  Offline attacks, such 
as diceware is intended to thwart, are only possible if the attacker has 
your password file.  In which case they already have root.  In which 
case they don't really need to crack your passwords.

So, unless I misread you, can we let this thread die out?
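The point made above (online guessing is bounded by the server's connection and failure limits, so the attacker's throughput does not grow with hardware, while offline cracking of a stolen password file does) can be put into numbers. The following is an added example, not part of the original mailing-list message or of any OpenSSH code. It models the two regimes with a few parameters: the sshd defaults `MaxStartups 10:30:100` and `MaxAuthTries 6` are real, but the per-failure delay and the offline hash rate are assumed values chosen for illustration and marked as such in the code.

```python
import math

# Alphabet sizes used for the entropy estimates.
PRINTABLE_ASCII = 94      # letters, digits and punctuation of a random password
DICEWARE_WORDS = 7776     # size of the standard Diceware word list (6^5)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(symbol_count)


def online_guess_rate(max_parallel: int, tries_per_conn: int,
                      delay_per_failure: float) -> float:
    """Upper bound on password guesses per second against one sshd.

    Simplified model: the server accepts at most `max_parallel` unauthenticated
    connections at once (the last field of MaxStartups), each connection gets
    `tries_per_conn` attempts (MaxAuthTries) and every failure costs
    `delay_per_failure` seconds before the next attempt is accepted.
    The bound is independent of the attacker's hardware.
    """
    seconds_per_connection = tries_per_conn * delay_per_failure
    return max_parallel * tries_per_conn / seconds_per_connection


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a `bits`-bit secret at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(bits: float, online_rate: float, offline_rate: float) -> dict:
    """Years to exhaust the keyspace in the online and the offline regime."""
    return {
        "bits": bits,
        "online_years": years_to_exhaust(bits, online_rate),
        "offline_years": years_to_exhaust(bits, offline_rate),
    }


if __name__ == "__main__":
    # Assumed parameters (not from the page): a 3 s delay per failed attempt
    # and an offline cracker doing 10^10 hashes/s against a stolen hash file.
    online = online_guess_rate(max_parallel=100, tries_per_conn=6,
                               delay_per_failure=3.0)
    offline = 1e10

    for label, bits in (
        ("9 random printable ASCII chars", entropy_bits(PRINTABLE_ASCII, 9)),
        ("5 Diceware words", entropy_bits(DICEWARE_WORDS, 5)),
        ("6 Diceware words", entropy_bits(DICEWARE_WORDS, 6)),
    ):
        r = compare(bits, online, offline)
        print(f"{label:32s} {r['bits']:5.1f} bits  "
              f"online: {r['online_years']:.2e} y  "
              f"offline: {r['offline_years']:.2e} y")
```

Run as a script, the table shows why the two sides of the thread talk past each other: under the rate limit a 9-character random password takes on the order of 10^8 years to exhaust, so longer online passwords buy nothing measurable, whereas the same password falls to offline cracking in a few years and the Diceware word counts only matter in that offline setting.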