On Jul 30, 2015, at 4:27 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
>
> On 07/30/2015 12:35 PM, Chris Murphy wrote:
>> No fail2ban, no firewall rules, sshd by default, challengeresponseauth
>> by default,
>
> ChallengeResponseAuth is not on by default, on Red Hat derived systems.

I'm pretty sure that was already clarified, much earlier in this thread. I think Chris is using "challenge response auth" as a synonym for "everything except public key auth", since CRA can be an umbrella auth method for just about every type of authentication, via PAM.

At bottom, I blame OpenSSH for this confusion. They should have named the pref something else, like TunneledAuth or RFC4256Auth. Then we could use the term "challenge/response" in the narrow way I defined it earlier in the thread.

>> Diceware puts the minimum for large botnet protection
>> at 5 word passphrases.
>
> I've read your references to diceware here and earlier in this thread, and I'm pretty sure you don't understand it.

I've only been talking about the online attack scenario, but Chris keeps wanting to go back to the offline scenario. Basically, he's assuming attackers will have a copy of /etc/shadow.

> Diceware is intended to help you generate passphrases that you will use to protect an encryption key

It's also useful on public web sites, since you don't know if there might someday be a SQL injection attack that can pull the users table, which may not even be salted, much less run through a KDF.

Since that is not what this proposed Fedora change is trying to address, I don't see why we need to even be talking about Diceware in this thread.
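The disagreement above about what is "on by default" comes down to which sshd_config keywords are in effect on a given host. The following checker is an added example written for this page, not code from the thread or from the OpenSSH or Fedora projects. It reads an sshd_config, applies OpenSSH's rule that the first occurrence of a keyword wins and that keywords are case-insensitive, keeps Match-block overrides separate (they apply only when the Match criteria hold), and reports whether any password-style method (PasswordAuthentication or ChallengeResponseAuthentication) is reachable for online guessing. The fallback defaults are upstream OpenSSH defaults; a distribution's shipped config (such as the `ChallengeResponseAuthentication no` Gordon mentions) overrides them, which is exactly what the parser shows. The sample config is constructed.

```python
"""Report which sshd authentication methods an sshd_config leaves enabled.

Added example for this thread, not OpenSSH or Fedora code. Models two
sshd_config rules: keywords are case-insensitive, and the first occurrence
of a keyword wins. Lines inside a Match block are conditional and are
reported separately rather than merged into the global result.
"""
import re

# Upstream OpenSSH defaults (assumption: upstream values, not a distro's
# shipped sshd_config, which may differ).
UPSTREAM_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen outside any
    Match block. match_blocks is a list of {"criteria": str, "settings": {}}.
    """
    effective = {}
    match_blocks = []
    current = None  # the Match block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        # sshd treats empty lines and lines starting with '#' as comments
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = current["settings"] if current is not None else effective
        target.setdefault(key, value)  # first occurrence wins, later ones ignored
    return effective, match_blocks


def auth_summary(text):
    """Summarise the effective global authentication posture of a config."""
    effective, match_blocks = parse_sshd_config(text)
    settings = dict(UPSTREAM_DEFAULTS)
    settings.update({k: v.lower() for k, v in effective.items() if k in settings})
    password_style = (
        settings["passwordauthentication"] == "yes"
        or settings["challengeresponseauthentication"] == "yes"
    )
    return {
        "pubkey": settings["pubkeyauthentication"] == "yes",
        "password": settings["passwordauthentication"] == "yes",
        "challenge_response": settings["challengeresponseauthentication"] == "yes",
        "use_pam": settings["usepam"] == "yes",
        # True when a remote client can submit guessed passwords at all
        "online_guessing_possible": password_style,
        # Match blocks that touch one of the keywords we care about
        "match_overrides": [
            b["criteria"] for b in match_blocks
            if any(k in settings for k in b["settings"])
        ],
    }


# Constructed sample resembling a Red Hat derived default, with a duplicate
# keyword (ignored because the first occurrence wins) and a Match block.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# duplicate keyword below: ignored, the first occurrence above wins
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# Constructed hardened variant: only public keys accepted.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, auth_summary(cfg))
```

Run it against a real `/etc/ssh/sshd_config` by reading the file into `auth_summary`; the `match_overrides` list tells you which Match blocks would need a closer look, since their settings depend on who is connecting from where.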