[CentOS] Fedora change that will probably affect RHEL

Tue Jul 28 20:46:29 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Tue, Jul 28, 2015 at 1:06 PM, Chris Adams <linux at cmadams.net> wrote:
> Once upon a time, Warren Young <wyml at etr-usa.com> said:
>> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pnwed hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
> Since most of that crap comes from Windows hosts, the security of Linux
> SSH passwords seems hardly relevant.

Botnets are terrible, it doesn't matter how many of them there are or
on what platform. The reason why they exist is bad practices. So there
needs to be better application of best practices, and best practices
need to be easier and default and automatic whenever possible. That
applies to all platforms. So I'm not opposed to changes in Fedora, and
by extension eventually to CentOS and RHEL, but they have to be
balanced out.

Windows Server has power shell disabled by default. The functional
equivalent, sshd, is typically enabled on Linux servers. So I think
it's overdue that sshd be disabled on Linux servers by default,
especially because the minimum password quality under discussion is
still not good enough for forward facing servers on the Internet with
static IPv4 addresses. They will get owned eventually if they use even
the new minimum pw quality, and that's why I see pw quality as the
wrong emphasis - at least for workstations.

>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people’s machines.
> Your freedom to dictate terms to me stops at my system, which you cannot
> access even if I set the password to "12345".  You are making an
> assumption that every Fedora/CentOS install is on the public Internet,
> and then applying rules based on that (false) assumption.

Exactly. My dad will absolutely stop using his iPad if it ever
requires him to use anything more than 4 numeric digits for his
password. The iPad never leaves the house.

Future concern is IPv6 stuff, now that Xfinity has forcibly changed
their hardware to include full IPv6 support. I have no idea if this is
NAT'd or rolling IPs or what. But the iPad has no remote services
enabled. And the Mac has SSH PKA required. So I'm not that concerned
about their crappy login passwords. Their online services are another
matter, those I've made very clear they will be strong or they don't
get to play.

Chris Murphy