On ke, 14 joulu 2016, Petr Spacek wrote:
On 13.12.2016 22:57, Tom Hughes wrote:
On 13/12/16 21:32, Simo Sorce wrote:
On Tue, 2016-12-13 at 18:52 +0000, Tom Hughes wrote:
The main goal of long random passwords after all is about a combination
of making them hard to brute force and ensuring that every service has a
unique password to guard against credential reuse attacks when one of
the many services everybody has logins for experiences the inevitable
loss of their poorly secured database.
I always find it somewhat depressing that the more sophisticated a login
system becomes the worse my security on it seems to get because I wind
up having to use weaker passwords. Banks are the classic example because
they rarely have a straightforward password even as one part of their
authentication but anything that means I have to remember a password
hits the same problem.
Don't remember it if it bothers you, why do you use a double standard if
the password is not sent via browser but through a CLI ?
It's an interesting question, and the first thing I'd say is that there are
actually very few passwords that I enter at a CLI at all. Once I've unlocked
gnome keyring by logging into my laptop or desktop it's mostly only when I
want to sudo as other things tend to be by ssh public key auth from my keyring.
I think the threat model is very different as well, at least for me, as the
environments where I am entering a password for sudo for example are all ones
which I control and where I know how the password database is stored while for
web based logins I operate on the basis that I have no idea whether any given
site has the sense to hash it's passwords or to adequately protect it's user
database.
Obviously I'm sure the FAS database is properly protected but the ways of
working I have developed are based around not assuming that for web logins
hence why I switched to random passwords and a password manager many years ago.
Anyway, it looks like like GOA with the realmd fix likely does what I want,
which is good news.
Theoretically, if you really really want random password and never type it,
you can retrieve keytab for your account. The keytab file can contain e.g.
random 256 bit AES key so you will as safe as you can, assuming no attacker
can gain access to that file (which you assume already).
In Kerberized world this is usually done for machine/service accounts but
technically nothing prevents you from using the same method for your own
account.
See man page for command ipa-getkeytab from package freeipa-client (or use
command kpasswd).
We don't have access to FreeIPA LDAP or kpasswd interface in Fedora
Infrastructure. These aren't exposed publicly.
--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
