Re: gnome-password-generator replacement?
On 18.06.2017, stan wrote:
> It doesn't have a gui that I know of, but I use pwgen from the Fedora
> repositories. It warns that the passwords are less secure than fully
> random passwords

Pwgen uses /dev/urandom, so the statement that those passwords are less secure than "fully" random passwords (define "fully random"..) is merely of academical nature. In case of any doubt, you can always do something like

head /dev/random | tr -dc A-Za-z0-9 | head -c X

where X is your password length. Tr also lets you tailor the character set used.

___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: gnome-password-generator replacement?
Andre Robatino:
> If you use a password manager, you can use a different strong random
> password for each site, and copy and paste it. Fifty characters is
> just as easy as 8, and means you don't have to worry about changing
> the password again (unless a website like Socialsecurity.gov forces
> you to, and they should eventually stop doing that).

That's all very well as long as you only use one device. When you have several computers, devices, using other people's equipment, etc., password managers soon become their own pain. So people use an on-line password manager, and create a single-point of failure for multiple accounts.

Tim:
>> Really, what ought to get tightened up is the software accepting logons.
>> There should be a limited number of attempts (3 goes and you're out for a
>> significant time limit). Any system that lets a cracker hammer away
>> with repeated attempts is the thing that is broken.

> That works as long as the website isn't hacked.

A different problem. Though perhaps related, it depends on how the site was hacked. If they let someone peck away at it, it's down to the same problem.

Sites really need to stop storing your passwords, they need to keep something that can only be used to confirm correct authentication, and not be reverse engineerable to discover the password.
Re: gnome-password-generator replacement?
> On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
>
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> remember and type. With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file). You're not supposed to write passwords
> down anywhere.

If you use a password manager, you can use a different strong random password for each site, and copy and paste it. Fifty characters is just as easy as 8, and means you don't have to worry about changing the password again (unless a website like Socialsecurity.gov forces you to, and they should eventually stop doing that).

> Really, what ought to get tightened up is the software accepting logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit). Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.

That works as long as the website isn't hacked. If it is, even if the passwords are hashed (which they often aren't), the hash can be cracked if the password is weak. This actually happened to my PayPal account in 2002. At the time, I was using a weak password vulnerable to a dictionary attack (but not to only several login attempts). PayPal sent me an email asking me to change my password, claiming it was just a random request and had nothing to do with a specific attack. Since I knew my password was secure against a handful of login attempts, I just changed the password and then immediately changed it back to the original one. Shortly after, my account was hacked and money was withdrawn from my bank account. PayPal admitted in a later email that there actually had been an attack where the password hashes were stolen (implying that they were lying the first time). PayPal did eventually reimburse me for the money.

The point is that it's good if a website limits login attempts, but you can't rely on that. I always assume that the hash could become public, and choose my password accordingly. (Of course, many websites store passwords in plain text, in which case the only thing that helps is not using the same or similar password anywhere else.)
Re: gnome-password-generator replacement?
On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> I think it isn't necessary to have all those special characters in
> order to have strong passwords.

I completely agree, it's just as impossible to guess that a password is "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to remember and type. With the peculiar password rules, I have no choice but to do the insecure and write down passwords somewhere (whether that's on paper or on file). You're not supposed to write passwords down anywhere.

About the only benefit of stupid character rules is to try and stop people putting in guessable things, like their child's birthday. But the usual rules won't stop people using "John1983$".

What these rulemakers forget is that password cracking is an all or nothing venture. You have to get it exactly right to crack it, you don't get hints that you're almost correct.

Really, what ought to get tightened up is the software accepting logons. There should be a limited number of attempts (3 goes and you're out for a significant time limit). Any system that lets a cracker hammer away with repeated attempts is the thing that is broken.

> I think the real danger with passwords is that people use the same one
> (usually weak) on multiple sites, so if a site gets cracked, they are
> endangered in other places.

I quite agree. Along with other stupidities, such as a website telling users to login with their email address and password. Instead, it ought to ask people to login with their account name and *this* site's password. People stupidly give their credentials away to all and sundry with prompts like that. The account creation process should specifically say not to use the same password as they use anywhere else.
Re: gnome-password-generator replacement?
Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.
Firefox
Not able to control the maximize control on my firefox web browser. If I unmaximize the browser and close it out, when I log back on, it automatically goes to maximize. Can anybody help with this matter? Am I reporting to the list?

--
All things are workable but don't all things work. Prov. 3:5 & 6
Re: gnome-password-generator replacement?
On 06/18/2017 07:03 PM, Tim wrote:
> 1. Used to be able to customise GDM, can't anymore without serious hacking.
> 2. Used to be able to have screensavers, now you have to bodge in something else.
> 3. Used to have decent control of the audio mixer, now there's none.

4. Used to be able to customize your desktop without installing third party add-ons that might break without warning at the next update.
Re: Is default umask of 022 still reasonable for Fedora?
On Mon, 19 Jun 2017 05:49:20 +0800 Ed Greshko wrote:
> You haven't described your environment. Without that knowledge any
> advice on umask is questionable. Remember, umask isn't, and never
> was, intended to be a high security mechanism.

Home workstation with no web facing services. I could probably get away with a umask of 000. Even for root. But it just seems wrong to give world read access to home files for a user, by default.

I think of security as layers, and good practices. While umask might not be a high security mechanism, there is no need to leave it weaker than it has to be. It seems to me that linux depends a lot on file permissions for security, particularly for root.

Thanks for your thoughts.
Re: gnome-password-generator replacement?
On Sun, 18 Jun 2017 20:55:08 - "Andre Robatino" wrote:
> Thanks. I had actually installed pwgen a few months ago, but it
> looked like the passwords weren't strong enough.
> gnome-password-generator has a Character set option "All printable
> (excluding space)". It appears that "pwgen -sy 30 1", for example,
> does just that, and "pwgen -s 30 1" is the same as "Alphanumeric
> (a-z, A-Z, 0-9)". I use a password manager, so only care about
> maximum entropy. It would be really nice if there was something where
> you could specify an exact set of characters to either include or
> exclude, to cope with certain websites that allow only some special
> characters.

I think it isn't necessary to have all those special characters in order to have strong passwords. Open an xterm, and start python by typing python. Then paste the following into the command line and hit enter.

(62**30) // (864 * 366)

There are 62 unique possibilities with upper and lower case letters and numerals. This is the number of years that a million brute force attempts per second would take to crack that 30 character password with only letters and numbers. With 9 alphanumerics instead of 30, it's about 400 years, which seems more than adequate. The special characters add another 30 possibilities, so the passwords can be shorter for the same strength, but a 33 character alphanumeric password is ~ the same as a 92 possibility 30 character password. People cracking strong passwords don't know that you haven't used 92 characters instead of 62, so they have to check all 92. :-)

Control-D exits the python interpreter.

When I hit pwgen -y, it generates columns of 8 character passwords with a number, a capital, and a special character. If you need specific special characters, just grab a few of those with the special characters you need and concatenate them (4 would be 32 character), or change the special character(s) to the one(s) you need.

I think the real danger with passwords is that people use the same one (usually weak) on multiple sites, so if a site gets cracked, they are endangered in other places. You've already finessed that by using a password manager, so you can easily have unique, strong passwords at every site.

But these are just my opinions, you have to do what makes you feel comfortable with your security.
Re: gnome-password-generator replacement?
JD wrote:
>> gnome project keeps doing things that disable the user.

Matthew Miller:
> This seems... unnecessary.

Though, I'd say it's accurate. You could build up a list of things that keep getting removed from your control in Gnome. I'm not going to attempt to build up an extensive one, but as someone who's used Gnome on Fedora since Fedora began, and Red Hat Linux beforehand, I have definitely noticed things being removed from user control. Here's just a few, and I'm sure others could add quite a few more, if they wanted:

1. Used to be able to customise GDM, can't anymore without serious hacking.
2. Used to be able to have screensavers, now you have to bodge in something else.
3. Used to have decent control of the audio mixer, now there's none.

Others have commented that if they try to bring up user-configuration of Gnome in the Gnome arena, it always gets howled down. The evidence is against your assertion.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

I reserve the right to be as hypocritical as the next person.
Re: gnome-password-generator replacement?
makepasswd also looks useful. It's clumsier to use, but more flexible. You use the -c option followed by a string to specify the exact set of allowed characters. The following prints all of the 94 non-space printable characters:

for (( c=33; c<=126; c++ )); do printf "\x$(printf %x $c)"; done

which you can use to construct a makepasswd command using all of those characters (putting all the special chars at the end, and backquoting each of them)

makepasswd -c 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~ -l 30

(for a 30-character password) and you can remove special chars depending on what a particular website allows.
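The tr pipeline and the makepasswd -c character list discussed in this thread both sample from an explicit character set. The following is an added example, not code from any poster: a POSIX shell version that takes the set as a literal string, supports excluding characters a site rejects, and escapes the set so that tr treats '-', '\' and '[' as ordinary characters. The helper names (all_printable, tr_literal, charset_without, gen_password, entropy_bits) are hypothetical, the '<>&%\' site rule is constructed, and ASCII input with /dev/urandom and head -c available is assumed.

```sh
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical.
# Character sets are assumed to be single-byte ASCII without duplicates.

# all_printable: the 94 non-space printable ASCII characters (codes 33..126).
all_printable() {
    c=33
    while [ "$c" -le 126 ]; do
        printf '%b' "\\0$(printf '%o' "$c")"
        c=$((c + 1))
    done
}

# tr_literal STRING: print STRING as a tr SET made only of octal escapes,
# so '-', '\', '[' and ']' are taken literally instead of as tr syntax.
tr_literal() {
    s=$1
    while [ -n "$s" ]; do
        rest=${s#?}
        ch=${s%"$rest"}
        printf '\\%03o' "'$ch"
        s=$rest
    done
}

# charset_without SET EXCLUDE: SET with every character of EXCLUDE removed.
charset_without() {
    printf '%s' "$1" | LC_ALL=C tr -d "$(tr_literal "$2")"
}

# gen_password LENGTH SET: LENGTH characters drawn uniformly from SET.
# Bytes from /dev/urandom that are not in SET are discarded (rejection
# sampling), so there is no modulo bias; head stops after LENGTH survivors.
gen_password() {
    len=$1
    chars=$2
    case $len in
        ''|*[!0-9]*|0) echo "gen_password: bad length" >&2; return 2 ;;
    esac
    [ -n "$chars" ] || { echo "gen_password: empty character set" >&2; return 2; }
    LC_ALL=C tr -dc "$(tr_literal "$chars")" < /dev/urandom | head -c "$len"
}

# entropy_bits LENGTH SET: LENGTH * log2(number of characters in SET).
entropy_bits() {
    LC_ALL=C awk -v l="$1" -v n="${#2}" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# Demo: the full set, then a constructed site rule that rejects < > & % and \.
all=$(all_printable)
site=$(charset_without "$all" '<>&%\')
printf '%s  (%s bits)\n' "$(gen_password 30 "$all")" "$(entropy_bits 30 "$all")"
printf '%s  (%s bits)\n' "$(gen_password 16 "$site")" "$(entropy_bits 16 "$site")"
```

Passing 0123456789 as the set gives a digits-only PIN, the case reported against pwgen elsewhere in this thread.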
Re: Is default umask of 022 still reasonable for Fedora?
On Sun, 18 Jun 2017 17:11:11 -0400 Jon LaBadie wrote:
> Minor correction, a umask 022 will set execute on new directories
> (drwxr-xr-x), but not new files. They would be -rw-r--r--.

Not so minor! Thanks.
Re: Is default umask of 022 still reasonable for Fedora?
On 18Jun2017 13:24, stan wrote:
> I recently became aware that the default umask for Fedora is 022 when it caused problems for me that I had a different umask. This seems like an anachronism, a relic of a kinder, gentler time, when the computing atmosphere was more collegiate. Is it really appropriate that new files be created for a user with permissions of rwxr-xr-x in today's security atmosphere?
>
> I set my umask to 077, so that no one can access anything.
>
> I'm interested in other people's opinions, especially those arguing in favor of continuing to have a umask of 022. Am I overlooking something?

As remarked elsewhere, it does depend on your environment.

I like 027 myself. Combined with setgid directories it leaves things readable by the group of the working area, but otherwise private. Then one just arranges group ownership. A workable default.

Cheers,
Cameron Simpson
Re: Is default umask of 022 still reasonable for Fedora?
On 06/19/17 04:24, stan wrote:
> I recently became aware that the default umask for Fedora is 022 when
> it caused problems for me that I had a different umask. This seems like
> an anachronism, a relic of a kinder, gentler time, when the computing
> atmosphere was more collegiate. Is it really appropriate that new
> files be created for a user with permissions of rwxr-xr-x in today's
> security atmosphere?
>
> I set my umask to 077, so that no one can access anything.
>
> I'm interested in other people's opinions, especially those arguing in
> favor of continuing to have a umask of 022. Am I overlooking something?

You haven't described your environment. Without that knowledge any advice on umask is questionable. Remember, umask isn't, and never was, intended to be a high security mechanism.

--
Fedora Users List - The place to go to speculate endlessly
Re: gnome-password-generator replacement?
BTW, just noticed a bug. pwgen doesn't have an option to use numbers only (for creating PINs) so I tried to use "pwgen -n 1" to generate a sequence of random digits. But all of the 1-character passwords are lower-case letters, no digits. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1462557 .
Re: Is default umask of 022 still reasonable for Fedora?
On Sun, Jun 18, 2017 at 01:24:17PM -0700, stan wrote:
> I recently became aware that the default umask for Fedora is 022 when
> it caused problems for me that I had a different umask. This seems like
> an anachronism, a relic of a kinder, gentler time, when the computing
> atmosphere was more collegiate. Is it really appropriate that new
> files be created for a user with permissions of rwxr-xr-x in today's
> security atmosphere?
>

Minor correction, a umask 022 will set execute on new directories (drwxr-xr-x), but not new files. They would be -rw-r--r--.

> I set my umask to 077, so that no one can access anything.
>
> I'm interested in other people's opinions, especially those arguing in
> favor of continuing to have a umask of 022. Am I overlooking something?

>>> End of included message <<<

--
Jon H. LaBadie jo...@jgcomp.com
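The umask values compared in this thread (022, 027, 077), the file-versus-directory difference pointed out above, and the "027 plus setgid directories" arrangement can be checked directly. This is an added example, not code from any poster; the function names modes_under_umask and setgid_modes are hypothetical, and it assumes GNU coreutils (stat -c) as shipped on Fedora.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Assumes GNU stat (stat -c %a prints the octal mode).

# modes_under_umask MASK: print "<file mode> <dir mode>" for a file and a
# directory created under umask MASK. The body is a subshell, so the
# caller's own umask is left unchanged.
modes_under_umask() (
    work=$(mktemp -d) || exit 1
    umask "$1" || exit 2
    : > "$work/file"     # the shell creates files with mode 0666 & ~umask
    mkdir "$work/dir"    # mkdir creates directories with 0777 & ~umask
    echo "$(stat -c %a "$work/file") $(stat -c %a "$work/dir")"
    rm -rf "$work"
)

# setgid_modes MASK: the same, but inside a setgid directory. New files
# take the directory's group, and new subdirectories inherit the setgid
# bit (the leading 2 in the mode), so the group arrangement propagates.
setgid_modes() (
    work=$(mktemp -d) || exit 1
    umask "$1" || exit 2
    mkdir "$work/shared"
    chmod g+s "$work/shared"
    : > "$work/shared/file"
    mkdir "$work/shared/sub"
    echo "$(stat -c %a "$work/shared/file") $(stat -c %a "$work/shared/sub")"
    rm -rf "$work"
)

# Demo: one row per umask discussed in the thread.
for m in 022 027 077; do
    printf 'umask %s: file/dir %s; in setgid dir %s\n' \
        "$m" "$(modes_under_umask "$m")" "$(setgid_modes "$m")"
done
```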
Re: gnome-password-generator replacement?
Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough. gnome-password-generator has a Character set option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be really nice if there was something where you could specify an exact set of characters to either include or exclude, to cope with certain websites that allow only some special characters.
Re: gnome-password-generator replacement?
On Sun, Jun 18, 2017 at 12:19:46PM -0600, JD wrote:
> gnome project keeps doing things that disable the user.

This seems... unnecessary. No one in GNOME is "disabling the user". Remember that Fedora — like GNOME, for that matter — is maintained by volunteers. For whatever reason, this package is marked as an "orphan". This means that there is not currently anyone volunteering to take care of it.

If you'd like to help, see the process for claiming an orphaned package: https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure

--
Matthew Miller
Fedora Project Leader
Is default umask of 022 still reasonable for Fedora?
I recently became aware that the default umask for Fedora is 022 when it caused problems for me that I had a different umask. This seems like an anachronism, a relic of a kinder, gentler time, when the computing atmosphere was more collegiate. Is it really appropriate that new files be created for a user with permissions of rwxr-xr-x in today's security atmosphere? I set my umask to 077, so that no one can access anything. I'm interested in other people's opinions, especially those arguing in favor of continuing to have a umask of 022. Am I overlooking something?
Re: gnome-password-generator replacement?
On Sun, 18 Jun 2017 17:25:41 - "Andre Robatino" wrote:
> gnome-password-generator will not be available in the Fedora repos
> for F26 and later. Do the repos contain a good replacement?

It doesn't have a gui that I know of, but I use pwgen from the Fedora repositories. It warns that the passwords are less secure than fully random passwords, but it allows passwords to be required to have a capital, a number, and a special character. When I put a 16 or 18 character password into a strength checker, it always comes out as highly secure. Of course, I don't remember those, I keep them in an encrypted file and cut and paste them where needed. Not sure how secure using the paste buffer would be on a shared system.
Re: gnome-password-generator replacement?
On 06/18/2017 11:25 AM, Andre Robatino wrote:
> gnome-password-generator will not be available in the Fedora repos for F26 and later. Do the repos contain a good replacement?

gnome project keeps doing things that disable the user. That is why I do not use it anymore.
gnome-password-generator replacement?
gnome-password-generator will not be available in the Fedora repos for F26 and later. Do the repos contain a good replacement?
[389-users] Re: Issues enabling SSL/TLS for config DS
Nice one! Happy to be of help and thanks for being so responsive to the initial query. Dave ___ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
[389-users] Re: Issues enabling SSL/TLS for config DS
On 06/18/2017 07:41 AM, Mark Reynolds wrote:
>
> On 06/17/2017 10:46 PM, dave_horton2...@hotmail.com wrote:
>> Hi Mark,
>>
>> I can confirm removing it from adm.conf prevents it working. Adding it
>> back, it works again.
>>
>> Possibly there's another means that normally ensures the correct range is
>> set for the config DS connection?
>>
>> The function returning the error that shows up in the log with the debug
>> build is this 'ssl3_CheckRangeValidAndConstrainByPolicy' in
>> 'nss/lib/ssl/sslsock.c'.
>>
>> Following the call stack, ADMSSL_Init calls initNSS which in turn calls
>> SSL_VersionRangeSetDefault (again in 'nss/lib/ssl/sslsock.c'). This takes
>> an initial range as input and checks and constrains it (calling
>> ssl3_CheckRangeValidAndConstrainByPolicy which generates the error).
>>
>> That initial range passed to SSL_VersionRangeSetDefault comes from the
>> following in initNSS:
>>
>> range.min = admldapGetSSLMin(info);
>> range.max = admldapGetSSLMax(info);
> My bad, yeah it's in the 389-adminutil package source code. I was
> previously looking in the 389-admin source.
>
> Updating the wiki...

The following wiki pages now contain the complete SSL version range information:

http://www.port389.org/docs/389ds/howto/howto-ssl.html
http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html
http://www.port389.org/docs/389ds/administration/adminserver.html

Thanks Dave,
Mark

>
> Thanks,
> Mark
>> Tracing back, that info was the AdmldapInfo constructed for the config
>> connection which came from adm.conf. So that was what led me to attempt
>> adding the entries to adm.conf which seemed to do the trick.
>>
>> Hope that helps.
>> David
[389-users] Re: Issues enabling SSL/TLS for config DS
On 06/17/2017 10:46 PM, dave_horton2...@hotmail.com wrote:
> Hi Mark,
>
> I can confirm removing it from adm.conf prevents it working. Adding it back,
> it works again.
>
> Possibly there's another means that normally ensures the correct range is set
> for the config DS connection?
>
> The function returning the error that shows up in the log with the debug
> build is this 'ssl3_CheckRangeValidAndConstrainByPolicy' in
> 'nss/lib/ssl/sslsock.c'.
>
> Following the call stack, ADMSSL_Init calls initNSS which in turn calls
> SSL_VersionRangeSetDefault (again in 'nss/lib/ssl/sslsock.c'). This takes an
> initial range as input and checks and constrains it (calling
> ssl3_CheckRangeValidAndConstrainByPolicy which generates the error).
>
> That initial range passed to SSL_VersionRangeSetDefault comes from the
> following in initNSS:
>
> range.min = admldapGetSSLMin(info);
> range.max = admldapGetSSLMax(info);

My bad, yeah it's in the 389-adminutil package source code. I was previously looking in the 389-admin source.

Updating the wiki...

Thanks,
Mark

>
> Tracing back, that info was the AdmldapInfo constructed for the config
> connection which came from adm.conf. So that was what led me to attempt
> adding the entries to adm.conf which seemed to do the trick.
>
> Hope that helps.
> David
Re: Strange mouse issue in VirtualBox
On 17/06/17 20:17, Tom Horsley wrote:
> I wonder if it is remotely related to this bug?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1350390
>
> If I happen to cross over a virt-viewer window on my way to some other window, the virt-viewer keeps the keyboard focus.
>
> (Probably not the same, other than obviously screwed up grabbing in some app).

That bugreport does not mention wayland or not. But I get as well the keyboard problem, but it is much less severe as no other app is affected and a simple focus switch fixes it.