Re: RFC: changes to default password strength checks in pam_unix

2007-09-05 Thread Christian Perrier
Quoting Joey Hess ([EMAIL PROTECTED]): Steve Langasek wrote: Arguably if the consensus is that the default minimum password length should be raised in the users' best interests, we would want to change the makepasswd package's default at the same time. And we might also want to make d-i

Re: RFC: changes to default password strength checks in pam_unix

2007-09-05 Thread Gabor Gombas
On Tue, Sep 04, 2007 at 08:26:41PM +, Oleg Verych: gmane reading wrote: I.e *i don't care* about entering passwords on middle ground, without knowing, WTF this installer may do with them, not having comfortable environment for that _important_ action. Thus i have silly, empty passwords

sshd defaults (Re: RFC: changes to default password strength checks in pam_unix)

2007-09-05 Thread Oleg Verych (Gmane)
05-09-2007, Gabor Gombas: On Tue, Sep 04, 2007 at 08:26:41PM +, Oleg Verych: gmane reading wrote: I.e *i don't care* about entering passwords on middle ground, without knowing, WTF this installer may do with them, not having comfortable environment for that _important_ action. Thus i

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Christian Perrier
I apologize if my meaning was unclear; it was not meant to be rude. I think that looking at only the power of modern CPUs - how long it takes to crack a password - misses the point. If you enforce longer passwords than people are comfortable with, you get weaker passwords (or poor password

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Christian Perrier
Right, I know there are going to be use cases where 6 is too long for the minimum length, and users will need to lower the setting in /etc/pam.d/common-password. Do you think we need to provide some hook for these Debian Edu users to change the setting automatically, via preseeding or

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Oleg Verych
04-09-2007, John Kelly: On Sep 3, Lars Wirzenius wrote: ti, 2007-09-04 kello 10:17 +0900, Miles Bader kirjoitti: If the system is excessively anal about what passwords it will let you use, people will just start writing them down... That is arguably better than having passwords which can be

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Petter Reinholdtsen
[Steve Langasek] Right, I know there are going to be use cases where 6 is too long for the minimum length, and users will need to lower the setting in /etc/pam.d/common-password. Do you think we need to provide some hook for these Debian Edu users to change the setting automatically, via

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread John Kelly
On Tue, 4 Sep 2007 07:53:08 + (UTC), Oleg Verych [EMAIL PROTECTED] wrote: What about having more secure Debian's sshd_config by default? PermitRootLogin no DenyUsers * Doing remote ssh installations without any console access will make you unhappy with that default. -- Internet

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Ron Johnson
On 09/04/07 03:10, Petter Reinholdtsen wrote: [snip] Some schools even use the same password for all lower grade users instead of providing very easy passwords, and I am not sure if that is better. That's just stupid. Since first grade, my

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Lars Wirzenius
ma, 2007-09-03 kello 23:40 -0400, John Kelly kirjoitti: On Sep 3, Lars Wirzenius wrote: That is arguably better than having passwords which can be guessed by doing brute-force attacks over ssh. I stop brute force attacks by sending auth log messages to a FIFO which I read with a perl

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Antti-Juhani Kaijanaho
On Mon, Sep 03, 2007 at 11:40:07PM -0400, John Kelly wrote: I stop brute force attacks by sending auth log messages to a FIFO which I read with a perl script. After 10 login failures, your IP is firewalled for 24 hours. I have a rate-limiting iptables ruleset for SSH (and HTTP). In my

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Roger Leigh
Steve Langasek [EMAIL PROTECTED] writes: For years, the Debian pam packages have by default had a weaker password length requirement than upstream. I can think of no reason for this to be the case, especially when upstream doesn't support a configurable minimum password length and Debian

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread John Kelly
On Tue, 04 Sep 2007 12:31:15 +0300, Lars Wirzenius [EMAIL PROTECTED] wrote: I stop brute force attacks by sending auth log messages to a FIFO which I read with a perl script. After 10 login failures, your IP is firewalled for 24 hours. I'm sure it does work great. Can you work on making

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Russ Allbery
Roger Leigh [EMAIL PROTECTED] writes: Having enabled the cracklib stuff in pam_unix while testing the new PAM, I agree that this should remain disabled. Many users (including myself) find the enforcement of all those extra checks annoying, and I agree with other comments that extra checks

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Joey Hess
Steve Langasek wrote: Arguably if the consensus is that the default minimum password length should be raised in the users' best interests, we would want to change the makepasswd package's default at the same time. And we might also want to make d-i do the same checks, currently it enforces no

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Adam D. Barratt
On Tue, 2007-09-04 at 07:53 +, Oleg Verych wrote: [...] What about having more secure Debian's sshd_config by default? PermitRootLogin no You'll have to convince the openssh package maintainers first - see #105571, #298138 and #431627 for their opinions on whether that change is more

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Oleg Verych: gmane reading
04-09-2007, Adam D. Barratt: On Tue, 2007-09-04 at 07:53 +, Oleg Verych wrote: [...] What about having more secure Debian's sshd_config by default? PermitRootLogin no You'll have to convince the openssh package maintainers first - see #105571, #298138 and #431627 for their opinions

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Dwayne C. Litzenberger
On Tue, Sep 04, 2007 at 12:31:15PM +0300, Lars Wirzenius wrote: I'm sure it does work great. Can you work on making sure [fail2ban] is the default in lenny if openssh-server is installed? Keep in mind that, by design, fail2ban opens up a denial-of-service vulnerability, especially with the

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Dwayne C. Litzenberger
On Mon, Sep 03, 2007 at 05:45:49PM +0300, Lars Wirzenius wrote: ma, 2007-09-03 kello 08:33 -0600, Wesley J. Landaker kirjoitti: Especially when the most common response I've seen to a system saying that a password is not long enough is to start adding easily guessable extension strings to the

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread Roberto C. Sánchez
On Tue, Sep 04, 2007 at 02:50:25PM -0600, Dwayne C. Litzenberger wrote: How about a Debian policy that enumerates the specific cases where passwords are allowed to be used for authentication, and states that password authentication must be disabled by default for everything else? If you

Re: RFC: changes to default password strength checks in pam_unix

2007-09-04 Thread John Kelly
On Tue, 4 Sep 2007 14:50:25 -0600, Dwayne C. Litzenberger [EMAIL PROTECTED] wrote: On most of my boxes, passwords are useless for anything except local authentication, and even for that, they aren't used much. How about a Debian policy that enumerates the specific cases where passwords are

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Stefano Zacchiroli
On Mon, Sep 03, 2007 at 07:01:38AM +0200, Christian Perrier wrote: It seems you disagree, but don't really give a rationale for it except some other programs we have in Debian default to 6 chars. Am I right? (BTW, this makepasswd doesn't seem to be installed by default) And can also be

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Bas Zoetekouw
Hi Christian! You wrote: I don't really understand the need for turning your comment this way, which indeed doesn't make your point clear, whether you agree or disagree with the idea of default enforcement of 8 characters length for passwords. It seems you disagree, but don't really give

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Thijs Kinkhorst
On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote: And what's the rationale to change the minimum length to 8? It won't help security, as people who pick weak passwords now, will still pick weak, but longer, passwords. I agree with Bas here: I'm all for removing the Debian deviation from

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Petter Reinholdtsen
[Steve Langasek] Does anyone else have a reasoned argument why Debian should have a weaker password length check than upstream (4 chars instead of 6)? If not, this will be changed in the next upload of pam. I've been told that the schools using Debian Edu in lower grades pick very simple and

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Lars Wirzenius
ma, 2007-09-03 kello 09:30 +0200, Petter Reinholdtsen kirjoitti: I've been told that the schools using Debian Edu in lower grades pick very simple and short passwords for the kids, and this will become harder if the minimum length is increased. Thought it was best to bring that up publicly.

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Wesley J. Landaker
On Monday 03 September 2007 01:07:15 Thijs Kinkhorst wrote: On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote: And what's the rationale to change the minimum length to 8? It won't help security, as people who pick weak passwords now, will still pick weak, but longer, passwords. I

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Bernd Zeimetz
I agree with Bas here: I'm all for removing the Debian deviation from upstream, so please go ahead with that, but raising it further is not necessarily a useful thing to do. I can easily think of a 6-char password that is a lot more difficult to guess than an 8 char one. Especially when

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Lars Wirzenius
ma, 2007-09-03 kello 08:33 -0600, Wesley J. Landaker kirjoitti: Especially when the most common response I've seen to a system saying that a password is not long enough is to start adding easily guessable extension strings to the password the user already picked, NOT to sit back down and

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread The Fungi
On Sun, Sep 02, 2007 at 10:29:31PM -0400, Daniel Jacobowitz wrote: How about modern brain availability? You'll just get a lot of annoyed people changing it back; for example, makepasswd still uses a minimum length of six. And pwgen defaults to eight... the length recommended by IETF RFC 4086

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Steve Langasek
On Sun, Sep 02, 2007 at 10:29:31PM -0400, Daniel Jacobowitz wrote: On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote: On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote: su, 2007-09-02 kello 12:47 -0700, Steve Langasek kirjoitti: Does anyone else have a reasoned

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Steve Langasek
On Mon, Sep 03, 2007 at 09:30:34AM +0200, Petter Reinholdtsen wrote: [Steve Langasek] Does anyone else have a reasoned argument why Debian should have a weaker password length check than upstream (4 chars instead of 6)? If not, this will be changed in the next upload of pam. I've been

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Daniel Jacobowitz
On Mon, Sep 03, 2007 at 07:01:38AM +0200, Christian Perrier wrote: Given modern processor power availability, I can't think of one; How about modern brain availability? You'll just get a lot of annoyed people changing it back; for example, makepasswd still uses a minimum length of

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Miles Bader
Daniel Jacobowitz [EMAIL PROTECTED] writes: If you enforce longer passwords than people are comfortable with, you get weaker passwords (or poor password management practices). It's the humans that matter, not the machines. Exactly. If the system is excessively anal about what passwords it

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Lars Wirzenius
ti, 2007-09-04 kello 10:17 +0900, Miles Bader kirjoitti: If the system is excessively anal about what passwords it will let you use, people will just start writing them down... That is arguably better than having passwords which can be guessed by doing brute-force attacks over ssh. --

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread John Kelly
On Sep 3, Lars Wirzenius wrote: ti, 2007-09-04 kello 10:17 +0900, Miles Bader kirjoitti: If the system is excessively anal about what passwords it will let you use, people will just start writing them down... That is arguably better than having passwords which can be guessed by doing

Re: RFC: changes to default password strength checks in pam_unix

2007-09-03 Thread Don Armstrong
On Mon, 03 Sep 2007, John Kelly wrote: I stop brute force attacks by sending auth log messages to a FIFO which I read with a perl script. After 10 login failures, your IP is firewalled for 24 hours. fail2ban is an easy way to do this (for ssh and optionally anything else that people will try

RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Steve Langasek
Hi folks, For years, the Debian pam packages have by default had a weaker password length requirement than upstream. I can think of no reason for this to be the case, especially when upstream doesn't support a configurable minimum password length and Debian does. Does anyone else have a

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Lars Wirzenius
su, 2007-09-02 kello 12:47 -0700, Steve Langasek kirjoitti: Does anyone else have a reasoned argument why Debian should have a weaker password length check than upstream (4 chars instead of 6)? If not, this will be changed in the next upload of pam. What's the justification of not using a

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Steve Langasek
On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote: su, 2007-09-02 kello 12:47 -0700, Steve Langasek kirjoitti: Does anyone else have a reasoned argument why Debian should have a weaker password length check than upstream (4 chars instead of 6)? If not, this will be changed in

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Roberto C. Sánchez
On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote: The upstream default of 6 has been around for at least 5 years, possibly as long as a decade; and the code in question is inactive when pam_unix is linked to cracklib, which I think most distributors other than Debian are doing

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Steve Langasek
On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote: On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote: The upstream default of 6 has been around for at least 5 years, possibly as long as a decade; and the code in question is inactive when pam_unix is linked to

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Roberto C. Sánchez
On Sun, Sep 02, 2007 at 05:20:42PM -0700, Steve Langasek wrote: On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote: Just curious, what is the rationale for wanting to keep cracklib out of base? Size and complexity. Adding libpam-cracklib to base would be a 2MB increase

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Daniel Jacobowitz
On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote: On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote: su, 2007-09-02 kello 12:47 -0700, Steve Langasek kirjoitti: Does anyone else have a reasoned argument why Debian should have a weaker password length check than

Re: RFC: changes to default password strength checks in pam_unix

2007-09-02 Thread Christian Perrier
Given modern processor power availability, I can't think of one; How about modern brain availability? You'll just get a lot of annoyed people changing it back; for example, makepasswd still uses a minimum length of six. My weak English makes me think your comment is rude. Please excuse