> Some schools even use the same password for all lower grade users
> instead of providing very easy passwords, and I am not sure if that is
> better. I am convinced the schools will come up with some new and
> innovative insecure way to work around any enforced password policy,
> so it might not
05-09-2007, Gabor Gombas:
> On Tue, Sep 04, 2007 at 08:26:41PM +, Oleg Verych: gmane reading wrote:
>
>> I.e *i don't care* about entering passwords on middle ground, without
>> knowing, WTF this installer may do with them, not having comfortable
>> environment for that _important_ action.
>>
On Tue, Sep 04, 2007 at 08:26:41PM +, Oleg Verych: gmane reading wrote:
> I.e *i don't care* about entering passwords on middle ground, without
> knowing, WTF this installer may do with them, not having comfortable
> environment for that _important_ action.
>
> Thus i have silly, empty passwo
Quoting Joey Hess ([EMAIL PROTECTED]):
> Steve Langasek wrote:
> > Arguably if the consensus is that the default minimum password length should
> > be raised in the users' best interests, we would want to change the
> > makepasswd package's default at the same time.
>
> And we might also want to m
On Tue, 4 Sep 2007 14:50:25 -0600, "Dwayne C. Litzenberger"
<[EMAIL PROTECTED]> wrote:
>On most of my boxes, passwords are useless for anything except local
>authentication, and even for that, they aren't used much.
>How about a Debian policy that enumerates the specific cases where
>passwords
On Tue, Sep 04, 2007 at 02:50:25PM -0600, Dwayne C. Litzenberger wrote:
>
> How about a Debian policy that enumerates the specific cases where
> passwords are allowed to be used for authentication, and states that
> password authentication must be disabled by default for everything else?
>
> If
On Mon, Sep 03, 2007 at 05:45:49PM +0300, Lars Wirzenius wrote:
Mon, 2007-09-03 at 08:33 -0600, Wesley J. Landaker wrote:
Especially when the most common response I've seen to a system saying
that a
password is not long enough is to start adding easily guessable extension
strings to the
On Tue, Sep 04, 2007 at 12:31:15PM +0300, Lars Wirzenius wrote:
I'm sure it does work great. Can you work on making sure [fail2ban] is the
default in lenny if openssh-server is installed?
Keep in mind that, by design, fail2ban opens up a denial-of-service
vulnerability, especially with the pro
04-09-2007, Adam D. Barratt:
> On Tue, 2007-09-04 at 07:53 +, Oleg Verych wrote:
> [...]
>> What about having more secure Debian's sshd_config by default?
>> "
>> PermitRootLogin no
>
> You'll have to convince the openssh package maintainers first - see
> #105571, #298138 and #431627 for their
On Tue, 2007-09-04 at 07:53 +, Oleg Verych wrote:
[...]
> What about having more secure Debian's sshd_config by default?
> "
> PermitRootLogin no
You'll have to convince the openssh package maintainers first - see
#105571, #298138 and #431627 for their opinions on whether that change
is "more
Steve Langasek wrote:
> Arguably if the consensus is that the default minimum password length should
> be raised in the users' best interests, we would want to change the
> makepasswd package's default at the same time.
And we might also want to make d-i do the same checks, currently it
enforces n
Roger Leigh <[EMAIL PROTECTED]> writes:
> Having enabled the cracklib stuff in pam_unix while testing the new
> PAM, I agree that this should remain disabled. Many users (including
> myself) find the enforcement of all those extra checks annoying, and I
> agree with other comments that extra chec
On Tue, 04 Sep 2007 12:31:15 +0300, Lars Wirzenius <[EMAIL PROTECTED]> wrote:
>> I stop brute force attacks by sending auth log messages to a FIFO which I
>> read with a perl script. After 10 login failures, your IP is firewalled for
>> 24 hours.
>I'm sure it does work great. Can you work on m
Steve Langasek <[EMAIL PROTECTED]> writes:
> For years, the Debian pam packages have by default had a weaker password
> length requirement than upstream. I can think of no reason for this to be
> the case, especially when upstream doesn't support a configurable minimum
> password length and Debia
On Mon, Sep 03, 2007 at 11:40:07PM -0400, John Kelly wrote:
> I stop brute force attacks by sending auth log messages to a FIFO which I
> read with a perl script. After 10 login failures, your IP is firewalled for
> 24 hours.
I have a rate-limiting iptables ruleset for SSH (and HTTP). In my
exp
Mon, 2007-09-03 at 23:40 -0400, John Kelly wrote:
> On Sep 3, Lars Wirzenius wrote:
> >That is arguably better than having passwords which can be guessed by
> >doing brute-force attacks over ssh.
>
> I stop brute force attacks by sending auth log messages to a FIFO which I
> read with a pe
On 09/04/07 03:10, Petter Reinholdtsen wrote:
[snip]
>
> Some schools even use the same password for all lower grade users
> instead of providing very easy passwords, and I am not sure if that is
> better.
That's just stupid.
Since first grade, my c
On Tue, 4 Sep 2007 07:53:08 + (UTC), Oleg Verych
<[EMAIL PROTECTED]> wrote:
>What about having more secure Debian's sshd_config by default?
>PermitRootLogin no
>DenyUsers *
Doing remote ssh installations without any console access will make
you unhappy with that default.
[Steve Langasek]
> Right, I know there are going to be use cases where 6 is too long
> for the minimum length, and users will need to lower the setting in
> /etc/pam.d/common-password. Do you think we need to provide some
> hook for these Debian Edu users to change the setting automatically,
> vi
04-09-2007, John Kelly:
> On Sep 3, Lars Wirzenius wrote:
>
>>Tue, 2007-09-04 at 10:17 +0900, Miles Bader wrote:
>
>>> If the system is excessively anal about what passwords it will let you
>>> use, people will just start writing them down...
>
>>That is arguably better than having passwords
> Right, I know there are going to be use cases where 6 is too long for the
> minimum length, and users will need to lower the setting in
> /etc/pam.d/common-password. Do you think we need to provide some hook for
> these Debian Edu users to change the setting automatically, via preseeding
> or ot
> I apologize if my meaning was unclear; it was not meant to be rude. I
> think that looking at only the power of modern CPUs - how long it
> takes to crack a password - misses the point. If you enforce longer
> passwords than people are comfortable with, you get weaker passwords
> (or poor passw
On Mon, 03 Sep 2007, John Kelly wrote:
> I stop brute force attacks by sending auth log messages to a FIFO
> which I read with a perl script. After 10 login failures, your IP is
> firewalled for 24 hours.
fail2ban is an easy way to do this (for ssh and optionally anything
else that people will try
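The threshold-and-ban scheme John Kelly describes above (ten failures, then firewall the source for 24 hours), together with the fail2ban denial-of-service caveat raised earlier in the thread, as an added example. This is illustrative code written for this page, not Kelly's perl script and not fail2ban; the log lines, the addresses (TEST-NET ranges), the thresholds and the `never_ban` exemption list are all constructed assumptions. The one design point it adds over the plain counter is the exemption list: without it, anyone who can produce failed logins from an address you share (an office NAT, your own management range) can lock that address out.

```python
"""Auth-log brute-force banning: count failed sshd logins per source within a
window, ban the source for a fixed period once a threshold is reached, and
never ban addresses on an exemption list.  Added example; constructed input."""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both forms OpenSSH logs for a rejected password
# ("... for root from ..." and "... for invalid user admin from ...").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def _timestamp(line):
    # Syslog prefix such as "Sep  4 10:01:02": collapse the padding space; the
    # year is not in the log and is irrelevant for window arithmetic here.
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")


class BruteForceBanner:
    def __init__(self, threshold=10, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=24), never_ban=()):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        # Networks that must never be banned (assumed: admin range, office NAT).
        # Without this list a shared address can be locked out by anyone who
        # can send failed logins from it: the denial of service the thread
        # warns that fail2ban-style blocking opens up.
        self.never_ban = [ipaddress.ip_network(n) for n in never_ban]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                        # ip -> ban expiry

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_ban)

    def is_banned(self, ip, now):
        return ip in self.bans and self.bans[ip] > now

    def feed(self, line):
        """Process one log line. Returns the IP if this line starts a new ban."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip, now = m.group(2), _timestamp(line)
        if self.is_exempt(ip) or self.is_banned(ip, now):
            return None
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        self.bans[ip] = now + self.ban_for
        recent.clear()
        return ip


def ban_decisions(lines, **kwargs):
    """Run a log through a fresh banner; return the IPs banned, in order."""
    banner = BruteForceBanner(**kwargs)
    return [ip for ip in map(banner.feed, lines) if ip]


# Constructed sample log: one attacker, one user typo, one exempt office NAT.
SAMPLE_LOG = (
    [f"Sep  4 10:01:{i:02d} host sshd[{1200 + i}]: Failed password for invalid user admin "
     f"from 203.0.113.5 port {40000 + i} ssh2" for i in range(10)]
    + ["Sep  4 10:02:30 host sshd[1300]: Failed password for alice from 198.51.100.7 port 50001 ssh2",
       "Sep  4 10:02:35 host sshd[1301]: Accepted password for alice from 198.51.100.7 port 50001 ssh2"]
    + [f"Sep  4 10:03:{i:02d} host sshd[{1400 + i}]: Failed password for root "
       f"from 192.0.2.10 port {51000 + i} ssh2" for i in range(12)]
)

if __name__ == "__main__":
    print(ban_decisions(SAMPLE_LOG, never_ban=("192.0.2.0/24",)))   # ['203.0.113.5']
    print(ban_decisions(SAMPLE_LOG))                                 # NAT gets banned too
```

Running it with and without the `never_ban` entry shows the caveat directly: the office NAT at 192.0.2.10 is banned in the second run, so twelve bad attempts from anyone behind it would have cut the whole office off for a day.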
On Sep 3, Lars Wirzenius wrote:
Tue, 2007-09-04 at 10:17 +0900, Miles Bader wrote:
If the system is excessively anal about what passwords it will let you
use, people will just start writing them down...
That is arguably better than having passwords which can be guessed by
doing brute
Tue, 2007-09-04 at 10:17 +0900, Miles Bader wrote:
> If the system is excessively anal about what passwords it will let you
> use, people will just start writing them down...
That is arguably better than having passwords which can be guessed by
doing brute-force attacks over ssh.
Daniel Jacobowitz <[EMAIL PROTECTED]> writes:
> If you enforce longer passwords than people are comfortable with, you
> get weaker passwords (or poor password management practices). It's
> the humans that matter, not the machines.
Exactly.
If the system is excessively anal about what passwords i
On Mon, Sep 03, 2007 at 07:01:38AM +0200, Christian Perrier wrote:
> > > Given modern processor power availability, I can't think of one;
> >
> > How about modern brain availability? You'll just get a lot of annoyed
> > people changing it back; for example, makepasswd still uses a minimum
> > len
On Mon, Sep 03, 2007 at 09:30:34AM +0200, Petter Reinholdtsen wrote:
> [Steve Langasek]
> > Does anyone else have a reasoned argument why Debian should have a
> > weaker password length check than upstream (4 chars instead of 6)?
> > If not, this will be changed in the next upload of pam.
> I've
On Sun, Sep 02, 2007 at 10:29:31PM -0400, Daniel Jacobowitz wrote:
> On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> > On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> > > Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > > > Does anyone else have a
On Sun, Sep 02, 2007 at 10:29:31PM -0400, Daniel Jacobowitz wrote:
> How about modern brain availability? You'll just get a lot of annoyed
> people changing it back; for example, makepasswd still uses a minimum
> length of six.
And pwgen defaults to eight... the length recommended by IETF RFC
408
Mon, 2007-09-03 at 08:33 -0600, Wesley J. Landaker wrote:
> Especially when the most common response I've seen to a system saying
> that a
> password is not long enough is to start adding easily guessable extension
> strings to the password the user already picked, NOT to sit back down and
>> I agree with Bas here: I'm all for removing the Debian deviation from
>> upstream, so please go ahead with that, but raising it further is not
>> necessarily a useful thing to do. I can easily think of a 6-char password
>> that is a lot more difficult to guess than an 8 char one.
>
> Especiall
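Two claims in the exchange above are easy to check with numbers: that a 6-character password can be harder to guess than an 8-character one, and that users who are told "too short" tend to append a guessable extension to the password they already chose. The following is an added example written for this page; it is not pam_unix, cracklib or anything else Debian ships. It re-implements in plain Python the shape of the checks under discussion (a minimum length, a palindrome and case-change check, and a rule that catches "old password plus extension"), with `MIN_LEN`, the extension list and the single-class length rule all being assumptions for illustration.

```python
"""Illustrative password-quality checks and a brute-force search-space
estimate.  Added example, not Debian's pam_unix code; thresholds and the
extension list are constructed."""
import math
import string

MIN_LEN = 6   # assumed policy: the upstream pam_unix default discussed in the thread

# Constructed list of the "easily guessable extension strings" users append
# when a password is rejected as too short; not taken from a real dictionary.
COMMON_EXTENSIONS = ("1", "12", "123", "!", "1!", "2007", "a", "aa")

# Character classes and the alphabet size each one contributes.
_CLASS_SIZES = (
    (str.isdigit, 10),
    (str.isupper, 26),
    (str.islower, 26),
    (lambda c: c in string.punctuation, len(string.punctuation)),   # 32
)


def alphabet_size(pw):
    """Size of the smallest class-based alphabet that contains every char of pw."""
    return sum(size for pred, size in _CLASS_SIZES if any(pred(c) for c in pw))


def guess_bits(pw):
    """log2 of the brute-force search space for a password drawn uniformly
    from its alphabet.  An upper bound: dictionary words and sequences score
    far lower in practice."""
    return len(pw) * math.log2(alphabet_size(pw))


def check_password(new, old=None):
    """Return None if `new` is acceptable, otherwise a short reason string."""
    if len(new) < MIN_LEN:
        return "too short"
    if old is not None:
        if new == old:
            return "unchanged"
        if new.lower() == old.lower():
            return "case change only"
        if new.startswith(old) and new[len(old):] in COMMON_EXTENSIONS:
            return "old password with a guessable extension"
    if new == new[::-1]:
        return "palindrome"
    # Assumed rule: a password drawn from a single class (digits only, one
    # case of letters only) must be longer to compensate.
    if alphabet_size(new) <= 26 and len(new) < MIN_LEN + 2:
        return "too simple"
    return None


if __name__ == "__main__":
    # 6 chars from all four classes vs 8 lowercase letters: 94^6 > 26^8.
    for pw in ("x7$Kq2", "abcdefgh", "secret1", "abccba"):
        print(f"{pw:10s} {guess_bits(pw):5.1f} bits  {check_password(pw, old='secret')}")
```

The search-space comparison is the thread's point made concrete: 94^6 (about 2^39.3) exceeds 26^8 (about 2^37.6), so raising a minimum length does nothing unless the extra characters are actually unpredictable, which is exactly what the "append `1`" habit defeats.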
On Monday 03 September 2007 01:07:15 Thijs Kinkhorst wrote:
> On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote:
> > And what's the rationale to change the minimum length to 8? It won't
> > help security, as people who pick weak passwords now, will still pick
> > weak, but longer, passwords.
>
Mon, 2007-09-03 at 09:30 +0200, Petter Reinholdtsen wrote:
> I've been told that the schools using Debian Edu in lower grades pick
> very simple and short passwords for the kids, and this will become
> harder if the minimum length is increased. Thought it was best to
> bring that up publicly
[Steve Langasek]
> Does anyone else have a reasoned argument why Debian should have a
> weaker password length check than upstream (4 chars instead of 6)?
> If not, this will be changed in the next upload of pam.
I've been told that the schools using Debian Edu in lower grades pick
very simple an
On Mon, September 3, 2007 08:37, Bas Zoetekouw wrote:
> And what's the rationale to change the minimum length to 8? It won't
> help security, as people who pick weak passwords now, will still pick weak,
> but longer, passwords.
I agree with Bas here: I'm all for removing the Debian deviation from
Hi Christian!
You wrote:
> I don't really understand the need for turning your comment this way,
> which indeed doesn't make your point clear, whether you agree or
> disagree with the idea of default enforcement of 8 characters length
> for passwords.
>
> It seems you disagree, but don't really
On Mon, Sep 03, 2007 at 07:01:38AM +0200, Christian Perrier wrote:
> It seems you disagree, but don't really give a rationale for it except
> "some other programs we have in Debian default to 6 chars". Am I right?
>
> (BTW, this "makepasswd" doesn't seem to be installed by default)
And can also b
> > Given modern processor power availability, I can't think of one;
>
> How about modern brain availability? You'll just get a lot of annoyed
> people changing it back; for example, makepasswd still uses a minimum
> length of six.
My weak English makes me think your comment is rude. Please exc
On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> > Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > > Does anyone else have a reasoned argument why Debian should have a weaker
> > > password length che
On Sun, Sep 02, 2007 at 05:20:42PM -0700, Steve Langasek wrote:
> On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
>
> > Just curious, what is the rationale for wanting to keep cracklib out of
> > base?
>
> Size and complexity. Adding libpam-cracklib to base would be a 2MB inc
On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
> On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> > The upstream default of 6 has been around for at least 5 years, possibly as
> > long as a decade; and the code in question is inactive when pam_unix is
> > link
On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
>
> The upstream default of 6 has been around for at least 5 years, possibly as
> long as a decade; and the code in question is inactive when pam_unix is
> linked to cracklib, which I think most distributors other than Debian are
> do
On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > Does anyone else have a reasoned argument why Debian should have a weaker
> > password length check than upstream (4 chars instead of 6)? If not, this
> > will be chang
Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> Does anyone else have a reasoned argument why Debian should have a weaker
> password length check than upstream (4 chars instead of 6)? If not, this
> will be changed in the next upload of pam.
What's the justification of not using a m
45 matches