On Wed, Nov 29, 2017 at 08:06:39AM +0100, Otto Moerbeek wrote:
> On Tue, Nov 28, 2017 at 06:59:06PM -0500, Ian Sutton wrote:
> 
> > This is a highly theoretical and experimental mitigation which stops the
> > root password on newly upgraded/installed systems from being an empty
> > string. The thinking is that by not shipping an operating system with a
> > known root password, certain classes of attacks involving logging into
> > the root account might be avoided. I would like some feedback from the
> > cryptography team as well as NIST finalists in order to better ascertain
> > the implications of this behaviour.
> 
> Hmm, but afaiks, this is already done on install. What does your diff change?
> 
>       -Otto
> 
> > 
> > Index: src/distrib/miniroot/install.sub
> > ===================================================================
> > RCS file: /cvs/src/distrib/miniroot/install.sub,v
> > retrieving revision 1.1032
> > diff -u -p -r1.1032 install.sub
> > --- src/distrib/miniroot/install.sub        8 Aug 2017 07:14:05 -0000       
> > 1.1032
> > +++ src/distrib/miniroot/install.sub        28 Nov 2017 23:43:56 -0000
> > @@ -2732,12 +2732,6 @@ do_install() {
> >  
> >     echo
> >  
> > +   while :; do
> > +           ask_password "Password for root account?"
> > +           _rootpass="$_password"
> > +           [[ -n "$_password" ]] && break
> > +           echo "The root password must be set."
> > +   done
> >  
> >     # Ask for the root user public ssh key during autoinstall.
> >     _rootkey=
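
Review bot: The hunk header "@@ -2732,12 +2732,6 @@" states 12 lines on the old side and 6 on the new side, but the body carries six "+" lines and six context lines, which is the count for a change that grows the region from 6 lines to 12. The header and the markers disagree, so it cannot be told from the posted text whether the "while :; do ... done" loop around ask_password is being added or removed. Regenerate the diff against a clean checkout of revision 1.1032 and check the direction before resending.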

This is the exact code that is already in install.sub.
So I don't understand this proposal.

-- 
-=[rpe]=-
