On Mon, February 2, 2015 4:17 pm, Warren Young wrote:

> On Jan 31, 2015, at 8:04 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
>> 1. The password strength decision is driven by RH corporate.
>
> So who do you believe is driving RH corporate? Why are they expending the
> effort to do this?
>
> The answer is clear to me: general security principles. By the time EL8
> comes out, we'll have had ~3 years of warnings under EL7 that weak
> passwords would not be tolerated, and they're finally disallowing them.
> Good!
>
> (More like 6 years, actually, because EL6 gives a red warning bar for weak
> passwords.)
>
> Let's flip it around: what's your justification *for* weak passwords?
>
> We use them here temporarily during setup, but we lock the system down
> with a secure unique password before deployment. Switching to something
> more secure really is not that burdensome.
>
>> 2. There is not going to be any back-off by the developers.
>
> Why would there be? The trend in security is clear: keep up or get run
> over.
>
> The only question is how quickly forward we proceed, not which direction
> "forward" is.
>
> RHEL has been moving forward pretty darn slowly. The current system in
> EL7 allows *appallingly* bad passwords. Passwords that can be cracked in
> reasonable time scales even with SSH's existing rate-limiting.
>
>> 4. There is absolutely no rational argument that can be made to anyone
>> to alter any of this.
>
> That could be because there is no rational reason.
>
> Got one? Lay it on me. Please include a description of the threat model
> where a password like byrnej123 should be allowed, which *is* allowed in
> EL7, as long as root is setting it and says "Yes, I really am sure I
> want such a dreadfully easy to crack password."
>
>> 5. Protesting there is evidently meaningless as well.
>
> While I've got the floor, I would like to encourage everyone to send
> mail to god at universe.org to protest tomorrow's sunrise.
>
> Rationale: Melanoma is bad.
>
>> This change was not discussed
>
> Hmm, yes, let's hold public committee hearings for every technical
> change. The resulting bureaucratic mire will surely usher in the Year of
> Linux!
>
>> ( Odd, is it not, that Mr. Williamson professes that there is no
>> secret motive but cannot actually provide one when asked. )
>
> What secret motive *could* there be?? The current security policy is
> weak, and this change fixes that. End of story.

It's hard not to endorse everything you are saying. As far as motive is
concerned, it is not that secret. Security. RedHat doesn't like poorly
administered machines with RHEL Linux getting hacked, and then many voices
saying on the internet: RHEL Linux is not secure, RHEL Linux machines are
getting hacked. Even though the reason is not what it sounds like.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
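The quoted exchange turns on which checks a password like byrnej123 should trip, and on EL7 letting root wave such a password through. The following is an added example, not the page's code and not libpwquality's or anaconda's own implementation: it approximates the kinds of checks pam_pwquality and cracklib apply (minimum length, character classes, repeated characters, monotonic sequences, palindromes, the user name and GECOS words forwards or reversed, and a dictionary lookup after stripping the usual leading/trailing digits and punctuation), and models the root-gets-only-a-warning behaviour with an assumed enforce_for_root flag named after pam_pwquality's option. The thresholds, the word list and the user names are assumptions.

```python
"""Approximation of the checks a pam_pwquality/cracklib style policy applies
to a candidate password.

Added example, not libpwquality's own code: thresholds, the word list and
the user names below are constructed for illustration.
"""
import string

# Constructed stand-in for a cracking dictionary / cracklib word list.
DICTIONARY = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "centos", "redhat", "linux", "dragon", "monkey", "football",
}

# Thresholds loosely modelled on pam_pwquality's minlen, minclass,
# maxrepeat and maxsequence options (values are assumptions).
MINLEN = 8
MINCLASS = 3
MAXREPEAT = 3
MAXSEQUENCE = 3


def _classes(pw):
    """Number of character classes present: lower, upper, digit, other."""
    n = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    return n + any(c in string.punctuation or c == " " for c in pw)


def _max_repeat(pw):
    """Longest run of one repeated character ("aaaa" -> 4)."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best, prev = max(best, run), c
    return best


def _max_sequence(pw):
    """Longest monotonic run of adjacent code points ("abcd", "4321" -> 4)."""
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if d not in (1, -1):
            run, direction = 1, 0
        elif direction in (0, d):
            run, direction = run + 1, d
        else:
            run, direction = 2, d
        best = max(best, run)
    return best


def check_password(pw, username, gecos=""):
    """Return the list of reasons the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MINLEN:
        problems.append(f"shorter than {MINLEN} characters")
    if _classes(pw) < MINCLASS:
        problems.append(f"fewer than {MINCLASS} character classes")
    if _max_repeat(pw) > MAXREPEAT:
        problems.append(f"more than {MAXREPEAT} identical consecutive characters")
    if _max_sequence(pw) > MAXSEQUENCE:
        problems.append(f"monotonic sequence longer than {MAXSEQUENCE}")
    low = pw.lower()
    if low == low[::-1]:
        problems.append("palindrome")
    # usercheck / gecoscheck: user name or any GECOS word, forwards or reversed
    for word in [username] + gecos.replace(",", " ").split():
        w = word.lower()
        if len(w) >= 3 and (w in low or w[::-1] in low):
            problems.append(f"contains user name/GECOS word {word!r}")
    # dictcheck: strip the usual leading/trailing digits and punctuation first,
    # so "Password1!" is still caught as "password"
    core = low.strip(string.digits + string.punctuation)
    if low in DICTIONARY or core in DICTIONARY or core[::-1] in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def decide(pw, username, gecos="", by_root=False, enforce_for_root=False):
    """Policy outcome: ordinary users are refused; root only gets a warning
    unless enforce_for_root is set (assumed to mirror pam_pwquality's option)."""
    problems = check_password(pw, username, gecos)
    if not problems:
        return "accepted", problems
    if by_root and not enforce_for_root:
        return "warning", problems
    return "rejected", problems


if __name__ == "__main__":
    for pw, user, root in [("byrnej123", "byrnej", True),
                           ("Password1!", "alice", False),
                           ("Tq9#vLm2pR!x", "alice", False)]:
        print(pw, "->", decide(pw, user, by_root=root))
```

With these settings byrnej123 fails on two counts (only two character classes, and it contains the user name), yet when root sets it the outcome is only a warning unless enforce_for_root is on, which is the gap the quoted message objects to. Note that a dictionary check is only as good as its word list; the real cracklib list is far larger than the dozen words embedded here.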
On Mon, 2015-02-02 at 16:30 -0600, Valeri Galtsev wrote:

> RedHat doesn't like poorly administered machines with RHEL Linux getting
> hacked, and then many voices saying on the internet: RHEL Linux is
> not secure, RHEL Linux machines are getting hacked. Even though the
> reason is not what it sounds like.

What is the reason RHEL machines are being hacked?

-- 
Regards,
Paul.
England, EU. Je suis Charlie.
On Mon, February 2, 2015 5:34 pm, Always Learning wrote:

> On Mon, 2015-02-02 at 16:30 -0600, Valeri Galtsev wrote:
>
>> RedHat doesn't like poorly administered machines with RHEL Linux getting
>> hacked, and then many voices saying on the internet: RHEL Linux is
>> not secure, RHEL Linux machines are getting hacked. Even though the
>> reason is not what it sounds like.
>
> What is the reason RHEL machines are being hacked?

I assume you may have your own list, but since you asked I'll mention off
the top of my head what I've seen (no, these did not happen on machines I
administer - knocking on wood):

1. Machine compromised elsewhere; user password (via keylogger or malicious
ssh client) or secret key gets stolen; the cyber criminal connects to my
server with the credentials of my user.

2. After he is in: elevation of privileges through some local exploit. As I
tend to have nothing to be exploited on multi-user machines (and run them
under the assumption that the bad guy is already in), this normally doesn't
happen to me, but I sometimes help to sweep up the mess and do forensics
when that has happened to someone.

3. Independent of the above: just a blunder when you are doing
administration. I have seen an admin helping a user (who was on the phone)
change his password. And he accidentally, in "passwd username", stuck Enter
between the above two words (!). Which ended up changing the root password
on the machine to the very weak one he passed to that person over the
phone. When that didn't work (a good hint that it was not that user's
password that was changed!), he just changed it again. Then the intruder
just walked in as root through the open door (that weak password was one of
the top four in the cracker's dictionary).

4. Not updating the system, or having vulnerable services - I have seen
these as well.

5. A weak root password should be on the list, but practically only the
ones at the top of a password cracking dictionary are... Anyway, I do (or I
like to think that I do) have strong root passwords. Nevertheless, I always
have measures to thwart dictionary attacks from the network (as some of my
users may have weak passwords, though not the ones at the top of the
dictionary, I bet)...

This list goes on; someone can continue.

Most of what I see (like the list above) I would classify as poor system
administration. The last has nothing to do with how well RedHat puts
together and patches their system. So I can understand them being less than
willing to have RHEL hacked due to that. However, to think that you can
force one to maintain his system well is utopia. So, even though I
understand their reasons, I am sceptical they will find a panacea.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
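Valeri does not say which measures he uses against dictionary attacks from the network. As an added example (not his setup, and not any project's code), here is the detection side of that problem: a parser for the sshd "Failed/Accepted password" lines as they appear in /var/log/secure on EL systems, with per-source findings for a burst of failures within a time window, many user names tried from one address, guessing against root, and a password login that follows a run of failures, which is the "stolen or guessed weak user password" case from items 1 and 5 above. The log lines, host name, addresses, year and thresholds are all constructed for the example.

```python
"""Detect password-guessing from sshd log lines of the kind found in
/var/log/secure on EL systems.

Added example, not any project's code.  The log lines, host name,
addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses several accounts and finally gets in
# with a password; another is a legitimate user who mistyped once and then
# logged in with a key.  The "Disconnected" line shows that unrelated sshd
# messages are skipped by the parser.
SAMPLE_LOG = """\
Feb  2 16:30:01 astro sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  2 16:30:03 astro sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb  2 16:30:05 astro sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
Feb  2 16:30:07 astro sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Feb  2 16:30:09 astro sshd[2209]: Failed password for valeri from 203.0.113.7 port 51242 ssh2
Feb  2 16:30:11 astro sshd[2211]: Failed password for root from 203.0.113.7 port 51244 ssh2
Feb  2 16:30:13 astro sshd[2213]: Accepted password for valeri from 203.0.113.7 port 51246 ssh2
Feb  2 16:30:14 astro sshd[2213]: Disconnected from 203.0.113.7 port 51246
Feb  2 16:45:30 astro sshd[2301]: Failed password for valeri from 198.51.100.4 port 40010 ssh2
Feb  2 16:45:41 astro sshd[2303]: Accepted publickey for valeri from 198.51.100.4 port 40012 ssh2
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse(lines, year=2015):
    """Return sorted (timestamp, ip, user, accepted, method) tuples.
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # disconnects, key fingerprints, etc. are not auth results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted", m["method"]))
    return sorted(events)


def analyze(events, window=timedelta(minutes=10), threshold=5, min_users=3):
    """Map source ip -> list of findings.  Sources with nothing to report are absent."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        out = []
        failures = [e for e in evs if not e[3]]
        # sliding window: `threshold` failures inside `window` = dictionary attack
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                out.append(f"brute force: {end - start + 1} failures within {window}")
                break
        users = {e[2] for e in failures}
        if len(users) >= min_users:
            out.append(f"username enumeration: {sorted(users)}")
        if "root" in users:
            out.append("password guessing against root")
        # a password login after a run of failures is the "guessed a weak user
        # password" case; a key login after a single typo is not reported
        fails_before = 0
        for e in evs:
            if not e[3]:
                fails_before += 1
            elif e[4] == "password" and fails_before >= threshold:
                out.append(f"password login as {e[2]} after {fails_before} failures")
        if out:
            findings[ip] = out
    return findings


if __name__ == "__main__":
    for ip, notes in analyze(parse(SAMPLE_LOG)).items():
        print(ip)
        for note in notes:
            print("  -", note)
```

The "password login after N failures" finding is the one worth paging on: a burst of failures alone is background noise on any internet-facing sshd, but a success at the end of it means a credential was guessed and the account needs to be locked and its keys and sessions reviewed. Key-based logins are deliberately excluded from that finding, since a key is not obtained by guessing.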
Valeri Galtsev wrote:

>> What secret motive *could* there be?? The current security policy is
>> weak, and this change fixes that. End of story.
>
> It's hard not to endorse everything you are saying. As far as motive is
> concerned, it is not that secret. Security. RedHat doesn't like poorly
> administered machines with RHEL Linux getting hacked, and then many voices
> saying on the internet: RHEL Linux is not secure, RHEL Linux machines are
> getting hacked. Even though the reason is not what it sounds like.

While I admire RedHat, and use CentOS on my home servers, I would expect
RH to give priority to those paying for their services, who I imagine are
almost all sysadmins of systems with many users. My interests as a tiny
user may not coincide with theirs. This does not mean that I think there
are evil spirits at RH trying to disrupt my life. But it does mean that
the inconvenience of strong passwords may outweigh any additional security
in my case.

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin