Once upon a time, Warren Young <wyml at etr-usa.com> said:
> Much of the evil on the Internet today (DDoS armies, spam spewers, phishing botnets) is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.

Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant.

> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.

Your freedom to dictate terms to me stops at my system, which you cannot access even if I set the password to "12345". You are making an assumption that every Fedora/CentOS install is on the public Internet, and then applying rules based on that (false) assumption.

When root can override a password policy after install, forcing a policy during install is nothing but stupid and irritating. Despite what was said on the Fedora list, this was an active change taken by anaconda developers (to take out the "click again to accept anyway" option), so they should expect people to complain to them and be prepared to handle the response.

-- 
Chris Adams <linux at cmadams.net>
On 07/28/2015 02:06 PM, Chris Adams wrote:
> Once upon a time, Warren Young <wyml at etr-usa.com> said:
>> Much of the evil on the Internet today (DDoS armies, spam spewers, phishing botnets) is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant.
>
>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> Your freedom to dictate terms to me stops at my system, which you cannot access even if I set the password to "12345". You are making an assumption that every Fedora/CentOS install is on the public Internet, and then applying rules based on that (false) assumption.
>
> When root can override a password policy after install, forcing a policy during install is nothing but stupid and irritating. Despite what was said on the Fedora list, this was an active change taken by anaconda developers (to take out the "click again to accept anyway" option), so they should expect people to complain to them and be prepared to handle the response.

Well, you are welcome to your opinion and Warren is welcome to his. But in relationship to CentOS Linux, this discussion is completely irrelevant.

If RHEL releases source code that does not accept weak passwords, then we will rebuild that source code for CentOS Linux. If they later change the source code to add back weak password support, we will rebuild that too.

Whether we like or dislike the policy doesn't matter in the slightest .. we don't make those kinds of choices in CentOS Linux .. we rebuild the RHEL source code.
Matthew Miller
2015-Jul-28 19:29 UTC
[CentOS] Fedora change that will probably affect RHEL
On Tue, Jul 28, 2015 at 02:20:06PM -0500, Johnny Hughes wrote:
> If RHEL releases source code that does not accept weak passwords, then we will rebuild that source code for CentOS Linux. If they later change the source code to add back weak password support, we will rebuild that too.
>
> Whether we like or dislike the policy doesn't matter in the slightest .. we don't make those kinds of choices in CentOS Linux .. we rebuild the RHEL source code.

For what it's worth, at the Fedora level, we are extremely, extremely unlikely to ship code which does not allow relatively easy site-local configuration of password policy, regardless of whatever defaults we choose. It's also likely that Red Hat will choose different defaults from Fedora for RHEL. That's not my department, but I would certainly be surprised if *that* comes out in a way that doesn't make setting your own policy simple as well, because that's something people want and need.

-- 
Matthew Miller <mattdm at fedoraproject.org>
Fedora Project Leader
On Tue, Jul 28, 2015 at 1:06 PM, Chris Adams <linux at cmadams.net> wrote:
> Once upon a time, Warren Young <wyml at etr-usa.com> said:
>> Much of the evil on the Internet today (DDoS armies, spam spewers, phishing botnets) is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant.

Botnets are terrible; it doesn't matter how many of them there are or on what platform. The reason why they exist is bad practices. So there needs to be better application of best practices, and best practices need to be easier and default and automatic whenever possible. That applies to all platforms. So I'm not opposed to changes in Fedora, and by extension eventually to CentOS and RHEL, but they have to be balanced out.

Windows Server has PowerShell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers. So I think it's overdue that sshd be disabled on Linux servers by default, especially because the minimum password quality under discussion is still not good enough for forward-facing servers on the Internet with static IPv4 addresses. They will get owned eventually if they use even the new minimum pw quality, and that's why I see pw quality as the wrong emphasis - at least for workstations.

>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> Your freedom to dictate terms to me stops at my system, which you cannot access even if I set the password to "12345". You are making an assumption that every Fedora/CentOS install is on the public Internet, and then applying rules based on that (false) assumption.

Exactly. My dad will absolutely stop using his iPad if it ever requires him to use anything more than 4 numeric digits for his password. The iPad never leaves the house.

Future concern is IPv6 stuff, now that Xfinity has forcibly changed their hardware to include full IPv6 support. I have no idea if this is NAT'd or rolling IPs or what. But the iPad has no remote services enabled. And the Mac has SSH PKA required. So I'm not that concerned about their crappy login passwords. Their online services are another matter; those I've made very clear will be strong or they don't get to play.

-- 
Chris Murphy
Gordon Messmer
2015-Jul-28 21:04 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/28/2015 01:46 PM, Chris Murphy wrote:
> Future concern is IPv6 stuff, now that Xfinity has forcibly changed their hardware to include full IPv6 support. I have no idea if this is NAT'd or rolling IPs or what.

All of the routers I've seen merely firewall inbound traffic, allowing none. There's no need for NAT or rolling IPs.
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Chris Murphy
Sent: Tuesday, July 28, 2015 3:46 PM
To: CentOS mailing list
Subject: Re: [CentOS] Fedora change that will probably affect RHEL

[...]

What you said:

"Windows Server has PowerShell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers. So I think it's overdue that sshd be disabled on Linux servers by default, especially because the minimum password quality under discussion is still not good enough for forward-facing servers on the Internet with static IPv4 addresses. They will get owned eventually if they use even the new minimum pw quality, and that's why I see pw quality as the wrong emphasis - at least for workstations."

And my reply:

For things like SSH and RDP I use two-factor authentication using DUO. For the machines that I absolutely have to have these kinds of access to (my BBS for RDP and my mail server for SSH), this works well, I think, at providing an extra layer of security for both protocols, and it is quite affordable and easy to administer.

Thank you,

Robert Wolfe, Systems Administrator
Malco Theatres, Inc.
5851 Ridgeway Center Parkway
Memphis, TN 38120
Phone: 1-901-761-3480 EXT 135
Fax: 1-901-681-2058
On 7/28/2015 1:46 PM, Chris Murphy wrote:
> Windows Server has PowerShell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers.

To be pedantic about it, the equivalent of PowerShell is NOT sshd, it's bash/ksh/csh/zsh/sh ... PowerShell does not by itself allow external connections; you'd need to configure a telnetd or sshd server to allow that (or remote desktop or vnc or ...).

-- 
john r pierce, recycling bits in santa cruz
On Jul 28, 2015, at 1:06 PM, Chris Adams <linux at cmadams.net> wrote:
>
> Once upon a time, Warren Young <wyml at etr-usa.com> said:
>> Much of the evil on the Internet today (DDoS armies, spam spewers, phishing botnets) is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Since most of that crap comes from Windows hosts

Cite?

Not that it's relevant, since even if the skew were 9:1, that's no excuse for not trying to clean up our 10%.

>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> Your freedom to dictate terms to me stops at my system

That sounds an awful lot like the old canard, "Your right to swing your fist stops at the tip of my nose." Go down to the local drinking hole tonight and start swinging your fist to within a millimeter of people's noses, and see how far that legal defense gets you.

The only reason we don't have specific laws that allow the government to force specific password quality policies is that we've been trying to self-govern. If you fight our efforts at self-government, you open the door to heavy-handed external government.

> You are making an assumption that every Fedora/CentOS install is on the public Internet,

No, I am making the assumption that the vast majority of CentOS installs are racked up in datacenters, VPS hosts, etc. I am further assuming that most of those either have a public IP, or are SSH-accessible once you get past a LAN/WAN border firewall. A border gateway doesn't help you with weak SSH passwords if a box on the LAN gets pwned and turned into an SSH password guesser.

The effort to get stronger password minima into Fedora goes back at least four years:

https://fedoraproject.org/wiki/Features/PasswordQualityChecking

If it's finally time to get it into Fedora, it's *long* past time to get it into RHEL/CentOS, since those boxes are statistically far more likely to be directly exposed to the Internet.

> When root can override a password policy after install, forcing a policy during install is nothing but stupid and irritating.

That's only true if the majority of people will in fact override the default policy. But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode best practices established 20 years ago.
On Tue, Jul 28, 2015 at 4:34 PM, Warren Young <wyml at etr-usa.com> wrote:
> That's only true if the majority of people will in fact override the default policy.

The current behavior in Fedora and CentOS lets you click Done twice and bypass the weak password complaint.

> But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode best practices established 20 years ago.

In order to protect a system that's Internet facing with challengeresponseauth (rather than PKA), the minimum password quality would need to be at least initially onerous. Whereas if things are properly configured such that ssh is only used internally, all you have to worry about are internal attacks, which are hopefully rather rare.

-- 
Chris Murphy
On Jul 28, 2015, at 2:46 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
> My dad will absolutely stop using his iPad if it ever requires him to use anything more than 4 numeric digits for his password. The iPad never leaves the house.

iPads can't be co-opted into a botnet. The rules for iPad passwords must necessarily be different than for CentOS.

> the Mac has SSH PKA required.

True, but more on-point here is that OS X ships with sshd disabled by default. You have to dig into the pref panes and tick an obscurely-named checkbox to enable it.

> Their online services are another matter, those I've made very clear they will be strong or they don't get to play.

The Apple ID password rules are a fair bit stronger than the libpwquality rules we've been discussing here, and have been so for some time:

https://support.apple.com/en-us/HT201303

Given that recent OS X releases want to use your Apple ID as the OS login credentials, that effectively makes these the OS password quality rules, too. Fedora is late to the party, and CentOS consequently even later.
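The distinction Chris Murphy and Warren Young keep returning to, whether a host still accepts password or challenge-response logins (so libpwquality rules are what protects it) or requires public keys as the Mac does, can be checked in sshd_config. The Python below is an added example, not code from this list or from OpenSSH; the keyword defaults it assumes and the two sample configurations are constructed and noted in the comments.

```python
# Added example, not code from the list, OpenSSH or any distro: audit an
# sshd_config for the thread's question, whether a host still takes password
# or challenge-response logins (so password quality is its defence) or
# requires public keys. The sample configs at the bottom are constructed.

# OpenSSH defaults for the audited keywords; PermitRootLogin is 'yes' on the
# OpenSSH 6.x in CentOS 7 (7.0+ defaults to 'prohibit-password').
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "yes"}

def parse_global(config_text):
    """Globally effective value of each audited keyword.
    Two sshd_config rules defeat naive greps: the FIRST value for a keyword wins,
    and everything after the first 'Match' line applies only to matching
    connections, so 'PasswordAuthentication no' there does not harden the default."""
    effective, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; 'Keyword value' and 'Keyword=value' both parse.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective

def audit(config_text):
    """Return findings; an empty list means only public-key logins are accepted."""
    eff = parse_global(config_text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("password logins accepted: password quality is the only defence")
    if eff["challengeresponseauthentication"] != "no":
        findings.append("challenge-response (keyboard-interactive) logins accepted")
    if eff["pubkeyauthentication"] == "no":
        findings.append("public-key authentication disabled")
    if eff["permitrootlogin"] == "yes":
        findings.append("root may log in directly")
    return findings

# Constructed samples: hardening that lives only in a Match block, and a
# keys-only config like the Mac mentioned in the thread (duplicate keyword ignored).
WEAK_CONFIG = "Port 22\nUsePAM yes\nMatch Address 192.0.2.0/24\n    PasswordAuthentication no\n"
HARDENED_CONFIG = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
                   "PubkeyAuthentication yes\nPermitRootLogin no\nPasswordAuthentication yes\n")
```

Note that with UsePAM enabled, a config that only sets PasswordAuthentication no still lets PAM take a password through keyboard-interactive unless ChallengeResponseAuthentication is also no, which is why the audit reports both.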
Timothy Murphy
2015-Jul-29 00:17 UTC
[CentOS] Fedora change that will probably affect RHEL
Warren Young wrote:
> No, I am making the assumption that the vast majority of CentOS installs are racked up in datacenters, VPS hosts, etc.

Is that true, I wonder? For some reason Fedora and CentOS seem reluctant to find out anything about their users (or what their users want). Is anything known about the ratio of RHEL to CentOS machines?

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
Always Learning
2015-Jul-31 01:03 UTC
[CentOS] Fedora change that will probably affect RHEL
On Tue, 2015-07-28 at 14:46 -0600, Chris Murphy wrote:
> Windows Server has PowerShell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers. So I think it's overdue that sshd be disabled on Linux servers by default, especially because the minimum password quality under discussion is still not good enough for forward-facing servers on the Internet with static IPv4 addresses. They will get owned eventually if they use even the new minimum pw quality, and that's why I see pw quality as the wrong emphasis - at least for workstations.

Oh no they will not, if incoming sshd is restricted to a very few IP addresses. A properly configured firewall always helps; selinux too. Closing down or moving ports also helps.

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.