search for: challengeresponseauth

Displaying 6 results from an estimated 6 matches for "challengeresponseauth".

2015 Jul 30
2
Fedora change that will probably affect RHEL
...rases beyond their original meaning, they lose shape and utility.
> > 6-9 character password limits are *not* "security theatre".
Ok well I consider passwords that keep the dog out and probably most family members to be security theater. No fail2ban, no firewall rules, sshd by default, challengeresponseauth by default, and a 9 character (even random) passphrase, and that shit is going to get busted into. Against a targeted attack by a botnet, you need something stronger than a 9 character password, today. Let alone 6 years from now. Those other measures need to get better (PKA only, put it behind a V...
2015 Jul 30
0
Fedora change that will probably affect RHEL
On 07/30/2015 12:35 PM, Chris Murphy wrote:
> No fail2ban, no firewall rules, sshd by default, challengeresponseauth
> by default,
ChallengeResponseAuth is not on by default, on Red Hat derived systems. I'm pretty sure that was already clarified, much earlier in this thread.
> and a 9 character (even random) passphrase, and that shit
> is going to get busted into. Against a targeted attack by a b...
2015 Jul 28
1
Fedora change that will probably affect RHEL
...a and CentOS lets you click Done twice and bypass the weak password complaint.
> But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode best practices established 20 years ago.
In order to protect a system that's Internet facing with challengeresponseauth (rather than PKA), the minimum password quality would need to be at least initially onerous. Whereas if things are properly configured such that ssh is only used internally, all you have to worry about are internal attacks which are hopefully rather rare.
-- Chris Murphy
2015 Jul 30
1
Fedora change that will probably affect RHEL
On 07/29/2015 07:40 PM, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>> Security is *always* opposed to convenience.
> False. OS X by default runs only signed binaries, and if they come
> from the App Store they run in a sandbox. Users gain significant
> security with this, and are completely unaware of it. There is
2015 Jul 28
11
Fedora change that will probably affect RHEL
Once upon a time, Warren Young <wyml at etr-usa.com> said:
> Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant.
> Your freedom to use
2015 Jul 29
4
Fedora change that will probably affect RHEL
On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
> Security is *always* opposed to convenience.
False. OS X by default runs only signed binaries, and if they come from the App Store they run in a sandbox. Users gain significant security with this, and are completely unaware of it. There is no inconvenience. What is the inconvenience of encrypting your device