Displaying 6 results from an estimated 6 matches for "challengeresponseauth".
2015 Jul 30
2
Fedora change that will probably affect RHEL
...rases beyond their original meaning, they lose shape and utility.
>
> 6-9 character password limits are *not* "security theatre".
Ok well I consider passwords that keep the dog out and probably most
family members to be security theater.
No fail2ban, no firewall rules, sshd by default, challengeresponseauth
by default, and a 9 character (even random) passphrase, and that shit
is going to get busted into. Against a targeted attack by a botnet,
you need something stronger than a 9 character password, today. Let
alone 6 years from now.
Those other measures need to get better (PKA only, put it behind a
V...
2015 Jul 30
0
Fedora change that will probably affect RHEL
On 07/30/2015 12:35 PM, Chris Murphy wrote:
> No fail2ban, no firewall rules, sshd by default, challengeresponseauth
> by default,
ChallengeResponseAuth is not on by default, on Red Hat derived systems.
I'm pretty sure that was already clarified, much earlier in this thread.
> and a 9 character (even random) passphrase, and that shit
> is going to get busted into. Against a targeted attack by a b...
2015 Jul 28
1
Fedora change that will probably affect RHEL
...a and CentOS lets you click Done twice
and bypass the weak password complaint.
> But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode best practices established 20 years ago.
In order to protect a system that's Internet facing with
challengeresponseauth (rather than PKA), the minimum password quality
would need to be at least initially onerous. Whereas if things are
properly configured such that ssh is only used internally, all you
have to worry about are internal attacks which are hopefully rather
rare.
--
Chris Murphy
2015 Jul 30
1
Fedora change that will probably affect RHEL
On 07/29/2015 07:40 PM, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>> Security is *always* opposed to convenience.
> False. OS X by default runs only signed binaries, and if they come
> from the App Store they run in a sandbox. Users gain significant
> security with this, and are completely unaware of it. There is
2015 Jul 28
11
Fedora change that will probably affect RHEL
Once upon a time, Warren Young <wyml at etr-usa.com> said:
> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
Since most of that crap comes from Windows hosts, the security of Linux
SSH passwords seems hardly relevant.
> Your freedom to use
2015 Jul 29
4
Fedora change that will probably affect RHEL
On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
> Security is *always* opposed to convenience.
False. OS X by default runs only signed binaries, and if they come
from the App Store they run in a sandbox. Users gain significant
security with this, and are completely unaware of it. There is no
inconvenience.
What is the inconvenience of encrypting your device