Gentoo Forums
How to force passwd to accept easy passwords ?
Gentoo Forums Forum Index :: Networking & Security
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2956
Location: Edge of marsh USA
Posted: Sat Feb 27, 2021 4:25 am

Everyone should expect Gentoo to have sane defaults. Weak, lame passwords by default would be dumb.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9675
Location: almost Mile High in the USA
Posted: Mon Mar 01, 2021 1:48 am

Thanks, I was wondering about this; apparently this was part of the pam change that locked me out when pambase didn't get updated because of spidermonkey failing. But anyway, as I was setting up a new machine, I had been using password <redacted> for a while and it no longer meets the new requirements, where it had before, because of <redacted>. Perhaps there's a way to accept <redacted> but not allow dictionary or all-numeric passwords? (Appears not exactly: while all-numeric passwords can be banned, there appear to be no more dictionary checks, at least as it currently stands?)

Luckily, despite being under constant openssh dictionary attacks, there don't appear to be any successful connects; they haven't got the username correct yet either...

hmm...
setting
Code:
enforce=users
appears to allow root to choose bad passwords (with warning) but not allow regular users to be lax with passwords. I'll probably just leave it like this...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

metapsyborg
n00b
Joined: 28 Sep 2011
Posts: 20
Posted: Fri Jan 21, 2022 11:31 pm

Code:
enforce=users

Thanks. I'm trying to create an account for a game server and this ridiculous password check was being a pita.

This policy of forcing a strong user password is foolish because it only gives an illusion of security; it seems more like someone checking a box on their security vulnerability checklist while leaving other gaping holes open. Anyone can just walk up to your computer and boot into an OS on a flash drive to read the hdd, or take out the hard drive and read it from another machine, and it's way easier than guessing your password. So, if you don't enforce home partition encryption, then don't enforce bs "security" like password rules. Obviously a remote attack is not even possible because no default system is running sshd, and if you enable sshd then you will know what you are doing and give a whitelist of users and IPs.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
Posted: Sat Jan 22, 2022 12:18 am

Anyone can just walk up to my computer? No. First they have to break into my house.

ShadowCat8
Apprentice
Joined: 07 Oct 2008
Posts: 173
Location: San Bernardino, CA, USA
Posted: Sat Jan 22, 2022 1:53 am

Ant P. wrote:
I, too, remember the utter horror show an internet-connected Windows 98 PC was.

LOL. :D
You beat me to the punch, Ant!
_________________
"As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality."

-- Albert Einstein

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
Posted: Sat Jan 22, 2022 3:47 am

metapsyborg wrote:
I'm trying to create an account for a game server and this ridiculous password check was being a pita.
If you're creating a faceless account, why bother setting a weak password at all? Make the account locked with no password, or roll a long random password that you don't bother to remember or record, because the only users to ever run as that uid will get there via setuid, not via logging in.
metapsyborg wrote:
Anyone can just walk up to your computer and boot into an OS on a flash drive to read the hdd or take out the hard drive and read it from another machine and it's way easier than guessing your password.
Either of those requires halting the current system, which is fairly noticeable. For me, an unexpected drop in uptime would be a major red flag.

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067
Posted: Sat Jan 22, 2022 5:21 pm

metapsyborg wrote:
Code:
enforce=users

Thanks. I'm trying to create an account for a game server and this ridiculous password check was being a pita.

This policy of forcing a strong user password is foolish because it only gives an illusion of security; it seems more like someone checking a box on their security vulnerability checklist while leaving other gaping holes open. Anyone can just walk up to your computer and boot into an OS on a flash drive to read the hdd or take out the hard drive and read it from another machine and it's way easier than guessing your password. So, if you don't enforce home partition encryption then don't enforce bs "security" like password rules. Obviously a remote attack is not even possible because no default system is running sshd, and if you enable sshd then you will know what you are doing and give a white list of users and ips.
Yikes. Security is not about ignoring vulnerabilities until you can solve all of them at once. Threat models are important as well. You know, the part where some organizations have been encrypting systems "at greater risk" (aka mobile) for many years.

Since your use case is the exception, it makes sense that you would need to make adjustments, not that everyone else should make adjustments to accommodate your unusual circumstance. And similar to enabling ssh, if someone doesn't know any better and would prefer weak or even no passwords, then they should know what they are doing. Exposing an inexperienced person's system to a weak password by default is obviously the worse default. We can leave specifics about what it means for a password to be strong as a separate discussion.

Security also includes dealing with slow transfer of knowledge. And that transfer of knowledge only relatively recently informed everyone that long, hard to remember passwords were secure. As far as I know, there is no new "best practice" that enough people agree on to transfer new knowledge into a new common practice.
_________________
Quis separabit? Quo animo?

forrestfunk81
Guru
Joined: 07 Feb 2006
Posts: 565
Location: münchen.de
Posted: Fri Feb 11, 2022 3:15 pm

pjp wrote:
We can leave specifics about what it means for a password to be strong as a separate discussion.

Security also includes dealing with slow transfer of knowledge. And that transfer of knowledge only relatively recently informed everyone that long, hard to remember passwords were secure. As far as I know, there is no new "best practice" that enough people agree on to transfer new knowledge into a new common practice.

We (the IT guys) trained everyone to use hard to remember and insecure / less-secure passwords (e.g. G3n%T0O#), whereas more secure and easy to remember passwords have been frowned upon (e.g. gentooissupergreatandmayliveforever).
And we even made this mandatory and enforced it with password rules. Many of these silly rules are still in place; iirc the enforcement of passwdqc also does not allow a 35 lowercase letter password. This is absolutely ridiculous.

https://xkcd.com/936/
_________________
# cd /pub/
# more beer

Tickeldi
n00b
Joined: 17 Mar 2009
Posts: 43
Location: Norddeutschland
Posted: Mon Feb 14, 2022 11:07 pm

pjp wrote:
Exposing an inexperienced person's system to a weak password by default is obviously the worse default.

Exchanging a user's freedom of how exactly to use their machine for an increase in security is an arguable decision. Especially for this distribution. In my opinion, it should warn but not prevent you from setting it up however you please. This setting has been annoyingly hard to change.

Want to always accept all licenses when installing software? Bad idea, but if you really want to do it, you can do it easily.
You want to rm -rf / ? It's your call. You want to use dd to flash an iso to a usb stick? Better use the right drive letters.
Want to make every package bleeding edge and use -O3 for everything? Whatever floats your boat.

Want to use the name of your ex girlfriend as a password? No! NO! BAD USER! BAD!
_________________
"Linux is based on DOS, isn't it?" *shudder*

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
Posted: Mon Feb 14, 2022 11:46 pm

Tickeldi wrote:
pjp wrote:
Exposing an inexperienced person's system to a weak password by default is obviously the worse default.

Exchanging a user's freedom of how exactly to use their machine for an increase in security is an arguable decision.
An arguable one, but an argument that you are not likely to win, since the restriction can be changed readily enough. Upstream ships with a preference for security. This preference does not notably impede users who choose good passwords. Personally, I hadn't even noticed this limitation, because my first choice satisfied the quality rules.

I could see an argument for changing the error message to more directly tell the administrator how to change this.
Tickeldi wrote:
In my opinion, it should warn but not prevent you from setting it up however you please.
Warn "you" the root user or "you" the unprivileged user? On multi-user systems, these are different people. The administrator should be given secure defaults, with the discretion to override them where needed. When running a multi-user system with password authentication, I want to trust that, by default, my users are required to use quality passwords. On a single user system with good physical security, I can see allowing root to override the rule, on the basis that root could go change the rule, so enforcing it does not appreciably increase security.
Tickeldi wrote:
Want to always accept all licenses when installing software? Bad idea, but if you really want to do it, you can do it easily.
This was historically not so easy. It is easy now because autounmask was created to simplify making such changes.
Tickeldi wrote:
You want to rm -rf / ? It's your call. You want to use dd to flash an iso to a usb stick? Better use the right drive letters.
Neither of these commands enforces any sanity checks on input. Once a sanity check exists at all, it ought to have sane rules. I like having a sanity check on passwords.
Tickeldi wrote:
Want to make every package bleeding edge and use -O3 for everything? Whatever floats your boat.
Again, there is no specific sanity check here, so there are no default rules for it.
Tickeldi wrote:
Want to use the name of your ex girlfriend as a password? No! NO! BAD USER! BAD!
Let this be a lesson to you. Only date women with names that satisfy the password complexity requirements. This may require you to break up and find someone new if industry best practice about minimum quality changes. Or it might require you to stay with the first woman you date who has a simple name, since you can never let her become your ex.

pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4123
Location: Bavaria
Posted: Tue Feb 15, 2022 9:33 am

Hu wrote:
Let this be a lesson to you. Only date women with names that satisfy the password complexity requirements.

:lol:

Hu, you are the greatest and made my day ... :lol:

Tickeldi
n00b
Joined: 17 Mar 2009
Posts: 43
Location: Norddeutschland
Posted: Tue Feb 15, 2022 12:58 pm

My examples aimed to show that you're allowed to do a lot of dangerous stuff as a user, even without a warning or sanity checks, but when it comes to choosing a password you have to comply with strict rules someone chose for you. It's uncharacteristic of what my experience has been in this environment, is what I wanted to say.

I guess it very much depends on your specific situation. If you're responsible for a multi-user system, weak passwords chosen by one of the users will affect others, because they jeopardize the security of the whole system by being an easy point of entry. So you'll be glad for the enforcement of rules like this. But if you're booting from the Gentoo install media and want to ssh into it real quick from a physically connected machine next to the one you're installing to, it's really annoying.

Hu wrote:
I could see an argument for changing the error message to more directly tell the administrator how to change this.

That would be good enough I think. Because for me, the restriction couldn't be changed "readily enough". I needed longer than I'm comfortable admitting to circumvent it. It's why I'm here having this wonderful conversation.

Hu wrote:
Warn "you" the root user or "you" the unprivileged user?

The root user. An unprivileged user can be made to authorize via anal probe for all I care.

Hu wrote:
Let this be a lesson to you. Only date women with names that satisfy the password complexity requirements. This may require you to break up and find someone new if industry best practice about minimum quality changes. Or it might require you to stay with the first woman you date who has a simple name, since you can never let her become your ex.

That's the sole reason I've been trying to meet Russian women as most systems accept Cyrillic letters as special characters. Great people to break up with too.

Hu wrote:
Personally, I hadn't even noticed this limitation, because my first choice satisfied the quality rules.

Personally, I've been digging spike pits in my front yard and put an Indiana Jones sized boulder behind my front door to ward off solicitors and get faster delivery people via evolutionary selection, but I still feel that it's a good thing this has not as of yet become a mandatory standard practice for others.
_________________
"Linux is based on DOS, isn't it?" *shudder*

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067
Posted: Tue Feb 15, 2022 7:50 pm

forrestfunk81 wrote:
We (the IT guys) trained everyone to use hard to remember and insecure / less-secure passwords
I don't mean to cast aspersions, but I believe it was a decision based primarily on the Windows ecosystem with a rather significant blast radius. In general, it was a good thing to recognize that 'password', 'Password123', etc. shouldn't be used, but the cost was pretty high. And for seemingly little gain.

forrestfunk81 wrote:
Many of this silly rules are still in place, iirc also the enforcement of passwdqc does not allow a 35 lowercase letter password. This is absolutely ridiculous.
I agree, and that was partly the point of my comment. I had a short discussion with a Windows admin about password policy and how someone had mathematically proven that easier alternatives to the random password with minimum character content requirements were no less secure. It was a short discussion not worth continuing; the individual wasn't willing to consider anything contradicting The Standard Way to Do It (unrelated to implementing any changes).


Tickeldi wrote:
Exchanging a users freedom of how exactly to use their machine for an increase in security is an arguable decision. Especially for this distribution. In my opinion, it should warn but not prevent you from setting it up however you please. This setting has been annoyingly hard to change.
I've not tried to make that change, so I can't comment on its difficulty. I thought I had read something indicating it seemed pretty simple, but again, haven't tried. As long as you recognize that my comment that you did quote specifically mentioned inexperienced users, then we'll just have to agree to disagree. I don't think it should be easy for someone who doesn't understand the implication of their decision to easily make it happen. I'm not saying it shouldn't be possible. However, for an experienced person, I think it should be possible and the default expectation that their unique situation be the one requiring extra effort.

Tickeldi wrote:
Want to ...
None of your examples are in my opinion remotely close to the password issue. The rm issue had been mitigated somewhere, but I don't recall where... maybe not Linux or GNU, but that isn't really a Linux issue. I personally favor the change of preventing it. For that, there are only two good solutions. Backups, which aren't likely to be frequent enough to catch all rm accidents, and an undelete mechanism. While performing a lot of manual data manipulation, I managed to remove a small amount of files due to an errant 'cd'. Fortunately I was able to recreate the important files and live without the other 1 or 2. Anyone choosing 'bleeding edge' should by definition expect some blood. Hopefully at some point they learn and realize the error of their ways.

Those issues only result in a possible ideological conflict; missing data due to human error and not flossing the data you want to keep; and misguided enthusiasm. A weak password can have negative consequences beyond the local system in which the weak password was allowed.

On a related note, can a better secure password policy be implemented? Random, non-repeatable characters with a minimum representation of special characters is relatively easy to test.
_________________
Quis separabit? Quo animo?

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067
Posted: Tue Feb 15, 2022 8:13 pm

Tickeldi wrote:
My examples aimed to show that you're allowed to do a lot of dangerous stuff as a user even without a warning or sanity checks but when it comes to choosing a password you have to comply to strict rules someone chose for you. It's uncharacteristic for what my experience has been in this environment is what I wanted to say.
Is the password policy one implemented by Gentoo, or is it an upstream decision? Gentoo generally follows upstream pretty closely. I don't have the knowledge of specific instances where they diverged and why. So this most likely isn't (directly) a Gentoo issue at all.

Tickeldi wrote:
But if you're booting from the gentoo install media and want to ssh into it real quick from a physically connected machine next to the one you're installing to it's really annoying.
I can remember being annoyed at similar issues, though not that specific one. I guess I've gotten used to it such that it isn't an issue any more. When I use boot media, I start sshd and either copy keys or create a user. If I'm installing, then I get a minimally installed system to boot and switch to that for the remainder of the install. I haven't seen an environment that didn't use passwords or network connectivity in a very long time, so I do have that "bias." Dealing with the initial change? Not fun. But a (relatively) long time ago.
_________________
Quis separabit? Quo animo?

Tickeldi
n00b
Joined: 17 Mar 2009
Posts: 43
Location: Norddeutschland
Posted: Sat Apr 09, 2022 6:50 am

If anyone visits this discussion in search of a quick solution:

Code:
sed -i "s/enforce=everyone/enforce=none/g" /etc/security/passwdqc.conf

works for me.
_________________
"Linux is based on DOS, isn't it?" *shudder*
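As an added example (not code from the thread or from the passwdqc project), a small POSIX sh helper that reads and rewrites the enforce= option in a passwdqc.conf-style file rather than running a blind global sed over it: it accepts only the three values passwdqc knows (everyone, users, none), and it fails with a message if the file has no active enforce= line, which the one-liner above would silently skip. The function names and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the enforce= option in a
# passwdqc.conf-style file. Assumed format, as in /etc/security/passwdqc.conf:
# one "key=value" per line, "#" starts a comment. Function names are made up.

# Print the active enforce= value from the file given as $1 (first
# uncommented match; empty output if there is none).
passwdqc_get_enforce() {
    sed -n 's/^[[:space:]]*enforce=\(.*\)$/\1/p' "$1" | head -n 1
}

# Rewrite enforce= in file $1 to $2, which must be one of the three values
# passwdqc understands: everyone (default), users (warn root, enforce for
# unprivileged users) or none. Fails with status 2 on an unknown value and
# with status 1 when the file has no active enforce= line, instead of
# silently changing nothing as a blind "s/enforce=everyone/.../" would.
passwdqc_set_enforce() {
    file=$1
    value=$2
    case $value in
        everyone|users|none) ;;
        *) echo "passwdqc_set_enforce: invalid value '$value'" >&2; return 2 ;;
    esac
    if ! grep -q '^[[:space:]]*enforce=' "$file"; then
        echo "passwdqc_set_enforce: no active enforce= line in $file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    # Only the uncommented enforce= line is touched; leading whitespace,
    # comments and every other option stay as they were. Written back with
    # cat rather than mv so the file keeps its original owner and mode.
    sed "s/^\([[:space:]]*\)enforce=.*/\1enforce=$value/" "$file" > "$tmp" \
        && cat "$tmp" > "$file" \
        && rm -f "$tmp"
}

# Demonstration on a constructed sample (upstream-style defaults) in a temp
# file, so nothing on the real system is modified.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed passwdqc.conf sample for the demo
min=disabled,24,11,8,7
max=72
passphrase=3
match=4
similar=deny
random=47
enforce=everyone
retry=3
EOF
echo "before: enforce=$(passwdqc_get_enforce "$demo_conf")"
passwdqc_set_enforce "$demo_conf" users
echo "after:  enforce=$(passwdqc_get_enforce "$demo_conf")"
rm -f "$demo_conf"
```

Run as root against /etc/security/passwdqc.conf to change the live setting; the demo only touches a temp file.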

lekto
Apprentice
Joined: 20 Sep 2014
Posts: 170
Location: Ancient Rome
Posted: Sat Apr 09, 2022 4:06 pm

My solution for this problem is running openssl passwd and pasting the hash you get between the first and second colon in /etc/shadow.

figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2956
Location: Edge of marsh USA
Posted: Sat Apr 09, 2022 6:32 pm

This thread seems to be deteriorating into unwise solutions.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi

vladimir1986
n00b
Joined: 09 Dec 2010
Posts: 72
Posted: Fri Jun 10, 2022 12:09 pm

Thanks for the passwdqc tip!

enforce=none should be default. ffs, I am installing gentoo on a personal computer, not a bloody mainframe with access to nuclear missile launch codes. Last thing I need is to memorize 304 character passwords with multiple symbols and numbers.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
Posted: Fri Jun 10, 2022 3:04 pm

As noted up thread, Gentoo normally propagates upstream's defaults. If you don't like the default, contact the maintainers and present a reason to have it changed. Posting here is unlikely to result in a change no matter how good an argument you present.

Having used passwords shorter than 100 characters, I think you are engaged in a bit of hyperbole to complain about needing 304 characters. This does not bode well for your argument overall. :)

vladimir1986
n00b
Joined: 09 Dec 2010
Posts: 72
Posted: Sat Jun 11, 2022 9:51 am

Hu wrote:
As noted up thread, Gentoo normally propagates upstream's defaults. If you don't like the default, contact the maintainers and present a reason to have it changed. Posting here is unlikely to result in a change no matter how good an argument you present.

Having used passwords shorter than 100 characters, I think you are engaged in a bit of hyperbole to complain about needing 304 characters. This does not bode well for your argument overall. :)

I love exaggeration, but I was trying to make a point!

This is a bit of a sucky situation: Gentoo's policy is to use upstream's policies. The passwd rules are actually good practice, so I don't think they should be relaxed, as they are tough enough to work out of the box in environments which require higher security, which is good.

However, Gentoo is not a distro whose main goal is security (even if that can be strengthened and made very secure). It is a distro aimed at desktop usage.

Those stringent security measures, while they have a place for some cases, are extremely inconvenient and can cause problems for normal desktop usage. I do think it is Gentoo's duty to change the defaults (which are designed for a completely different use case) at its best, or just mention how to relax the rules in the install handbook at a minimum.

I only know that I used to be able to use passwd with no problems; now I can't. I had to get a second device and find the solution on a random forum in order to be able to complete the installation. This is not very friendly.

Also, the solution of editing passwdqc with enforce=none is quite simple, but not documented anywhere (I didn't even know that file existed!). It should just take a one-line mention in the install handbook! That will leave the decision of how much security the user wants to the same user's responsibility.

shimbob
Tux's lil' helper
Joined: 13 Sep 2003
Posts: 136
Posted: Thu Oct 20, 2022 4:27 am

figueroa wrote:
This thread seems to be deteriorating into unwise solutions.

I went with USE=-passwdqc emerge -C passwdqc myself. This is for a portable game gizmo, though.

Page 2 of 2 (all times are GMT)