Your message dated Fri, 3 May 2024 21:42:01 +0200
with message-id <20240503214201.b0b389be5197d4a9d1253...@mailbox.org>
and subject line Uploading user-setup: update password selection advice
has caused the Debian Bug report #868869,
regarding debian-installer should not recommend to change password periodically (and more)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-installer
Severity: wishlist
Tags: patch

Hi,

>> A good password will contain a mixture of letters, numbers and punctuation
>> and should be changed at regular intervals.

 Now debian-installer recommends changing the root password periodically; however,
 nowadays it SHOULD NOT. E.g. NIST publishes the Digital Identity Guidelines,
 and in "5.1.1.2 Memorized Secret Verifiers" it says

> Verifiers SHOULD NOT impose other composition rules (e.g., requiring 
> mixtures of different character types or prohibiting consecutively 
> repeated characters) for memorized secrets. Verifiers SHOULD NOT 
> require memorized secrets to be changed arbitrarily (e.g., periodically). 

 see https://pages.nist.gov/800-63-3/sp800-63b.html

 We should follow it to provide a secure environment for users, at least.
 Patch attached.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
From 0cbb696c3a3bde3cb9f32f6778396eb341a0f137 Mon Sep 17 00:00:00 2001
From: Hideki Yamane <henr...@debian.org>
Date: Wed, 19 Jul 2017 20:15:03 +0900
Subject: [PATCH] Do not recommend insecure password customs

see Digital Identity Guidelines by NIST
https://pages.nist.gov/800-63-3/sp800-63b.html

> Verifiers SHOULD NOT impose other composition rules (e.g., requiring
> mixtures of different character types or prohibiting consecutively
> repeated characters) for memorized secrets. Verifiers SHOULD NOT
> require memorized secrets to be changed arbitrarily (e.g., periodically).
---
 debian/user-setup-udeb.templates | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/debian/user-setup-udeb.templates b/debian/user-setup-udeb.templates
index 45e16b4..df58475 100644
--- a/debian/user-setup-udeb.templates
+++ b/debian/user-setup-udeb.templates
@@ -40,9 +40,6 @@ _Description: Root password:
  that is not easy to guess. It should not be a word found in dictionaries,
  or a word that could be easily associated with you.
  .
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
- .
  The root user should not have an empty password. If you leave this
  empty, the root account will be disabled and the system's initial user
  account will be given the power to become root using the "sudo"
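Review bot: Deleting the whole paragraph leaves the root-password template with no positive guidance in place of the removed sentence; the SP 800-63B text quoted in the commit message argues against composition rules and arbitrary periodic changes, not against recommending a longer password or passphrase, so consider rewording the paragraph (and keeping its `.` separator line) to advise on length instead of dropping it outright. The hunk is otherwise consistent: `-40,9 +40,6` matches three deletions, and the remaining `.` line before "The root user should not have" still separates the paragraphs. Since the edited field is a translatable `_Description`, the existing translations of this string will become outdated and need attention alongside the upload.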
-- 
2.13.2


--- End Message ---
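As an added illustration (not code from the bug report or the user-setup package), a small Python verifier policy in the spirit of the SP 800-63B section 5.1.1.2 text quoted above, placed beside the legacy "mix letters, numbers and punctuation, rotate regularly" policy the removed template sentence described; function names, the blocklist and the sample secrets are this example's own constructions.

```python
# Added example (not from the bug report or user-setup): a memorized-secret
# verifier in the spirit of NIST SP 800-63B section 5.1.1.2, beside the legacy
# "mix letters, numbers and punctuation, rotate regularly" policy that the
# removed template sentence described. All names are this example's own.
import string
import unicodedata

# Constructed stand-in for a blocklist of commonly used or breached values.
BLOCKLIST = {"password", "p@ssw0rd1", "debian", "123456", "qwerty"}
MIN_LENGTH = 8    # SP 800-63B minimum length for user-chosen secrets
MAX_LENGTH = 64   # verifiers are told to permit at least 64 characters


def nist_style_check(secret, blocklist=BLOCKLIST):
    """Return the reasons a secret is rejected; an empty list means accepted.
    No composition rules and no expiry: only length and a blocklist match."""
    s = unicodedata.normalize("NFKC", secret)   # stable comparison of Unicode input
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(s) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if s.lower() in blocklist:
        reasons.append("matches a commonly used or compromised value")
    return reasons


def legacy_style_check(secret, age_days):
    """The policy the removed template text described: letters, digits and
    punctuation all required, and a secret older than 90 days must be rotated."""
    reasons = []
    if not any(c.isalpha() for c in secret):
        reasons.append("no letters")
    if not any(c.isdigit() for c in secret):
        reasons.append("no digits")
    if not any(c in string.punctuation for c in secret):
        reasons.append("no punctuation")
    if age_days > 90:
        reasons.append("older than 90 days, must be rotated")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a long passphrase and a short "complex" secret.
    for secret in ("correct horse battery staple", "P@ssw0rd1"):
        print(repr(secret), "nist:", nist_style_check(secret) or "ok",
              "legacy:", legacy_style_check(secret, age_days=120) or "ok")
```

The long passphrase passes the length-and-blocklist check but fails the legacy composition rules, while the short blocklisted value passes the legacy rules and is rejected only by the blocklist comparison.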
--- Begin Message ---
Version: 1.97


Forgot to mention bug closure in changelog before uploading, so closing now
manually.

-- 
Holger Wansing <hwans...@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

--- End Message ---
