On Tue, Jul 28, 2015 at 3:10 PM, Robert Wolfe <robert.wo...@malco.com> wrote:
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
> Of Chris Murphy
> Sent: Tuesday, July 28, 2015 3:46 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Fedora change that will probably affect RHEL
>
> [...]
>
> What you said:
>
> "Windows Server has power shell disabled by default. The functional
> equivalent, sshd, is typically enabled on Linux servers. So I think it's
> overdue that sshd be disabled on Linux servers by default, especially because
> the minimum password quality under discussion is still not good enough for
> forward facing servers on the Internet with static IPv4 addresses. They will
> get owned eventually if they use even the new minimum pw quality, and that's
> why I see pw quality as the wrong emphasis - at least for workstations."
>
> And my reply:
>
> For things like SSH and RDP I use two-factor authentication using DUO. For
> the machines that I absolutely have to have these kinds of access to (my BBS
> for RDP and my mail server for SSH), this works well I think at providing an
> extra layer of security for both protocols and is quite affordable and is
> easy to administer.

OK but imagine making that the default, and how many workflows that
don't need that level of authentication will be bothered in one form
or another: a.) change workflow b.) learn how to revert the behavior.

It's one thing to disable sshd by default because pretty much everyone
familiar with a particular distribution will be familiar with
console/OOB enabling of sshd, or eventually being used to initially
accessing a web interface to enable such a service.

-- 
Chris Murphy