On Sat, May 17, 2008 at 06:42:57AM +0530, Raj Kiran Grandhi wrote:
> Rico Secada wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can be
> compromised remotely. Obviously, the ability to become root by tweaking
> the boot parameters from the grub screen does not count as a vulnerability.
>
> --
> Raj Kiran Grandhi
One thing that I find rather hard to justify is that even on an Etch system installed from scratch just a few weeks ago, /etc/pam.d/common-password has

    password required pam_unix.so nullok obscure min=4 max=8 md5

so I can be confidently entering my 200 character uber password thinking that it is hacker proof, when all the time Debian is truncating it to eight characters... :-/

Unless you require it for backward compatibility (because you are importing passwords from an old (less secure) system) I don't see why you would want to limit password length at all? (except, of course, to set a lower limit)

Something I always like to add to my systems when I need to be able to ssh from outside is an 'ssh' group (although Debian has claimed that group name, so I now use something less convenient) with sshd configured to allow logins only to accounts in that group. That way I can limit the facility to accounts which need it, and at least all of those thousands of daily login attempts by script kiddies are to accounts which are bound to fail no matter what password they try - even if I have forgotten to remove the upper limit on password length...

A length restricted root password which can be entered from a remote ssh client would be more of a concern to me than the occasional unnecessarily suided application...

Regards,
DigbyT
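The group-restricted sshd setup and the pam_unix password line DigbyT describes, as an added audit script that is not part of the thread: it reports whether an sshd_config names a given group in AllowGroups and what max= value the pam_unix password line carries. The sample files, the group name sshusers and the function names are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit the two settings DigbyT raises,
# AllowGroups in sshd_config and max= on the pam_unix password line. The
# files are constructed samples so this runs offline; on a real host use
# /etc/ssh/sshd_config and /etc/pam.d/common-password. "sshusers" is assumed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sshd_config" <<'EOF'
Port 22
PermitRootLogin no
# only members of this group may log in over ssh
AllowGroups sshusers
EOF

cat > "$WORK/common-password" <<'EOF'
password required pam_unix.so nullok obscure min=4 max=8 md5
EOF

cat > "$WORK/common-password.fixed" <<'EOF'
password required pam_unix.so nullok obscure min=4 md5
EOF

# sshd_allows_group FILE GROUP: exit 0 when an AllowGroups line names GROUP.
# With no AllowGroups directive at all, every account with a shell is
# reachable, so that case fails the check as well.
sshd_allows_group() {
    awk -v grp="$2" '
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) if ($i == grp) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# pam_unix_max FILE: print the max= value from the pam_unix password line,
# or "unlimited" when the option is absent.
pam_unix_max() {
    awk '
        $1 == "password" && /pam_unix\.so/ {
            for (i = 3; i <= NF; i++) if ($i ~ /^max=/) { sub(/^max=/, "", $i); print $i; exit }
            print "unlimited"; exit
        }' "$1"
}

if sshd_allows_group "$WORK/sshd_config" sshusers; then
    echo "sshd: logins restricted to group sshusers"
else
    echo "sshd: WARNING, no AllowGroups entry for sshusers"
fi
echo "pam_unix max= as shipped: $(pam_unix_max "$WORK/common-password")"
echo "pam_unix max= after edit: $(pam_unix_max "$WORK/common-password.fixed")"
```

Point the two functions at /etc/ssh/sshd_config and /etc/pam.d/common-password to run the same checks on a real host; the script only reports what the configuration says, it does not change it.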