On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
> There is another very important case where this falls down: the computer is
> enrolled into AD/IPA and the password is used throughout the organization.
> Just looking at a local machine does not necessarily tell you what the needed
> password strength is.
>
> This is of course not an argument in favor of making the policy stricter, but
> it does mean that _every_ way to change the password should respect the
> system-wide libpwsafe configuration. If the site administrator, along with
> enrolling into IPA/AD, sets up libpwquality to set up password strength
> restriction they deem appropriate, _all_ of Workstation should enforce these
> restrictions. Now perhaps the right default is to _have_ no restrictions but
> they need to be enforced the moment someone sets them up.

I doubt anyone will argue against this. :)

> Um, “we can’t do $this so we need to leave other parts of the system
> insecure” is really not sound logic. At the very least we have the option of
> giving up on VNC instead. And I don’t really see why it would be impossible
> to add a password strength check for VNC at all; in the worst case we could
> just store the libpwquality score when the password is set / changed
> somewhere, and use this stored score to decide whether to warn the user
> before enabling VNC (storing the scores like this, and telling the attacker
> which accounts are weak, would be bad on multi-user desktops, but those are
> rare nowadays and the admin wouldn’t want individual users to go enabling
> services on such machines anyway). What am I missing?

Eh, well by my logic they are both so closely-related that it's nonsense to treat them differently... but that comment was more a wishful "somebody please fix VNC or rewrite history" than anything. I have no clue why VNC passwords are limited/truncated to eight characters, but it seems like that limitation makes the protocol not worth supporting at all, let alone worth promoting in System Settings. I wonder how well FreeRDP is coming along....