Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Greg Woods sent:
> I'm surprised no one has posted this yet:
>
> https://xkcd.com/936/

Virtually the same thing as I said, minus the illustrations.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask them to reboot theirs, first.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 21:27:51 +0100 Patrick O'Callaghan wrote:
> Because modern CPUs already have hardware RNGs built-in, without
> requiring an additional chip?

But, but, but, they aren't quantum :-).
Re: gnome-password-generator replacement?
On 06/18/2017 01:55 PM, Andre Robatino wrote:
> Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough. gnome-password-generator has a Character set option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be really nice if there was something where you could specify an exact set of characters to either include or exclude, to cope with certain websites that allow only some special characters.

I use "apg". It lets you choose the character classes you want included in the password and you can also exclude specific characters if necessary.
Re: Is default umask of 022 still reasonable for Fedora?
On 19Jun2017 13:17, stan wrote:
> On Mon, 19 Jun 2017 16:48:40 +0100 Patrick O'Callaghan wrote:
>> Bear in mind that by default Fedora allocates each user to his own private group. Presumably someone who intentionally shares group membership is expected to understand the implications and adjust umask if necessary.
>
> Another good point. It seems that my concerns about umask might be misguided.

Dunno. I'm fairly private and like to end my umask in a 7 normally. Usually discussions revolve around the group bits.

Normally you wouldn't share membership of your personal group - this arranges that 027 (or the like) in your home directory is essentially private. Instead, one makes other groups for shared work.

For example, my partner and I have a group for "us"; both our personal accounts are in it (so it is a secondary group membership); we have a shared third account (for stuff to do with home and so on); its group has both our individual accounts as members, giving both of us read/write to it.

Cheers,
Cameron Simpson
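Added example, not part of the original thread: the umask values discussed here (022, 002, 027, 077) applied to a file and a directory created the usual way, followed by a small audit that lists which of the resulting files carry the bits the thread is worried about. The file names and the choice of flagged bits are assumptions of this sketch.

```python
import os
import stat
import tempfile


def create_under(umask_value, directory, name):
    """Create a file and a sub-directory as most programs do (requesting
    0666 and 0777) and return the permission bits actually granted."""
    old = os.umask(umask_value)
    try:
        path = os.path.join(directory, name)
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666))
        sub = path + ".d"
        os.mkdir(sub, 0o777)
        return os.stat(path).st_mode & 0o777, os.stat(sub).st_mode & 0o777
    finally:
        os.umask(old)  # always restore the caller's umask


def exposed_files(root):
    """List regular files under root that others can read or that anyone
    but the owner can write. This looks at mode bits only: a parent
    directory without search permission still blocks access."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            flags = []
            if mode & stat.S_IROTH:
                flags.append("other-read")
            if mode & stat.S_IWGRP:
                flags.append("group-write")
            if mode & stat.S_IWOTH:
                flags.append("other-write")
            if flags:
                findings.append((os.path.relpath(path, root), flags))
    return sorted(findings)


def demo():
    """Create one file per umask in a scratch directory, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        modes = {
            u: create_under(u, root, "pw_%03o.txt" % u)
            for u in (0o022, 0o002, 0o027, 0o077)
        }
        return modes, exposed_files(root)


if __name__ == "__main__":
    modes, findings = demo()
    for u, (fmode, dmode) in modes.items():
        print("umask %03o -> file %04o, directory %04o" % (u, fmode, dmode))
    for path, flags in findings:
        print("exposed:", path, ", ".join(flags))
```

With Fedora's private-group default, the group-write bit left by 002 only matters once someone else is added to that group, which is the case the posters describe.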
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 15:54 -0400, Tom Horsley wrote:
> I just want to know when we'll all have one of these built into
> our computers?
>
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
>
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

Because modern CPUs already have hardware RNGs built-in, without requiring an additional chip?

poc
Re: Is default umask of 022 still reasonable for Fedora?
On Mon, 19 Jun 2017 16:48:40 +0100 Patrick O'Callaghan wrote:
> Bear in mind that by default Fedora allocates each user to his own
> private group. Presumably someone who intentionally shares group
> membership is expected to understand the implications and adjust umask
> if necessary.

Another good point. It seems that my concerns about umask might be misguided.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 15:54:25 -0400 Tom Horsley wrote:
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
>
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

It might be that they are arguing about patent rights, but it could also be that the prototype is not robust enough to deal with everyday life. There is a huge junkyard between the bench and the shelf.

It could also be that a government agency bought all the rights to the device, and is sitting on it because it is too secure. What would speculation be without conspiracy theories? :-)
Re: gnome-password-generator replacement?
I just want to know when we'll all have one of these built into our computers?

http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682

(Doesn't look like it has been turned into a commercial product yet which kind of surprises me - probably the researchers and the university arguing about rights :-).
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 17:35:10 - "Andre Robatino" wrote:
> It seemed
> to be a fairly sophisticated attack. When my PayPal account was
> accessed, my email account was DoS'd by sending thousands of garbage
> emails to it every hour, to prevent me from reading PayPal's email
> notifications associated with account activity. It wasn't until later
> in the day that I discovered independently what had happened, and
> realized why my email was being DoS'd.

Yes, that certainly seems sophisticated. Systems level thinking.
Re: Is default umask of 022 still reasonable for Fedora?
On Mon, 19 Jun 2017 10:03:35 -0700 Gordon Messmer wrote:
> As a minor point, I'd mention that Fedora's default umask is 002, not
> 022, except for the root user.

Thanks.

> I think either is fine. umask governs how you share files with other
> authorized users of the local computer system (where "local" is
> defined as all hosts sharing the same user database). I only share
> computing systems with people that I want to work with, so the
> default umask of 002 is entirely appropriate.

How much damage would it do to you if their accounts were compromised?

> That
> phrase brings to mind an increase in malware, which is a concern, but
> not one that umask can affect in any way. If malware makes its way
> on to your workstation, it's almost certainly running under your
> account. It has exactly the same permission as any one of your other
> processes. umask doesn't change that.

Good point.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl wrote:
> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.
>
> In case of any doubt, you can always do something like
>
> head /dev/random | tr -dc A-Za-z0-9 | head -c X
>
> where X is your password length. Tr also lets you tailor the
> characterset used.

Here's my shell hack to generate passwords using the above. It saves the passwords in the file devurandom_password.txt in the home directory.

#!/bin/bash
# generate a password using a character set, /dev/urandom,
# and tr to select the characters included.
# The three arguments are
#   the character class to use to generate the password (default alnum)
# and
#   the length of the password (default 20)
# and
#   the number of passwords to generate (default 10)

class=${1:-an}
length=${2:-20}
count=${3:-10}

DPW="/home/$USER/devurandom_password.txt"

# Map the two-letter abbreviation to a tr character class;
# anything unrecognised falls back to alnum.
case "$class" in
    al) charset='[:alpha:]' ;;
    cn) charset='[:cntrl:]' ;;
    di) charset='[:digit:]' ;;
    gr) charset='[:graph:]' ;;
    lo) charset='[:lower:]' ;;
    pr) charset='[:print:]' ;;
    pu) charset='[:punct:]' ;;
    sp) charset='[:space:]' ;;
    up) charset='[:upper:]' ;;
    xd) charset='[:xdigit:]' ;;
    *)  charset='[:alnum:]' ;;
esac

# The file holds passwords: if it is created here, make it owner-only.
umask 077

echo "Passwords from /dev/urandom with $class" > "$DPW"
echo '' >> "$DPW"

for ((x = 0; x < count; x = x + 1)); do
    # Read bytes straight from /dev/urandom and let head -c end the
    # pipeline once enough matching characters have been kept.
    # LC_ALL=C makes tr treat its input as single bytes.
    # Writing directly to the file avoids word splitting and globbing
    # of punctuation such as '*'.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length" >> "$DPW"
    printf '\n\n' >> "$DPW"
done

exit 0
Re: Postfix bug ...
On Mon, 19 Jun 2017 20:26:29 +0200 Walter H. wrote:
> what is this?
> header_checks tells this and I'm used to use pcre with postfix ...

Perhaps postfix-pcre isn't installed?
Postfix bug ...
Hello,

Jun 19 20:18:01 fedorabox postfix/smtp[4723]: error: unsupported dictionary type: pcre

what is this?
header_checks tells this and I'm used to use pcre with postfix ...

/etc/postfix/main.cf:
smtp_header_checks = pcre:/etc/postfix/smtp_hdr_chks.pcre
smtp_mime_header_checks =
smtp_nested_header_checks =

/etc/postfix/smtp_hdr_chks.pcre:
# remove 'Precedence: bulk'
/^precedence:[[:cntrl:][:space:]](.*)$/ IGNORE

Thanks,
Walter
Re: gnome-password-generator replacement?
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
> couldn't they just capture the passwords when they were unhashed?
> i.e. could it have been that they let paypal know they had been
> compromised, so that a program they left on paypal's systems could
> report the unhashed passwords when paypal told their users to reset
> their passwords?

I don't know how it was done, but I'm pretty sure they grabbed the password hashes, not the plaintext passwords. If the hashes weren't salted, they could have just used a standard lookup table.

It seemed to be a fairly sophisticated attack. When my PayPal account was accessed, my email account was DoS'd by sending thousands of garbage emails to it every hour, to prevent me from reading PayPal's email notifications associated with account activity. It wasn't until later in the day that I discovered independently what had happened, and realized why my email was being DoS'd.
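Added example, not part of the original thread: why the missing salt mentioned above matters for anyone storing passwords. It puts a fast unsalted hash beside a per-user salted, iterated one (PBKDF2 from Python's hashlib); the account names, passwords and iteration count are constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def fast_unsalted(password):
    """Weak storage: one fast hash, identical for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Stronger storage: random per-user salt plus an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], digest)


# Constructed sample data.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "T7#pw}Qz!m2Vx@9s"}
COMMON = ["123456", "password", "letmein", "qwerty"]


def lookup_table_hits(unsalted_db):
    """A table of hash -> password is built once and works against every
    unsalted database that uses the same hash function."""
    table = {fast_unsalted(p): p for p in COMMON}
    return {user: table[h] for user, h in unsalted_db.items() if h in table}


def demo():
    unsalted = {u: fast_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: slow_salted(p) for u, p in ACCOUNTS.items()}
    return {
        # Weak passwords fall straight out of the precomputed table.
        "unsalted_hits": lookup_table_hits(unsalted),
        # Two users with one password are visibly linked without a salt...
        "same_unsalted": unsalted["alice"] == unsalted["bob"],
        # ...and not with one, so a table would have to be rebuilt per salt.
        "same_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("letmein", *salted["alice"]),
        "login_bad": verify("letmeim", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The long random password is untouched in both schemes, which matches the thread's point that password strength matters most when the site's storage is weak.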
Re: gnome-password-generator replacement?
On 06/18/2017 08:49 PM, Andre Robatino wrote:
> Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.

A credit card that I recall, allows 56 character passwords.
Re: Firefox
On 06/18/2017 08:28 PM, Lawrence E Graves wrote:
> Not able to control the maximize control on my firefox web browser. If I unmaximize the browser and close it out. When I log back on, it automatically goes to maximize. Can anybody help with this matter? Am I reporting to the list?

Unfortunately, Firefox (Mozilla in general) has no mailing list. They have a forum, which I personally disdain, as I prefer a mailing list myself.

https://www.mozilla.org/en-US/about/forums/
Re: Is default umask of 022 still reasonable for Fedora?
On 06/18/2017 07:18 PM, stan wrote:
> On Mon, 19 Jun 2017 05:49:20 +0800 Ed Greshko wrote:
>> You haven't described your environment.
>
> Home workstation with no web facing services.

As a minor point, I'd mention that Fedora's default umask is 002, not 022, except for the root user.

I think either is fine. umask governs how you share files with other authorized users of the local computer system (where "local" is defined as all hosts sharing the same user database). I only share computing systems with people that I want to work with, so the default umask of 002 is entirely appropriate. For single-user systems (workstations), umask has no practical effect.

I don't believe there have been any changes in "today's security atmosphere" relevant to collaborative work, where umask applies. That phrase brings to mind an increase in malware, which is a concern, but not one that umask can affect in any way. If malware makes its way on to your workstation, it's almost certainly running under your account. It has exactly the same permission as any one of your other processes. umask doesn't change that.

It seems to me that linux depends a lot on file permissions for security, particularly for root.

If we're going to discuss general security practices and principles, I'd start with: Don't log in as root.
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 8:42 AM, stan wrote:
> The man page says they are modified to be more memorable, by
> some definition, and so are less than completely random.
>
> ...generates passwords which are designed to be easily memorized by
> humans, while being as secure as possible.
>

I'm surprised no one has posted this yet:

https://xkcd.com/936/

--Greg
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 11:12:20 -0400 Matthew Miller wrote:
> There are only a handful of commonly-used cryptographically-secure
> hashes which are likely to be used, and they're relatively easy to
> narrow down simply by looking at length. Or, if they're stored like
> they are in /etc/shadow, the entire string actually includes an
> identifier for the hash.
>
> If the passwords are hashed in a non-standard way or with some made-up
> thing... there's probably something wrong that a skilled attacker can
> exploit. (Rule one of crypto: don't write your own crypto.)

Why not use RSA? Create a set of RSA keys, and don't publish them. Encrypt each password with one of the keys, and store it in a database. When needed, decrypt it with the other RSA key. Or encrypt with the original key to compare with the database contents.

If an attacker gets the database without the RSA keys, they are trying to decrypt the encrypted message without knowing the composite number that generated the keys. That is, they are trying to break RSA for all composite numbers the product of two large primes. Horrendous. And because these RSA keys aren't published, they can be nonstandard sizes. 4023? 3084? 6173? Good luck with that if you are the cracker. :-)

This is private key RSA instead of public key RSA, more secure. Not roll your own crypto, extensively attacked and tested crypto. Sure, if your system gets compromised, and someone gains the keys, they break the encryption easily, but that isn't a crypto problem.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 12:07 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 16:44:25 +0100
> Patrick O'Callaghan wrote:
>
> > Exactly. It also makes me question the competence of whoever programmed
> > the website. Can it be that they only know how to read alphanumeric
> > input?
>
> I always suspect someone's nephew built the web site and
> didn't know how to properly quote and unquote special
> characters in HTTP messages :-).

Indeed. It's often the same kind of site that breaks when I input my surname ...

poc
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 16:44:25 +0100 Patrick O'Callaghan wrote:
> Exactly. It also makes me question the competence of whoever programmed
> the website. Can it be that they only know how to read alphanumeric
> input?

I always suspect someone's nephew built the web site and didn't know how to properly quote and unquote special characters in HTTP messages :-).
Re: gnome-password-generator replacement?
Tim:
>> Really, what ought to get tightened up is the software accepting
>> logons. There should be a limited number of attempts (3 goes and you're
>> out for a significant time limit). Any system that lets a cracker
>> hammer away with repeated attempts is the thing that is broken.

stan:
> I don't think it has to be as low as 3. It could be 100 or 1000, a
> restriction that a human will never hit, but a cracking program will
> hit almost immediately.

Three seems to be a common threshold, but I agree that it could be set higher for those reasons. I know that I've mistyped things three times in a row, and when you can't see what you're typing, it's easy to not notice you've made a mistake. Like you, I imagine a cracking attempt is going to try more than a person would.

> This makes it easy to separate attackers from legitimate users, and
> take appropriate action against the attackers. Ban their IP address?
> Notify their ISP? Track their botnet and disable it? I'm not sure
> there are effective defenses.
>
> An alternative is to look for frequency of login attempts. More than 1
> every second implies a bot, not a human.

Again, I agree. It's not too hard for a person to make that kind of judgement call about what's a cracking attempt versus a human trying to deal with a poor interface, so it ought to be a programmable solution, too.

I think you'd first want to block the source from further attempts. If multiple sources are trying, you know it's a crack attempt. No real user could be doing that. You could try banning all cracking sources, but if they're a zombied army of bots, you could be banning genuine users of your service who've no idea they're using a compromised computer. So the idea of notifying their ISP has merit, on a number of fronts (ISP can tell the user they need to fix up their PC, ISP can take action to check if their users are indulging in organised hacking, etc).

Though there's still the problem of reporting things to ISPs that are a problem, in themselves. In my early days of using the net, I'd occasionally make a report to an ISP about spam from one of their users, only to get a bucketload more spam straight away. It was obvious that the ISP itself, or one of their staff, was involved in spamming; or they stupidly inform their user about the complaint, naming where the complaint came from. Either way, making a complaint was actually worse than useless.
Re: Is default umask of 022 still reasonable for Fedora?
On Mon, 2017-06-19 at 07:05 -0700, stan wrote:
> On Mon, 19 Jun 2017 07:55:59 +1000
> Cameron Simpson wrote:
>
> > As remarked elsewhere, it does depend on your environment.
>
> Well, yes, but it just seems that the default should be to the most
> secure.
>
> > I like 027 myself. Combined with setgid directories it leaves things
> > readable by the group of the working area, but otherwise private.
> > Then one just arranges group ownership. A workable default.
>
> That seems reasonable, and would be better than the current default.

Bear in mind that by default Fedora allocates each user to his own private group. Presumably someone who intentionally shares group membership is expected to understand the implications and adjust umask if necessary.

poc
Re: Firefox
Allegedly, on or about 18 June 2017, Lawrence E Graves sent:
> Not able to control the maximize control on my firefox web browser. If
> I unmaximize the browser and close it out. When I log back on, it
> automatically goes to maximize.

Sometimes dopey things can stop that kind of problem, such as un-maximise the browser, then grab a window border and resize the window by some amount, then quit the program. I've done that kind of thing, before, to tame a web browser. Perhaps it's the window resizing that sets a parameter somewhere, clearing out some peculiar problem.

It may depend on your desktop manager, too. I found the Gnome 3 (which I don't use anymore), it liked to behave like a tablet computer, with every program full screen, and a pain to use several programs simultaneously.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 08:36 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
>
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
>
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).

I just use the X buffer copy-and-paste, which they don't seem to be aware of.

> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

Exactly. It also makes me question the competence of whoever programmed the website. Can it be that they only know how to read alphanumeric input?

poc
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,

There are only a handful of commonly-used cryptographically-secure hashes which are likely to be used, and they're relatively easy to narrow down simply by looking at length. Or, if they're stored like they are in /etc/shadow, the entire string actually includes an identifier for the hash.

If the passwords are hashed in a non-standard way or with some made-up thing... there's probably something wrong that a skilled attacker can exploit. (Rule one of crypto: don't write your own crypto.)

--
Matthew Miller
Fedora Project Leader
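Added example, not part of the original thread: an audit helper that reads the scheme identifier out of /etc/shadow-style password fields, as described above, and falls back to digest length for bare hex values, so an administrator can list accounts still stored under a weak scheme. The shadow lines are constructed, and the "acceptable" column reflects this sketch's assumption that md5crypt, bare digests and empty fields should be flagged.

```python
import re

# crypt(3) modular-format identifiers -> (scheme, acceptable for this audit)
CRYPT_IDS = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}

# Hex digest length -> digest size; length narrows the candidates only.
HEX_SIZES = {
    32: "128-bit (MD5-sized)",
    40: "160-bit (SHA-1-sized)",
    64: "256-bit (SHA-256-sized)",
    128: "512-bit (SHA-512-sized)",
}


def identify(field):
    """Return (scheme description, acceptable) for one stored password field."""
    if field == "":
        return ("empty password field", False)
    if field in ("*", "!", "!!"):
        return ("locked, no hash", True)
    field = field.lstrip("!")  # leading '!' = locked account, hash retained
    match = re.match(r"\$([0-9a-z]+)\$", field)
    if match:
        ident = match.group(1)
        return CRYPT_IDS.get(ident, ("unknown crypt id '%s'" % ident, False))
    if re.fullmatch(r"[0-9a-fA-F]+", field) and len(field) in HEX_SIZES:
        return ("unsalted hex digest, " + HEX_SIZES[len(field)], False)
    return ("unrecognised format", False)


def audit_shadow(lines):
    """Return (user, scheme) for every account whose storage is flagged."""
    findings = []
    for line in lines:
        user, field = line.split(":")[:2]
        scheme, acceptable = identify(field)
        if not acceptable:
            findings.append((user, scheme))
    return findings


# Constructed sample in /etc/shadow layout; the hash bodies are filler.
SAMPLE_SHADOW = [
    "root:$6$c0nstructed$" + "A" * 86 + ":17336:0:99999:7:::",
    "legacy:$1$c0nstruc$" + "B" * 22 + ":17000:0:99999:7:::",
    "daemon:*:17000:0:99999:7:::",
    "parked:!$6$c0nstructed$" + "C" * 86 + ":17336:0:99999:7:::",
    "guest::17336:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %s" % (user, scheme))
    print(identify("ab" * 32))  # a bare 64-character hex value from a database
```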
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 02:49:30 - "Andre Robatino" wrote:
> Many websites don't allow even 30 chars. One of the important ones I
> use allows only 16 characters (and no 2FA option), but happens to
> allow special characters. Using the largest possible character set is
> the only way to shore that up.

Good point.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 04:48:16 - "Andre Robatino" wrote:
> That works as long as the website isn't hacked. If it is, even if the
> passwords are hashed (which they often aren't), the hash can be
> cracked if the password is weak.

How? Don't the attackers have to know the password hashing algorithm to do that? If they have enough penetration into the system to know that, couldn't they just capture the passwords when they were unhashed? i.e. could it have been that they let paypal know they had been compromised, so that a program they left on paypal's systems could report the unhashed passwords when paypal told their users to reset their passwords?
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 12:51:30 +0930 Tim wrote:
> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit). Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.

I don't think it has to be as low as 3. It could be 100 or 1000, a restriction that a human will never hit, but a cracking program will hit almost immediately.

This makes it easy to separate attackers from legitimate users, and take appropriate action against the attackers. Ban their IP address? Notify their ISP? Track their botnet and disable it? I'm not sure there are effective defenses.

An alternative is to look for frequency of login attempts. More than 1 every second implies a bot, not a human.
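Added example, not part of the original thread: the two tests proposed in this message (a failure count no human reaches, and more than one attempt per second), plus the multiple-sources test from the reply to it, run over a constructed authentication log. The log format, the burst size of 5 and the three-source threshold are assumptions of this sketch.

```python
from collections import defaultdict


def sample_log():
    """Constructed log: t is seconds since the start of the capture."""
    lines = []
    # A person mistyping three times over 40 seconds, then getting in.
    for t in (0.0, 18.0, 40.0):
        lines.append(f"t={t} src=192.0.2.10 user=alice result=FAIL")
    lines.append("t=55.0 src=192.0.2.10 user=alice result=OK")
    # One source failing five times per second.
    for i in range(20):
        lines.append(f"t={10 + i * 0.2:.1f} src=198.51.100.9 user=bob result=FAIL")
    # Four sources, one slow failure each, all against the same account.
    for i in range(4):
        lines.append(f"t={100 + i * 30}.0 src=203.0.113.{i + 1} user=carol result=FAIL")
    return lines


def analyse(lines, max_failures=100, burst=5, min_sources=3):
    """Return (flagged sources, targeted accounts).

    volume: more than max_failures failures from one source.
    rate:   any `burst` consecutive failures from one source in under
            burst - 1 seconds, i.e. sustained faster than one per second.
    An account is 'targeted' when failures for it arrive from at least
    min_sources distinct sources.
    """
    by_source = defaultdict(list)
    by_user = defaultdict(set)
    for line in lines:
        fields = dict(item.split("=", 1) for item in line.split())
        if fields["result"] != "FAIL":
            continue
        by_source[fields["src"]].append(float(fields["t"]))
        by_user[fields["user"]].add(fields["src"])

    flagged = {}
    for src, times in by_source.items():
        times.sort()
        reasons = []
        if len(times) > max_failures:
            reasons.append("volume")
        windows = range(len(times) - burst + 1)
        if any(times[i + burst - 1] - times[i] < burst - 1 for i in windows):
            reasons.append("rate")
        if reasons:
            flagged[src] = reasons

    targeted = {
        user: sorted(sources)
        for user, sources in by_user.items()
        if len(sources) >= min_sources
    }
    return flagged, targeted


if __name__ == "__main__":
    flagged, targeted = analyse(sample_log())
    print("sources to throttle:", flagged)
    print("accounts hit from many sources:", targeted)
```

Per-source counters alone miss the last case, which is why the account-side view is computed separately.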
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl wrote:
> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.

The man page says they are modified to be more memorable, by some definition, and so are less than completely random.

...generates passwords which are designed to be easily memorized by humans, while being as secure as possible.

Human-memorable passwords are never going to be as secure as completely random passwords. ...

I suppose if someone knew I had used pwgen, and incorporated that pattern knowledge into their attack, that might be true. But to an ignorant attacker, these are effectively random passwords. Or more importantly, cryptographically secure passwords, since 'password' is a perfectly legitimate random 8 character string, but not a cryptographically secure 8 character string.

I'm glad to learn that pwgen uses /dev/urandom. That is probably the best solution on a linux system, especially if a hardware random number generator is feeding entropy into /dev/random, as excess entropy will be fed into /dev/urandom, enhancing its unpredictability.

> In case of any doubt, you can always do something like
>
> head /dev/random | tr -dc A-Za-z0-9 | head -c X
>
> where X is your password length. Tr also lets you tailor the
> characterset used.

Neat solution. I like all the predefined character classes for tr. And it lends itself nicely to a script.
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 11:33:00AM +0930, Tim wrote:
> Matthew Miller:
> > This seems... unnecessary.
> Though, I'd say it's accurate.

Maybe, but *entirely* unrelated to the situation here. So I don't see the value.

--
Matthew Miller
Fedora Project Leader
Re: Is default umask of 022 still reasonable for Fedora?
On Mon, 19 Jun 2017 07:55:59 +1000 Cameron Simpson wrote:
> As remarked elsewhere, it does depend on your environment.

Well, yes, but it just seems that the default should be to the most secure.

> I like 027 myself. Combined with setgid directories it leaves things
> readable by the group of the working area, but otherwise private.
> Then one just arranges group ownership. A workable default.

That seems reasonable, and would be better than the current default.

Thanks.
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/19/2017 03:14 AM, Blaz Kalan wrote:
> I added these two lines to 99user.ldif:
>
> ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079:
> object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI
> )
> AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079:
> Uniform Resource Identifier with optional label' EQUALITY caseExactMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> And looks fine.
>
> But for
> AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change
> sequence number of the entry content' EQUALITY CSNMatch ORDERING
> CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE
> NO-USER-MODIFICATION USAGE directoryOperation )
>
> I get an error:
> (Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID
> "1.3.6.1.4.1.4203.666.11.2.1"

Well, you can change the syntax to 1.3.6.1.4.1.1466.115.121.1.15, or remove entryCSN from the user ldif. entryCSN is only used by Openldap's replication protocol, it serves no purpose in 389 and can be removed if you want to.

Regards,
Mark

>
> BR,
> Blaz

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Re: Firefox
On Sun, 18 Jun 2017 20:28:28 -0600 Lawrence E Graves wrote:
> Not able to control the maximize control on my firefox web browser.
> If I unmaximize the browser and close it out. When I log back on, it
> automatically goes to maximize. Can anybody help with this matter?
> Am I reporting to the list?
>

This seems like it should be simple, but a search found that it is anything but. One recommendation was to install an addon:

The solution is to install Minimize On Start And Close Firefox Add-On.

Other solutions were only applicable when starting from a script using xdotool,

    #!/bin/bash
    #launch the program in the background, with all command-line options passed to it.
    firefox "$@" &
    #grab its process id.
    pidno=$!
    #wait for a second so that the window has time to fully register.
    sleep 1
    #use xdotool to make sure that window is raised to the top.
    #this is necessary because it won't directly accept xdotool keypresses otherwise.
    #matches both the pid and the class, to ensure we have the right window.
    xdotool search --all --pid "$pidno" --class firefox windowactivate
    #use xdotool again to simulate your hotkey combo. Adjust as necessary.
    xdotool key alt+F9
    exit 0

or configuring the window manager if it allowed it, like KDE.

In KDE KWin can do things like that. Bring Firefox window to the front, then hit Alt+F3 and on the menu select 'Advanced' > 'Special Window Settings'. At least here you could make it so that (certain) Firefox windows are initially minimized. And for the System Tray, you need to create/modify an application starter, where the option "Place in System Tray" is checked. In 'kmenuedit', for instance.

These were all pretty old, so I'm not sure they still work.
Re: Video editing disaster
Allegedly, on or about 26 May 2017, Wade Hampton sent:
> I am trying out multiple video editors on Fedora, with very poor
> results and a ton of crashes.

When I tried this, long ago, I came across the same thing. As well as; all the video formats you need are encumbered, and probably not even available for purchase, and a lot of transcoding was required (which is not only an awful lot of time wasting, but you lose quality doing that).

I gave up, and used Final Cut Pro on my friend's Mac.
Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Patrick O'Callaghan sent:
> I have a number of bank accounts in several countries (for perfectly
> legitimate reasons, I hasten to add) and in my experience each bank
> has its own rules which as often as not mitigate *against* good
> security practice, e.g. forcing you to change the password every 3
> months (which invites password1, password2, password3 ...) or having
> their own peculiar Javascript which blocks you from using a password
> manager. One of them even disallows cut-and-paste, which tempts the
> user to have a password simple enough to remember and type by hand.

Yes, I'm tired of hosts with special rules, and they often are the opposite of security. Such as your password has to be 6 to 8 characters long. My long passphrase is far more secure than a 6 to 8 character sequence, and far easier to type than mixed case and symbols. I wish these dunderheads would get it through their thick skulls that hard-to-type passwords do not equal hard-to-crack.

Long ago, I set a password on something, but must have mistyped it in, the first time around. It took me ages to try out all the possible typing errors that might have occurred. I loathe password entry boxes that don't let you see what you're typing in.

After one site gave me the runaround with their stupid rules, I set a passphrase that was my low opinion of the service. Later on, I had to say the password to one of their phone help people to resolve a problem.
Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Tom Horsley sent:
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

I can guess two reasons:

Some special characters might get interpreted by their software, rather than accepted as-is.

Some special characters can't be typed on all computers, or their users can't type them properly. e.g. How many times do you see the Brits mis-use the backtick as an apostrophe?
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 08:36:35AM -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
>
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
>
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).
>
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

possibly of brain-dead underlying systems that will accept only those characters.

-- Fred Smith -- fre...@fcshome.stoneham.ma.us -
Show me your ways, O LORD, teach me your paths;
Guide me in your truth and teach me, for you are God my Savior,
And my hope is in you all day long.
-- Psalm 25:4-5 (NIV)
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 12:55:28 +0100 Patrick O'Callaghan wrote:
> One
> of them even disallows cut-and-paste, which tempts the user to have a
> password simple enough to remember and type by hand.

One of the keepassx features is the ability to simulate typing to teach the annoying web designers who is boss :-).

The sites that crack me up are the ones which have rules like "you can only use letters and numbers" in your password. Why? That just means anyone trying to guess passwords has a much simpler job.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote:
> On 06/18/2017 08:21 PM, Tim wrote:
> > I completely agree, it's just as impossible to guess that a password is
> > "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> > remember and type. With the peculiar password rules, I have no choice
> > but to do the insecure and write down passwords somewhere (whether
> > that's on paper or on file). You're not supposed to write passwords
> > down anywhere.
>
> I may have mentioned this before, but I have a friend who uses (roughly)
> ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just
> as hard to guess as the type of gibberish that most security "experts"
> recommend, and a lot easier to remember.

The problem with many of these "rules" is that they don't apply universally. A password suitable for a banking site is one thing, and a password for your home Wifi network is another. Never write down the first one (use a password manager), but feel free to write down the second one and keep it in a drawer. And where possible, use your router to configure a guest network with a different password and more restricted access for those times when you have visitors.

I have a number of bank accounts in several countries (for perfectly legitimate reasons, I hasten to add) and in my experience each bank has its own rules which as often as not mitigate *against* good security practice, e.g. forcing you to change the password every 3 months (which invites password1, password2, password3 ...) or having their own peculiar Javascript which blocks you from using a password manager. One of them even disallows cut-and-paste, which tempts the user to have a password simple enough to remember and type by hand.

poc
Re: Video editing disaster
On 27/05/17 08:53, Wade Hampton wrote:
> I am trying out multiple video editors on Fedora, with very poor
> results and a ton of crashes.

There is also LightWorks (https://www.lwks.com). There's an RPM available for Fedora, although the software does require you to have a lightworks account but it's free.

-- Ian Chapman.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 06:03:08 -0400 Tom Horsley wrote:
> I use keepassx to not only generate, but also store passwords.

I was using the same, but now find (qt)pass more pleasant to use.

Sincerely,
Gour

-- As the ignorant perform their duties with attachment to results, the learned may similarly act, but without attachment, for the sake of leading people on the right path.
Re: gnome-password-generator replacement?
I use keepassx to not only generate, but also store passwords. It has lots of rules you can select about how to generate passwords, which is useful, because lots of web sites have idiotic requirements for passwords, and you can plug those idiot requirements into the password generator.
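Rule-driven generation of the kind described in this message, as an added example that is not keepassx code or anything posted in the thread: it builds the character set from a site's restrictions, draws from the operating system's CSPRNG, and reports how many bits each restriction leaves. The function names, the "picky site" rule and the chosen lengths are constructed for the example.

```python
import math
import secrets
import string

# Character classes; the names are this example's own.
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

def build_classes(allowed_symbols=None, exclude=""):
    """Apply a site's restrictions and return the surviving classes."""
    classes = dict(CLASSES)
    if allowed_symbols is not None:   # site accepts only these symbols ("" = none)
        classes["symbol"] = "".join(c for c in CLASSES["symbol"] if c in allowed_symbols)
    classes = {k: "".join(c for c in v if c not in exclude) for k, v in classes.items()}
    return {k: v for k, v in classes.items() if v}   # drop emptied classes

def generate(length, classes):
    """Draw uniformly with a CSPRNG; redraw until every class is represented."""
    if length < len(classes):
        raise ValueError("length is too short to contain every class")
    alphabet = "".join(classes.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in classes.values()):
            return pw

def entropy_bits(length, classes):
    """length * log2(alphabet size): an upper bound, since the
    every-class rule rejects a small share of candidates."""
    return length * math.log2(sum(len(v) for v in classes.values()))

def compare():
    """Policies of the kind mentioned in the thread, as (label, length, bits) rows."""
    alnum = build_classes(allowed_symbols="")            # "letters and numbers" only
    picky = build_classes(allowed_symbols="!@#", exclude="O0Il1")  # constructed rule
    full = build_classes()                               # all printable, no space
    rows = [("alnum, 8 chars", 8, alnum), ("picky site, 16 chars", 16, picky),
            ("all printable, 30 chars", 30, full)]
    return [(label, n, round(entropy_bits(n, cls), 1)) for label, n, cls in rows]

if __name__ == "__main__":
    for label, n, bits in compare():
        print(f"{label:26} {bits:6.1f} bits")
    print(generate(30, build_classes()))
```

Redrawing the whole password when a class is missing, rather than forcing one character of each class into fixed positions, keeps every compliant password equally likely.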
Re: gnome-password-generator replacement?
On 06/18/2017 08:21 PM, Tim wrote:
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> remember and type. With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file). You're not supposed to write passwords
> down anywhere.

I may have mentioned this before, but I have a friend who uses (roughly) ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just as hard to guess as the type of gibberish that most security "experts" recommend, and a lot easier to remember.
[389-users] Re: Migration from OpenLDAP to 389 DS
I added these two lines to 99user.ldif:

ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

And looks fine.

But for
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

I get an error:
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID "1.3.6.1.4.1.4203.666.11.2.1"

BR,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

yes I find all these attributes and class in openLDAP schema files, there is:

olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI
olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Br,
Blaz