Re: Root Forced to Comply With Password Complexity Requirements
This problem seems to have been identified as a bug. That answers my original question. But...

On Sunday, November 3, 2019 9:59:10 AM EST D. Hugh Redelmeier wrote:
> | From: Tim via users
>
> | Samuel Sieb:
> | >> 3 retries is the usual thing.
>
> | Ignoring your particular case, it may stop a bad keyboard, or a typist
> | who needs to type slower to accurately enter their password.
>
> It also makes brute-forcing a little harder. Not a lot.

Doesn't anyone read any more. I was *changing* a password -- not entering one to login. What possible purpose could be served by limiting my tries to get one conforming to the silly rules? Brute-force what? I am not logging in.

-- 
Garry T. Williams
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: Root Forced to Comply With Password Complexity Requirements
| From: Tim via users

| If any user should need the enforcement of good passwords, it's the
| root user. If your PC was on a LAN where crackers can have a go at
| you, this could be very important. It does not take long for someone
| to mess up a system if they can get in. It's better to be safe than
| sorry. To me the obvious thing is to simply pick a better password.
| e.g. Just make it two words long instead of one.

In my opinion, best practice is to not allow an SSH login to root. So the root password isn't directly relevant in the LAN (or wider internet) case.

For internet-exposed boxes, I don't let SSH use password authentication at all, for any user. Boy is there a lot of bogus SSH traffic that tries brute-forcing SSH.

I have physical security for most of my boxes (less so for wanderers like notebooks).
Re: Root Forced to Comply With Password Complexity Requirements
| From: Tim via users

| Samuel Sieb:
| >> 3 retries is the usual thing.

| Ignoring your particular case, it may stop a bad keyboard, or a typist
| who needs to type slower to accurately enter their password.

It also makes brute-forcing a little harder. Not a lot.
Re: Root Forced to Comply With Password Complexity Requirements
On 11/2/19 5:19 PM, jdow wrote:
> +1 - with the asininities being reported for Centos 8 and now Fedora it's probably time to look for me on some other distribution.

If this is the way you're going to react, then it probably is.

> If I want an all text no caps no punctuation no numbers password 102 characters long let me do it. *I* am the one who suffers not you dweebs. Doing it my way I have gone online since 1980 without any problems and on computers since 1962* without being hacked. I must be doing something right. If I arrange the computer so that it requires a minute between password trials how long would it take to guess "grimreap" and hack my system? How long do you think that source of hacking attempts would have enough access to get to a password prompt. THAT is security not stupid password rule enforcement which leads to forgotten passwords.

There was a bug that messed up the root user setting passwords that has apparently already been fixed (update on the way). If you don't like users having password quality rules, then disable that. It's up to you, nobody is forcing you to do anything.
Re: Root Forced to Comply With Password Complexity Requirements
+1 - with the asininities being reported for Centos 8 and now Fedora it's probably time to look for me on some other distribution.

If I want an all text no caps no punctuation no numbers password 102 characters long let me do it. *I* am the one who suffers not you dweebs. Doing it my way I have gone online since 1980 without any problems and on computers since 1962* without being hacked. I must be doing something right. If I arrange the computer so that it requires a minute between password trials how long would it take to guess "grimreap" and hack my system? How long do you think that source of hacking attempts would have enough access to get to a password prompt. THAT is security not stupid password rule enforcement which leads to forgotten passwords.

{^_^} Joanne

* At University of Michigan as a freshman taking the Michigan Arden Decoder class er 'scuse me - Michigan Algorithm Decoder.

On 20191102 08:05:28, Garry T. Williams wrote:
> On Saturday, November 2, 2019 5:56:53 AM EDT Tim via users wrote:
>> On Fri, 2019-11-01 at 12:38 -0400, Garry Williams wrote:
>>> The root user cannot set whatever password he wants on his machine?
>>> Since when?
>>>
>>> I wanted to assign a temporary password for a new user and then do
>>>
>>> sudo passwd -e ppatel
>>>
>>> to force it to be changed. For the new user, enforcing password
>>> complexity is, I guess, OK. But for root?
>>
>> If any user should need the enforcement of good passwords, it's the
>> root user. If your PC was on a LAN where crackers can have a go at
>> you, this could be very important. It does not take long for someone
>> to mess up a system if they can get in. It's better to be safe than
>> sorry. To me the obvious thing is to simply pick a better password.
>> e.g. Just make it two words long instead of one.
>
> I was setting a (temporary) password for another user -- not setting
> the root password.
>
> But I guess your comment helps me to understand why these changes
> happen. I cannot be trusted to operate my machine safely without
> someone else's help. I may harm myself, so I am not allowed to set a
> (temporary) password to whatever I want. I probably shouldn't be
> allowed to type the rm command without some sort of "are you sure?"
> warning either.
>
> Sigh.
Re: Root Forced to Comply With Password Complexity Requirements
Hi,

Garry Williams wrote:
> When did this start?
>
> garry@ifr$ sudo passwd ppatel
> Changing password for user ppatel.
> New password:
> BAD PASSWORD: The password is shorter than 8 characters
> New password:
> BAD PASSWORD: The password is shorter than 8 characters
> New password:
> BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
> passwd: Have exhausted maximum number of retries for service
> garry@ifr$

It appears to be a bug in libpwquality 1.4.1. A 1.4.2 package which fixes the unintentional regression is pending:

https://bodhi.fedoraproject.org/updates/FEDORA-2019-0031fdfac6
https://src.fedoraproject.org/rpms/libpwquality/c/8d95d17e

-- 
Todd
Re: Root Forced to Comply With Password Complexity Requirements
On Saturday, November 2, 2019 5:56:53 AM EDT Tim via users wrote:
> On Fri, 2019-11-01 at 12:38 -0400, Garry Williams wrote:
> > The root user cannot set whatever password he wants on his machine?
> > Since when?
> >
> > I wanted to assign a temporary password for a new user and then do
> >
> > sudo passwd -e ppatel
> >
> > to force it to be changed. For the new user, enforcing password
> > complexity is, I guess, OK. But for root?
>
> If any user should need the enforcement of good passwords, it's the
> root user. If your PC was on a LAN where crackers can have a go at
> you, this could be very important. It does not take long for someone
> to mess up a system if they can get in. It's better to be safe than
> sorry. To me the obvious thing is to simply pick a better password.
> e.g. Just make it two words long instead of one.

I was setting a (temporary) password for another user -- not setting the root password.

But I guess your comment helps me to understand why these changes happen. I cannot be trusted to operate my machine safely without someone else's help. I may harm myself, so I am not allowed to set a (temporary) password to whatever I want. I probably shouldn't be allowed to type the rm command without some sort of "are you sure?" warning either.

Sigh.

-- 
Garry T. Williams
Re: Root Forced to Comply With Password Complexity Requirements
On Fri, 2019-11-01 at 12:38 -0400, Garry Williams wrote:
> The root user cannot set whatever password he wants on his machine?
> Since when?
>
> I wanted to assign a temporary password for a new user and then do
>
> sudo passwd -e ppatel
>
> to force it to be changed. For the new user, enforcing password
> complexity is, I guess, OK. But for root?

If any user should need the enforcement of good passwords, it's the root user. If your PC was on a LAN where crackers can have a go at you, this could be very important. It does not take long for someone to mess up a system if they can get in. It's better to be safe than sorry. To me the obvious thing is to simply pick a better password. e.g. Just make it two words long instead of one.

-- 
uname -rsvp
Linux 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Re: Root Forced to Comply With Password Complexity Requirements
Samuel Sieb:
>> 3 retries is the usual thing.

Garry T. Williams:
> But for choosing a new password? Please. What on earth does that
> accomplish?

My guess is a simple failure count, with it not caring what kind of failure there was. If you've failed to type it in three times in a row, probably there's something that you need to fix, so that you don't end up with an unusable login.

Ignoring your particular case, it may stop a bad keyboard, or a typist who needs to type slower to accurately enter their password.

-- 
uname -rsvp
Linux 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Re: Root Forced to Comply With Password Complexity Requirements
On Friday, November 1, 2019 12:57:51 PM EDT Samuel Sieb wrote:
> On 11/1/19 9:38 AM, Garry Williams wrote:
> > When did this start?
> >
> > garry@ifr$ sudo passwd ppatel
> > Changing password for user ppatel.
>
> Have you changed your sudo settings? Why didn't it ask for your
> user password?

Because just before that I typed sudo useradd ... and gave the password.

> > The root user cannot set whatever password he wants on his
> > machine? Since when?
>
> You don't say what Fedora version you are running. This doesn't
> happen for me on F30. I get the warnings about short or otherwise
> bad passwords, but it lets it happen anyway.

Oops, sorry. Yes, upgraded a week or two ago to F31. And yes, I used to get warnings as well.

> > to force it to be changed. For the new user, enforcing password
> > complexity is, I guess, OK. But for root? And why bail after
> > three tries to get a compliant password? That seems capricious
> > (not to mention irritating) to me.
>
> 3 retries is the usual thing.

But for choosing a new password? Please. What on earth does that accomplish?

-- 
Garry T. Williams
Re: Root Forced to Comply With Password Complexity Requirements
On Fri, 1 Nov 2019 09:57:51 -0700 Samuel Sieb wrote:
> You don't say what Fedora version you are running. This doesn't happen
> for me on F30. I get the warnings about short or otherwise bad
> passwords, but it lets it happen anyway.

Same here, no restrictions on fedora 30 or 31 (just installed fedora 31 today).
Re: Root Forced to Comply With Password Complexity Requirements
On 11/1/19 9:38 AM, Garry Williams wrote:
> When did this start?
>
> garry@ifr$ sudo passwd ppatel
> Changing password for user ppatel.

Have you changed your sudo settings? Why didn't it ask for your user password?

> The root user cannot set whatever password he wants on his machine? Since when?

You don't say what Fedora version you are running. This doesn't happen for me on F30. I get the warnings about short or otherwise bad passwords, but it lets it happen anyway.

> to force it to be changed. For the new user, enforcing password complexity is, I guess, OK. But for root? And why bail after three tries to get a compliant password? That seems capricious (not to mention irritating) to me.

3 retries is the usual thing.

> Oct 31 16:59:26 ifr sudo[130692]: pam_unix(sudo:session): session opened for user root by garry(uid=0)
> Oct 31 16:59:26 ifr passwd[130694]: pam_pwquality(passwd:chauthtok): pam_parse: unknown or broken option; local_users_only
> Oct 31 16:59:26 ifr passwd[130694]: pam_pwquality(passwd:chauthtok): pam_parse: unknown or broken option; retry=3

There is something wrong with your authentication setup.
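
Added example, not part of the thread: one way to pull the "unknown or broken option" lines quoted above out of a journal and map each rejected option back to the PAM stack line that sets it. The log sample is constructed from the lines in the message; the PAM fragment, function names and regexes are assumptions, since the thread does not show the poster's actual PAM files.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the journal lines quoted in the message above.
SAMPLE_LOG = """\
Oct 31 16:59:26 ifr sudo[130692]: pam_unix(sudo:session): session opened for user root by garry(uid=0)
Oct 31 16:59:26 ifr passwd[130694]: pam_pwquality(passwd:chauthtok): pam_parse: unknown or broken option; local_users_only
Oct 31 16:59:26 ifr passwd[130694]: pam_pwquality(passwd:chauthtok): pam_parse: unknown or broken option; retry=3
"""
# Constructed PAM stack fragment (assumption: the real file is not on the page).
SAMPLE_PAM = """\
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""

ERR = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<phase>[^)]+)\): "
    r"pam_parse: unknown or broken option; (?P<option>\S+)"
)
# PAM line layout: type control module-path [arguments]; control may be "[...]".
PAM_LINE = re.compile(r"\s*-?\w+\s+(?:\[[^\]]*\]|\S+)\s+(?P<path>\S+)(?P<args>.*)")

def rejected_options(log_text):
    """Map (module, service, phase) -> options the module logged as unparseable."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = ERR.search(line)
        if m:
            key = (m["module"], m["service"], m["phase"])
            if m["option"] not in found[key]:
                found[key].append(m["option"])
    return dict(found)

def locate_in_stack(pam_text, module, options):
    """Return (line_no, option) pairs where `module` is given a rejected option."""
    hits = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and m["path"].rsplit("/", 1)[-1] == module + ".so":
            hits += [(no, arg) for arg in m["args"].split() if arg in options]
    return hits

if __name__ == "__main__":
    for (module, service, phase), opts in rejected_options(SAMPLE_LOG).items():
        print(f"{module} [{service}/{phase}] rejected: {', '.join(opts)}")
        for no, arg in locate_in_stack(SAMPLE_PAM, module, opts):
            print(f"  set on PAM stack line {no}: {arg}")
```
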