2017-11-28 21:59 GMT-02:00 Ian Sutton <i...@ce.gl>: > This is a highly theoretical and experimental mitigation which stops the > root password on newly upgraded/installed systems from being an empty > string. The thinking is that by not shipping an operating system with a > known root password, certain classes of attacks involving logging into > the root account might be avoided. I would like some feedback from the > cryptography team as well as NIST finalists in order to better ascertain > the implications of this behaviour. >
I could install a system with empty root password, but with a ssh key
