Re: Debian secure by default?
On Sat, May 17, 2008 at 06:42:57AM +0530, Raj Kiran Grandhi wrote:
> Rico Secada wrote:
> >Why is Debian not setup to be secure be default?
> >Not everyone is a security expert so imho the system should be fully
> >secured out-of-the-box.
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can be
> compromised remotely. Obviously, the ability to become root by tweaking
> the boot parameters from the grub screen does not count as a vulnerability.
> Raj Kiran Grandhi
One thing that I find rather hard to justify is that even on an Etch system
installed from scratch just a few weeks ago, /etc/pam.d/common-password has
password required pam_unix.so nullok obscure min=4 max=8 md5
so I can be confidently entering my 200 character uber password thinking
that it is hacker proof, when all the time debian is truncating it to
eight characters... :-/
Unless you require it for backward compatability (because you are importing
passwrds from an old (less secure) system) I don't see why you would want
to limit password length at all? (except, of course, to set a lower limit)
Something I always like to add to my systems when when I need to be able to ssh
from outside is an 'ssh' group (although debian has claimed that group name,
so I now use something less convenient) with sshd configured to allow
logins only to accounts in that group. That way I can limit the facility to
accounts which need it, and at least all of those thousands of daily login
attempts by script kiddies are to accounts which are bound to fail no matter
what password they try - even if I have forgotten to remove the upper limit
on password length...
A length restricted root password which can be entered from a remote ssh client
would be more of a concern to me than the occasional unnecessarily suided