Bug#195716: Fixing Bug Info
severity 195716 important
--
After watching my external access logs for a while, I saw numerous
attempts to log in to different accounts with password guessing. I try
to keep user passwords pretty secure, but there's always a chance of it
not being that way or being guessed anyway.
For the time being, I'll remove the ability to log in with only a
password, but that's not ideal either as I cannot control the strength
of the pass-phrase attached to an SSH key and if a user's home machine
were to be breached or his/her laptop stolen, then there is always
possible access this way.
The only way around this that I can see is to require users to use both
a public key (can be stored, forwarded, etc.) AND their login password
(which may be weak but is not stored).
Brian
( bcwhite@precidia.com )
-------------------------------------------------------------------------------
Treat someone as they are and they will remain that way. Treat someone
as they can be and they will become that way.