
On Wed, 11 Jul 2012, James Harper <james.harper@bendigoit.com.au> wrote:
> It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
I recently installed an Ubuntu 12.04 on my test network and it whinged about the password.
> So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
I think that most of them enable passwords by default.
> For my kids at home, I just used their name as a password (a 2 year old can easily learn to type their name (or a shortened version of), but probably not a password that anyone would consider secure), but I separated that machine from anything that could attack it. Someone without any network knowledge wouldn't be able to do that.
For such systems the best thing to do is use AllowUsers or one of the related options. Young kids don't need to ssh in to a system.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
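
Added example (not part of the original email or written by its author): a Python check of which local accounts an sshd_config leaves open to password logins, illustrating the AllowUsers suggestion above. The sample config and the account names `parent` and `kid` are constructed. It assumes only the global section matters (it stops at the first Match block), supports only bare user-name patterns with `*` and `?`, and ignores AllowGroups and DenyGroups.

```python
import re

# Constructed sshd_config for a family machine: only "parent" may ssh in.
SAMPLE_CONFIG = """\
# constructed sample, not from the original email
PasswordAuthentication yes
AllowUsers parent
"""

def parse_global(config_text):
    """Return {keyword: [args, ...]} for the global section (before any Match)."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":  # conditional blocks are out of scope
            break
        opts.setdefault(keyword.lower(), []).append(args)
    return opts

def _matches(pattern, user):
    """Match a bare user-name pattern; * and ? are the only wildcards."""
    if "@" in pattern or pattern.startswith("!"):
        raise ValueError(f"unsupported pattern: {pattern}")
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, user) is not None

def ssh_user_allowed(opts, user):
    """sshd checks DenyUsers first, then AllowUsers (groups are ignored here)."""
    deny = [p for args in opts.get("denyusers", []) for p in args]
    allow = [p for args in opts.get("allowusers", []) for p in args]
    if any(_matches(p, user) for p in deny):
        return False
    return not allow or any(_matches(p, user) for p in allow)

def password_auth_enabled(opts):
    """First value for a keyword wins; OpenSSH's default is 'yes'."""
    values = opts.get("passwordauthentication")
    return not values or not values[0] or values[0][0].lower() == "yes"

def password_exposed(config_text, users):
    """Accounts that can attempt a password login over ssh."""
    opts = parse_global(config_text)
    if not password_auth_enabled(opts):
        return []
    return [u for u in users if ssh_user_allowed(opts, u)]

if __name__ == "__main__":
    print(password_exposed(SAMPLE_CONFIG, ["parent", "kid"]))
```

An account missing from the returned list is rejected by sshd whatever its password is, so a weak password on it is not reachable over ssh.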