
James Harper wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
Last time I looked, in d-i Ubuntu checked password strength (but did not enforce it); Debian did not check it. I cannot comment on ubiquity. This is for the initial user. Once install has completed, it would depend on how you were adding accounts (e.g. adduser, or LDAP, or what?) and whether strength checking was enabled in e.g. /etc/pam*. I don't know offhand. As at lucid, RFC2307 accounts in slapd do not have password strength checking when setting passwords with exop. There is an option for it in the slapo_ppolicy overlay, but you must write your own C function to perform the check.
So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
I am repeatedly annoyed that "apt-get install openssh-server" results in a daemon binding to *:22 by default. IMO it should behave like all other daemons and either not run, or bind only to lo by default. Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
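An added example, not code from either poster, that audits the two things this exchange worries about: whether the PAM "password" stack (the one passwd(1) and adduser go through) loads a strength-checking module, and whether sshd would accept password logins on a wildcard address. The sshd checks rely on the documented rule from sshd_config(5) that the first value of a keyword wins; Match blocks are deliberately left out of the audit (assumption: only the unconditional case matters). The sample config files are constructed for the demo, not copied from a system, and install_sshd_locked_down() assumes a Debian/Ubuntu host where the package postinst starts the daemon via invoke-rc.d, which honours /usr/sbin/policy-rc.d; it needs root and is not run by the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Every check takes a file path so it
# can be run against the constructed samples written by write_samples().

# --- PAM --------------------------------------------------------------
# 0 if the stack loads pam_cracklib or pam_pwquality as required/requisite
# (i.e. a weak password is rejected, not merely warned about), 1 otherwise.
pam_has_strength_check() {
    grep -Eiq '^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_(cracklib|pwquality)\.so' "$1"
}

# --- sshd_config ------------------------------------------------------
# Normalised global section: "key value" pairs, keys lowercased, comments
# and blank lines dropped, "Key=value" accepted, stopping at the first
# "Match" line (directives after it are conditional and ignored here).
sshd_global_section() {
    awk '{ gsub(/=/, " ") }
         /^[ \t]*#/ || NF == 0 { next }
         tolower($1) == "match" { exit }
         { print tolower($1), $2 }' "$1"
}

# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Prints that value (lowercased) or the given built-in default if absent.
sshd_effective() {
    val=$(sshd_global_section "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }')
    printf '%s\n' "${val:-$3}"
}

# 0 if sshd would bind a wildcard address: no ListenAddress at all, or any
# ListenAddress of 0.0.0.0 / :: (optionally with a :port suffix).
sshd_binds_wildcard() {
    addrs=$(sshd_global_section "$1" | awk '$1 == "listenaddress" { print $2 }')
    [ -z "$addrs" ] && return 0
    printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|\[?::\]?)(:[0-9]+)?$'
}

# "EXPOSED" when password auth is effectively on AND sshd listens on a
# wildcard address (the default-config window described above), else "ok".
sshd_exposure() {
    pw=$(sshd_effective "$1" passwordauthentication yes)
    if [ "$pw" = yes ] && sshd_binds_wildcard "$1"; then echo EXPOSED; else echo ok; fi
}

# One way to close the install-time window (root only; not run by the demo):
# policy-rc.d exiting 101 makes invoke-rc.d in the postinst skip starting
# sshd, the hardening lines are PREPENDED so they win under first-value-wins,
# and the daemon is only started once "sshd -t" accepts the result.
install_sshd_locked_down() {
    printf '#!/bin/sh\nexit 101\n' > /usr/sbin/policy-rc.d
    chmod 755 /usr/sbin/policy-rc.d
    apt-get install -y openssh-server
    { printf 'ListenAddress 127.0.0.1\nPasswordAuthentication no\n'
      cat /etc/ssh/sshd_config; } > /etc/ssh/sshd_config.new
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    /usr/sbin/sshd -t && rm -f /usr/sbin/policy-rc.d && invoke-rc.d ssh start
}

# Constructed sample files (not real system files) in directory $1.
write_samples() {
    # Stock-style sshd_config: PasswordAuthentication only as a comment
    # (so the default "yes" applies) and no ListenAddress at all.
    printf '%s\n' '# Package generated configuration file' 'Port 22' \
        '#ListenAddress 0.0.0.0' '#PasswordAuthentication yes' 'UsePAM yes' \
        > "$1/sshd_config.stock"
    # Locked-down variant: loopback only, keys only; the stray later
    # "PasswordAuthentication yes" is ignored because the first value wins.
    printf '%s\n' 'ListenAddress 127.0.0.1' 'PasswordAuthentication no' \
        'PasswordAuthentication yes' 'Match Address 10.0.0.0/8' \
        '    PasswordAuthentication yes' > "$1/sshd_config.hard"
    printf '%s\n' 'password   requisite   pam_cracklib.so retry=3 minlen=12 difok=3' \
        'password   [success=1 default=ignore]   pam_unix.so obscure use_authtok sha512' \
        > "$1/common-password.strong"
    printf '%s\n' 'password   [success=1 default=ignore]   pam_unix.so obscure sha512' \
        > "$1/common-password.weak"
}

# Demo against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in sshd_config.stock sshd_config.hard; do
    echo "$f: $(sshd_exposure "$demo_dir/$f")"
done
for f in common-password.strong common-password.weak; do
    if pam_has_strength_check "$demo_dir/$f"; then echo "$f: strength check enforced"
    else echo "$f: no strength check"; fi
done
rm -rf "$demo_dir"
```

The audit deliberately treats an absent PasswordAuthentication as "yes" and an absent ListenAddress as wildcard, because those are sshd's built-in defaults; a config that only comments those lines out, as the stock package file does, is therefore reported as EXPOSED.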