[security-discuss] Password strength indicator (Was Re: [install-discuss] Comments on mockup...)
Dave Miner
Dave.Miner at Sun.COM
Wed Jul 19 07:15:46 PDT 2006
James Carlson wrote:
> Gary Winiger writes:
>> Hummm, does the installer now use PAM here? I don't recall.
>> It used to use a private implementation of "unix" crypt. I
>> believe it now at least uses crypt(3C). In terms of password
>> strength, it might be nice to have the installer ask about parameters
>> as well as algorithm, then sites could choose and not have to
>> configure post CD install. For jumpstart, it probably doesn't
>> matter.
>
> No more baffling three-headed-dog install questions, please. If we've
> got a best practice for algorithms (sha256?), then make that the
> default, and require the use of some sort of "expert mode" to allow
> bit-fiddling.
>
No worries, somebody would have to make a convincing case that there is
absolutely no way that we can set a reasonably secure password without
asking for algorithms and other parameters before they'd get into the
common interface. I don't consider that a likely outcome. Whether
there'll be an advanced interface for pieces like this is an unresolved
issue - the question is whether there's sufficient need beyond the
pre-configuration that's possible with something like sysidcfg(4) to
justify the effort.

To answer some of the earlier discussion in the thread, sysidtool (where
the root password setting is done) uses a basic crypt_gensalt()/crypt()
sequence at present. As we'll be replacing that implementation, we'll
have some discussion with the experts on whether there's a better solution.
Dave