[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] offers users MD5, SHA-256, or SHA-512

On Tue, 19 Feb 2008 17:28:29 -0500
Bill Nottingham <notting redhat com> wrote:

> David Cantrell (dcantrell redhat com) said: 
> > This feature was requested in the RHEL-5 product line, so it only makes
> > sense to have it in rawhide.  In rawhide, I've modified the root
> > password screens in the text and gtk interfaces to let the user select
> > the password algorithm.  The default is MD5.
> Why not default to whichever is deemed 'most secure', and have it only
> frobbable via kickstart for paranoid^Wpower users?

I thought about that, but it seems like a reasonable setting to have in the UI.  There may be instances where a Fedora users wants to stick with an algorithm other than our default for one reason or another (I have no idea, but there's got to be a reason...copying shadow files among distributions maybe or among different operating systems, using some service that can't--for whatever reason--deal with anything but, say, SHA-256).

Also, forcing one particular choice on users seems to go against the whole choice thing in Fedora.  I don't think it's wise to take any sides on security issues, especially saying, "we default to X because it's the most secure."

It is a battle of not wanting to expose too many choices vs. exposing the choices that make sense.

My thought was that if it's only in kickstart, that will annoy Fedora users.  They will want the UI method since almost all Fedora users are using the interactive installer.

In addition, we get some extra advertisement regarding F-9's secure-isms.  Encrypted file systems, more than MD5 for password encodings.  Since Linux distribution reviews are only based on the installer anyway, this could help the Fedora image?

David Cantrell <dcantrell redhat com>
Red Hat / Honolulu, HI

Attachment: pgpU8mYZL4ifC.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]