[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords

Alberto Bursi alberto.bursi at outlook.it
Fri Feb 17 03:35:49 PST 2017



On 02/17/2017 12:26 PM, John Crispin wrote:
>
>
> On 17/02/2017 12:16, Dan Lüdtke wrote:
>> Hi David,
>>
>> thanks for the fast response!
>>
>>> On 17 Feb 2017, at 11:54, David Lang <david at lang.hm> wrote:
>>> But deciding that you know better than the admin of the system is not.
>>
>> Not that I am a fan of telling admins what to do, but do you see any chance that we  can get an consistent and enforceable approach to *minimum* requirements, e.g. minimum password length? Maybe by using a configuration variable? Havon only the GUI enforce minimum password length and not the CLI is rather inconsistent (some may say useless or even confusing).
>>
>>>
>>> you don't have any idea what the security environment is for the system, or why the admin is selecting that password.
>>>
>>> It's not just a busybox thing to allow the root user to select a password that is shorter than 'recommended', that's normal behavior on *nix systems and has been for decades, even as the 'recommendations' have changed.
>>
>> I rather see this as a "LEDE" system not a standard *nix system, even though it is based on Linux and runs a Linux kernel. The question is, is this a more a "product" or just another Linux system?
>>
>> "has been for decades" is not a good argument. The others are. But that one is just not.
>>
>>
>> Cheers,
>>
>> Dan
>
> i agree with david lang, i regularly use "a" as a passwd on test units.
>
> 	John
>

I don't use a password in test units at all and there is no issue (shows 
the warning on login but not much else), so I think the "I need short 
passords for testing" is a weak argument here.

-Alberto



More information about the Lede-dev mailing list