15:00:30 <sgallagh> #startmeeting Server SIG Weekly Meeting (2015-03-24)
15:00:31 <zodbot> Meeting started Tue Mar 24 15:00:30 2015 UTC.  The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:31 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:31 <sgallagh> #chair sgallagh mizmo nirik stefw adamw simo tuanta mitr danofsatx
15:00:31 <zodbot> Current chairs: adamw danofsatx mitr mizmo nirik sgallagh simo stefw tuanta
15:00:31 <sgallagh> #topic roll call
15:00:38 <sgallagh> .hello sgallagh
15:00:39 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
15:00:41 <stefw> .hello stefw
15:00:41 <danofsatx> .hello dmossor
15:00:41 * nirik waves
15:00:42 <zodbot> stefw: stefw 'Stef Walter' <stefw@redhat.com>
15:00:45 <zodbot> danofsatx: dmossor 'Dan Mossor' <danofsatx@gmail.com>
15:01:18 <mizmo> .hello duffy
15:01:19 <zodbot> mizmo: duffy 'Máirín Duffy' <fedora@linuxgrrl.com>
15:01:28 <sgallagh> 'lo Mo
15:01:33 <mizmo> hi :)
15:01:57 <sgallagh> tuanta sent an email with his regrets
15:02:27 <adamw> .hello adamwill
15:02:28 <zodbot> adamw: adamwill 'Adam Williamson' <adamw+fedora@happyassassin.net>
15:02:42 * adamw came to air his regrets in person
15:02:45 <danofsatx> oh yeah, email
15:02:54 * danofsatx hurries up and fires up thunderbird
15:03:09 <junland> .hello junland
15:03:10 <zodbot> junland: junland 'John Unland' <opensourcejohn2112@gmail.com>
15:03:14 <sgallagh> OK, I need to leave about 10 minutes early today, so I'm going to try to keep this meeting fairly short.
15:03:18 <sgallagh> #topic Agenda
15:03:30 <sgallagh> #info Agenda Item: Anaconda Password Policy
15:03:43 <sgallagh> Other agenda items?
15:04:29 <danofsatx> I believe package sets are already settled, correct?
15:04:38 <sgallagh> danofsatx: What package sets?
15:04:49 <danofsatx> the default server package set
15:05:25 <sgallagh> That's an ongoing process, sure. I pushed the comps changes mentioned on the list
15:05:37 <sgallagh> ok, shall we start?
15:05:39 <danofsatx> yeah, I was going to say that...
15:05:43 <junland> Mhm
15:05:48 <sgallagh> #topic Anaconda Password Policy
15:06:04 <simo> .hello simo
15:06:05 <zodbot> simo: simo 'Simo Sorce' <ssorce@redhat.com>
15:06:06 <nirik> so I guess with this each product + base will set their own?
15:06:06 <sgallagh> #link https://bugzilla.redhat.com/show_bug.cgi?id=1191842#c14
15:06:20 <adamw> nirik: at least 'can'. i assume there's still a default.
15:06:24 <sgallagh> nirik: That's the way anaconda upstream chose to go about it, yes.
15:06:38 <nirik> right, ok.
15:06:56 <sgallagh> Right, the default matches the current behavior that FESCo asked be changed.
15:07:33 <simo> so the default still try to force the admin to set a "good" password ?
15:07:44 <sgallagh> My personal opinion is that I don't really care as long as the click-twice-to-override is turned back on.
15:07:57 * mizmo sighs
15:07:59 <sgallagh> Since that makes it stay in line with the kickstart behavior
15:08:12 <simo> anaconda rola should be advisory
15:08:23 <simo> I think double click on done is still a pile of BS
15:08:29 <mizmo> does anybody know the original impetus for the anaconda change
15:08:52 <mizmo> was there a security concern?
15:08:58 <sgallagh> mizmo: It was a response to chatter on the mailing list about disabling SSH password access by default
15:09:02 <simo> someone said: we have poor security, something needs to be done ... here this is something ... something has been done
15:09:03 <nirik> I think it was around ssh brute force attempts
15:09:12 <nirik> simo: ha. indeed.
15:09:32 <mizmo> sgallagh, nirik - so disabling ssh password access by default honestly makes sense to me, but what does that have to do w the password policy?
15:09:42 <sgallagh> mizmo: I should clarify my earlier statement. I'm mostly concerned that the interactive and noninteractive experience should not differ.
15:09:52 <sgallagh> Right now, kickstart doesn't restrict password selection at all
15:10:00 <sgallagh> Only the interactive installer does.
15:10:08 <mizmo> sgallagh, i dont think the two should necessarily be the same
15:10:10 <simo> sgallagh: and it shouldn't imo
15:10:10 <nirik> mizmo: if we disable that it breaks some install setups.
15:10:18 <sgallagh> mizmo: We can't disable password access for Server, because in 99.99% of cases, it's headless
15:10:24 <simo> though it is more than welcome to show a "password strength" graphic
15:10:40 <sgallagh> simo: Yes, I agree there.
15:10:47 <sgallagh> And it already does that, which is even better :)
15:10:49 <mizmo> what if there was a way to put in an ssh key instead
15:11:08 <simo> mizmo: I think people should stop trying to solve a problem that does not exist
15:11:09 <sgallagh> mizmo: You do realize that SSH keys are too long to type interactively, right?
15:11:09 <adamw> i think all we need to decide today is what password policy the server images should have
15:11:11 <nirik> there is in kickstart, but if you aren't using that...
15:11:22 <sgallagh> Sorry, that came out sounding far more snarky than intended.
15:11:28 <adamw> i don't think we need to be designing new anaconda features or railing against the inequities of the cold unfeeling universe
15:11:28 <mizmo> simo, i had a fedora system that was brute force hacked in my old apt
15:11:35 <simo> adamw: no password policy, let the admin decide
15:11:46 <adamw> simo: so '0' is fine?
15:12:01 <simo> mizmo: sorry, but that is not something that can or should be fixed in the installer
15:12:19 * adamw doesn't really care, but would like something as low-impact as possible
15:12:20 <mizmo> simo, i dont even understand how the password policy change in the installer relates :)
15:12:40 <adamw> i'm a bit worried about the support implications of every product/spin going out and coming up with its own policy for the hell of it
15:12:40 <sgallagh> mizmo: Password security is something that's best solved with user education rather than artificial hurdles.
15:12:41 * nirik hasn't even looked to see what we can adjust... just the libpwquality score?
15:12:47 <simo> adamw: if 0 means nothing is enforced, works for me
15:12:51 <mizmo> sorry im just trying to understand the actual problem before deciding how server should handle it
15:12:54 <sgallagh> nirik: Basically yes
15:12:56 <stefw> nirik, https://github.com/rhinstaller/anaconda/commit/8f24eeaedd7691b6ebe119592e5bc09c1c42e181
15:13:00 <adamw> simo: i meant you're OK with the literal password '0'
15:13:08 <simo> adamw: yes
15:13:19 <sgallagh> mizmo: Sure, that makes sense.
15:13:24 <mizmo> sgallagh, user education is a bad thing to rely on, mostly because users don't want to be educated, but also because it's putting a huge burden on users
15:13:30 * adamw would like us to talk to the other products and see if we can come with the most unified possible change
15:13:47 <simo> mizmo: the desktop spin does not expose ssh by default right ?
15:13:47 <sgallagh> In many cases, this is largely academic, since we expect that (outside of trying it out), most people will deploy Server with a kickstart anyway.
15:14:05 <mizmo> simo, i was hacked i think fedora 8 or fedora 9 time frame so it did back then i think
15:14:06 <nirik> adamw: +1
15:14:15 <stefw> simo, mizmo, it doesn't
15:14:16 <sgallagh> adamw: The change FESCo requested was to simply turn back on the click-twice-to-get-on-with-life option
15:14:18 <simo> sgallagh: I still install my VMs interactively, am I bad ? :)
15:14:20 <mizmo> simo, i didn't even know until afterwards you could turn passwords off and just use ssh
15:14:26 <stefw> mizmo, at least when installed from the livecd
15:14:54 <adamw> sgallagh: yeah, basically going back to the pre-f22 policy is fine for me, but i'd just like to make sure any other products that choose to change this make the same change as us, if possible
15:15:04 <simo> mizmo: the solution for desktop is to not expose ssh by default
15:15:11 <mizmo> so the actual concern was brute force attacks. the response was to force passwords to be more difficult.
15:15:13 <simo> for server it is like not exposing a UI at all
15:15:14 <sgallagh> mizmo: Fedora Workstation ships with a firewall configuration that blocks SSH
15:15:19 <mizmo> today, workstation does not deploy with sshd turned on by default
15:15:42 <mizmo> (ah but i once had someone break into my system because of... vinagre?? but another issue :) )
15:15:45 <simo> adamw: are you going to talk to other products ?
15:15:53 <adamw> simo: i can send out a mail, sure.
15:16:09 <simo> mizmo: the takeaway here is that you have poor security practices :)
15:16:13 <mizmo> is there anything beyond ssh that a poor password could affect security wise?
15:16:17 <sgallagh> #action adamw to email other products to try to unify the pwpolicy change
15:16:26 <stefw> mizmo, yes, cockpit
15:16:31 <simo> mizmo: anything that allows authentication
15:16:38 <simo> (with that password)
15:16:41 <sgallagh> simo: I think she means "out of the box"
15:16:51 <mizmo> do we care about potentially horrible passwords allowing cockpit to be accessed on a system?
15:16:52 <simo> the real solution here is to throttle/lock attempts
15:16:55 <mizmo> yes
15:16:59 <sgallagh> So that basically amounts to SSH and Cockpit remotely, and local physical terminals
15:17:02 <mizmo> throttling should be happening, is it?
15:17:10 <sgallagh> But in the latter case, that's a physical security problem and out of our hands
15:17:12 <mizmo> it wasn't back in f8/f9
15:17:12 <simo> but apparently that is too hard to implement by those that keep bringing up the weak password problem
15:17:15 <stefw> mizmo, only per connection
15:17:23 <adamw> i think someone mentioned we do rate-limiting on ssh by default now, but i don't know the details
15:17:27 <mizmo> my system logs had attempts from aol and comcast IPs spanning a week....
15:17:32 * mizmo <= bad sys admin, i know
15:17:45 <simo> adamw: we do rate-limiting how ?
15:17:56 <adamw> simo: i refer you to the part about me not knowing the details. :)
15:18:06 <simo> ok, it's news to me
15:18:09 <stefw> me too
15:18:10 <adamw> anyhow, what exactly are we discussing now? what positive action is it going to lead to?
15:18:10 <sgallagh> Yeah, news to me as well
15:18:17 <simo> we should use something in pam really
15:18:19 * adamw goes looking for the email he sorta-remembers
15:18:30 <simo> so it is enforced across all programs
15:18:37 <sgallagh> simo: Well, the other problem with rate-limiting is locking out legitimate users (like root)
15:18:46 <simo> but back to the issue at hand I propose we do *NOT* enforce a password policy
15:18:51 <sgallagh> Doing it in PAM can be problematic for that case
15:19:00 <simo> sgallagh: you wouldn't rate-limit the console
15:19:20 <sgallagh> simo: No, but that doesn't much help if your datacenter is in another locale
15:19:30 <mizmo> fedora infra has a set up where specific ips get banned if they have too many failed attempts
15:19:52 <sgallagh> mizmo: Yeah, intrusion detection is usually a function of add-on tools
15:19:56 <nirik> thats denyhosts, but it's...
15:19:58 <nirik> not great
15:20:28 <sgallagh> mizmo: There's an ongoing discussion about how to solve these problems in the long-term (hopefully F23)
15:20:44 <sgallagh> Today, with less than a week until Beta Freeze, we need to work with the solutions we have
15:20:54 <sgallagh> nirik: Can you paste the link?
15:20:59 <nirik> which one?
15:21:08 <nirik> denyhosts?
15:21:10 <sgallagh> The long-term security policy
15:21:15 <sgallagh> You started a wiki on it, IIRC
15:21:21 <danofsatx> what about including fail2ban by default?
15:21:24 <nirik> oh, that. Yeah, I have had 0 time to work on it.
15:21:36 <nirik> https://fedoraproject.org/wiki/User:Kevin/Draft_Passwordpolicy
15:21:40 <sgallagh> Thanks
15:21:46 <nirik> danofsatx: fail2ban is also horrible, imho.
15:21:48 <sgallagh> mizmo: Your input would be invaluable there :)
15:21:53 <danofsatx> really?
15:22:13 <nirik> when I last tried it out it took up all memory and crashed the vm I was testing in.
15:22:13 <danofsatx> well, in that case, I am starting my own little patch to firewalld, maybe I could roll this into it?
15:22:19 <nirik> perhaps it's better now, but it was also very complex
15:22:24 <sgallagh> adamw: I'm slightly concerned about waiting for responses from the other WGs given the limited time.
15:22:46 <nirik> IMHO, we just need defaults to be resistant to this kind of thing.
15:22:59 <adamw> sgallagh: beta doesn't freeze for a week.
15:23:11 <sgallagh> So as a stopgap proposal: Set pwpolicy requirement to 0 AND re-enable double-click feature.
15:23:31 <adamw> what was the previous policy?
15:23:44 <sgallagh> pwpolicy >= 50, no option to override
15:24:24 <sgallagh> mizmo: Before you ask, no: there is no way to present to a user sanely what will or won't meet that requirement.
15:24:32 <sgallagh> pwpolicy is... complex like that
15:24:52 <simo> nirik: why fail2ban is horrible? I've used it with very pleasing results in the past
15:25:19 <danofsatx> yeah, I have no issues with it currently (once I get it configured)
15:25:20 <masta> huh... would need a way for the pam.d specified policy to be queried
15:25:21 <nirik> see above. It crashed my test vm.
15:25:24 <sgallagh> Can we please shunt the long-term work to a separate discussion?
15:25:42 <nirik> right. is the double click to allow part of this setting?
15:25:45 <nirik> or is that separate?
15:26:13 <simo> sgallagh: if the policy is level 0 do we still need doubleclick ?
15:26:19 <sgallagh> nirik: There are basically two things we can fiddle with.
15:26:32 <sgallagh> simo: I think level 0 still requires a non-zero-length password.
15:26:34 <adamw> sgallagh: when I say 'previous', I mean F21.
15:26:48 <sgallagh> adamw: I'm not actually sure.
15:26:53 <adamw> sigh, i'll go looking.
15:27:12 <sgallagh> I think it may actually have just been length in F21, but I'm not certain
15:27:48 <nirik> sgallagh: score and ...
15:28:09 <sgallagh> nirik: score and whether double-click-to-accept-anyway is allowed
15:28:29 <nirik> and length
15:28:32 <simo> sgallagh: non zero length is probably fine
15:28:35 <nirik> minlen
15:28:49 <mizmo> whatever f20 did would be the same as your proposal sgallagh?
15:28:53 <nirik> and for root, user and luks
15:29:05 <sgallagh> mizmo: Roughly, yes.
15:29:36 <sgallagh> nirik: https://github.com/rhinstaller/anaconda/commit/8f24eeaedd7691b6ebe119592e5bc09c1c42e181 is better information
15:29:44 <nirik> yeah, thats what I am reading from.
15:29:45 <sgallagh> So we actually have more knobs to twiddle than I thought
15:30:28 <nirik> I guess for f22 I would be ok overriding the score to 0 for all.
15:30:34 <simo> sgallagh: dial them all to 11 and walk away
15:30:46 <sgallagh> heh
15:30:49 <nirik> luks is a bit more involved to change after install, but yeh
15:30:57 <junland> ha
15:31:50 <sgallagh> nirik: So do you want to formalize that as a proposal?
15:32:06 <mizmo> mizmo proposal: just do how it was in f20, nobody died
15:32:16 <nirik> as a side note I will say that the libpwquality maintainer doesn't think they should be using score at all... but thats back to long term I guess.
15:32:30 * adamw is drafting an email to the other SIGs, suggesting the pre-f22 behaviour, which I think is:
15:32:38 <adamw> --nostrict --minlen=6 --minquality=50 --nochanges --emptyok
15:32:49 <adamw> note that with --nostrict, --minquality defines the quality that requires the double click.
15:32:58 <mizmo> this github link is f21 or f20?
15:33:04 <sgallagh> mizmo: F22
15:33:05 <nirik> f22
15:33:12 <mizmo> cuz this github link says minlen 8 min quality 50 and isn't that causing drama?
15:33:20 <adamw> mizmo: because it has --strict.
15:33:23 <nirik> the --strict is.
15:33:29 <adamw> --strict vs. --nostrict is the difference between allowing the double click and not.
15:33:31 <mizmo> ohhh --strict is what determines if you get the double click option or not?
15:33:33 <mizmo> okay
15:33:34 <adamw> yes.
15:33:34 <mizmo> cool
15:33:43 * mizmo supports adam's proposal
15:33:58 <nirik> sure, +1 to that for now.
15:34:04 <sgallagh> +1 to adamw
15:34:18 <mizmo> i just feel like, if things got a step too strict, the response to completely make it wide open with 0 min length etc is kind of silly
15:34:26 <sgallagh> I understand simo's point as well, but I think it's probably okay to warn about the low-sec password on the interactive mode.
15:34:46 <mizmo> simo, is your point the double click is annoying?
15:34:46 <sgallagh> mizmo: At the same time, that's how it works if you set the password in kickstart.
15:35:08 <sgallagh> the double-click being annoying is, I think, kind of the point.
15:35:11 <mizmo> sgallagh, right but ks has a higher bar
15:35:16 <sgallagh> true
15:35:25 <mizmo> and companies that use KS write up policies for it
15:35:49 <mizmo> so even tho ks doesn't enforce it a company policy may enforce certain standards on ks
15:35:57 * mizmo has seen this with ks users in the field
15:36:01 <sgallagh> Sure
15:36:22 <sgallagh> So, any *opposition* to adamw's proposal?
15:36:26 <nirik> perhaps we can improve things down the road... ;)
15:36:35 <mizmo> rate limiting down the road!
15:36:43 <mizmo> so idiots like me dont get hacked by an aol botnet
15:36:48 <sgallagh> If not, we'll go with lazy consensus and figure out who is going to do the work.
15:36:58 * adamw sent out the email.
15:37:08 <mizmo> adamw, whats a bunfight? (do i want to know?)
15:37:14 <nirik> rate limiting, nuke the word 'password' everywhere, provide users some feedback on things, etc
15:37:17 <adamw> hey look, i spot a guy who knows how all this product-specific anaconda overriding works
15:37:21 <adamw> his name begins with 's'
15:37:38 <adamw> mizmo: more or less what it sounds like - what, the term's not universal? always figured it was
15:37:48 <sgallagh> mizmo: I'm going to choose to assume it refers to the Beefy Miracle :)
15:37:54 <mizmo> adamw, im imagining beefy miracle fighting with another hot dog for one bun
15:38:03 <mizmo> adamw, or people fighting with their butts over a bar stool???
15:38:09 <adamw> http://www.oxforddictionaries.com/definition/english/bunfight
15:38:11 <mizmo> or maybe cute bunnies fighting over a carrot
15:38:21 <mizmo> oh wow never heard of that
15:38:29 <adamw> though actually i like the urban dictionary's formulation in this case: http://www.urbandictionary.com/define.php?term=bun+fight
15:38:36 <adamw> it captures the fact that it's usually an overblown fight over a petty matter
15:38:42 * nirik hasn't either
15:39:10 <adamw> guess it's UK English, interesting
15:39:12 <sgallagh> #agreed The password policy will be "--nostrict --minlen=6 --minquality=50 --nochanges --emptyok" for root, user and luks
15:39:15 <simo> mizmo: the double click is not really discoverable
15:39:24 <adamw> apart from the info bar that tells you exactly what to do?
15:39:26 <simo> mizmo: the first time I encountered it it utterly confused me
15:39:42 <sgallagh> adamw: I was really trying to avoid adding to my plate, but if no one else is willing to do it...
15:40:02 * adamw on a strict not goddamn volunteering for anything diet
15:40:12 <mizmo> well thats an anaconda notification area noticeability bug that is on the ux radar
15:40:19 <sgallagh> /me needs to depart in five minutes
15:40:32 <danofsatx> I was in the Navy - Never Again Volunteer Yourself.
15:40:37 <adamw> how about we give it to simo since he cares the most? :P
15:40:44 <simo> :)
15:40:52 <sgallagh> danofsatx: Congratulations, I'm now assigning it to you since I know you can take orders :)
15:41:17 <danofsatx> notice "was"....there's a reason I'm no longer. that whole authority thing didn't sit well with me.
15:41:19 <simo> mizmo: yeah it may be a combination of bugs, once you know you "know", but otherwise it took me a lot to figure out (eventually I found the notification I think)
15:41:44 <sgallagh> Ah well. What harm can *one more straw* do?
15:42:03 <simo> said the man before the camel back broke
15:42:08 <sgallagh> #action sgallagh to update fedora-productimg-server with the agreed defaults.
15:42:26 * adamw still hasn't written the damn database test cases, so clearly shouldn't be taking any *more* tasks.
15:42:30 <sgallagh> simo: http://i.imgur.com/NPG7CxB.gif
15:42:57 <sgallagh> #topic Open Floor
15:43:00 <adamw> has anyone tested the database server role yet, without test cases
15:43:01 <adamw> ?
15:43:07 <simo> adamw: :(
15:43:10 <sgallagh> adamw: Besides me, I assume?
15:43:10 <adamw> we're only a week before beta freeze so, y'know, would be good to know it works
15:43:15 <adamw> sgallagh: yeah, no-one trusts you. :P
15:43:19 <sgallagh> Fair
15:43:29 <adamw> sgallagh: no, if you've actually tested it - as in sat down and done it from scratch in a clean env - that's good data
15:44:00 <sgallagh> Oh, that reminds me.
15:44:02 <adamw> and i promise the test cases are next on my todo list, now i more or less finished fiddling with wikitcms for the week...
15:44:09 <sgallagh> Can *someone* please review the patches on Review Board today?
15:44:26 <sgallagh> I want to get that built in Koji ASAP
15:44:40 <sgallagh> http://reviewboard-fedoraserver.rhcloud.com/dashboard/
15:44:53 <sgallagh> #info Help needed in reviewing rolekit database server patches
15:45:09 <adamw> if i can get to it after the test cases, I will
15:45:28 <sgallagh> Thanks adamw
15:45:43 <sgallagh> I'm not sure where twoerner and mitr are this week (they're usually the ones doing the reviews)
15:46:28 <sgallagh> If it gets to the end of the day tomorrow without a review, I'm just pushing them as-is and to Hell with the consequences...
15:46:33 <danofsatx> I forgot to pull that tab up after a few reboots of my workstation. I'll look at them also.
15:46:38 <sgallagh> Thanks
15:47:27 <sgallagh> #action adamw and danofsatx to review the database server patches at their convenience
15:48:00 <sgallagh> OK, if there's anything else for Open Floor, I'll ask someone else to take the chair. I have to drive to an appointment.
15:48:08 <sgallagh> Otherwise I'll close the meeting in 60s
15:49:08 * danofsatx notices nothing but a floor in desperate need of swabbing
15:49:17 * nirik has nothing
15:49:32 <sgallagh> #endmeeting