At Tue, 27 Oct 2009 04:58:09 -0400, Steven Bellovin <smb%cs.columbia.edu@localhost> wrote:
Subject: Re: ssh scans
> That depends on how bad your users are with password choices. Some of
> my students lost some VMs to attackers who got in via just this
> mechanism.
A _long_ time ago I submitted patches for NetBSD that incorporated a
"standard" password cracking tool proactively as countermeasures to
prevent users from choosing obviously poor passwords in the first
place.
Sadly the PR was closed after a very much inferior, incomplete, and
actually unused solution was added to NetBSD.
Even then it took 5 years for the PR to be addressed, and another 4
years later the resulting "solution" (if I dare call it such) is still
not yet properly documented or cross-referenced in all the relevant
places, nor is it even enabled in any way in passwd(1) or any other
password setting tool.
Meanwhile all too many sites still rely on passwords for authentication,
and sites running NetBSD continue to be hacked due to lack of using
commonly available cracking tools as countermeasures.
Until the ability to use passwords is ripped entirely out of the OS, we
obviously still need to use common password cracking techniques as
countermeasures to prevent users from choosing weak passwords. As I
asked in the title of my old PR, of what use are 128-byte passwords if
people can still choose easily guessable ones?
No, I'm not _really_ bitter -- I still use the code I wrote to integrate
cracklib, but I am sad that the poor attitudes of a few have prevented it
from directly benefitting many others who use NetBSD.
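The proactive check the message argues for, as an added example that is neither the author's cracklib integration nor NetBSD code: a small password-setting filter that applies the derivations a guessing tool would try (case folding, reversal, undoing common symbol substitutions, stripping trailing digits) before consulting a word list. The word list, the substitution table and the eight-character minimum are constructed assumptions for the example, not values from the thread.

```python
import re

# Constructed miniature word list standing in for the cracklib dictionary
# a real checker would consult (an assumption for this example).
WORDLIST = {"password", "netbsd", "secret", "letmein", "dragon", "qwerty"}

# Symbol substitutions a guessing tool undoes before the dictionary lookup
# (assumed table; a real tool applies many more rules).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})

MIN_LENGTH = 8  # assumed policy value


def candidates(password):
    """Forms a cracking tool would derive from a candidate password."""
    base = password.lower()
    forms = {base, base[::-1], base.translate(LEET)}
    # Drop leading/trailing digits and punctuation ("password1", "!secret!").
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", base)
    forms |= {stripped, stripped[::-1], stripped.translate(LEET)}
    return {f for f in forms if f}


def check_password(password, username=""):
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if len(set(password.lower())) <= 2:  # "aaaaaaaa", "abababab"
        reasons.append("too few distinct characters")
    forms = candidates(password)
    if forms & WORDLIST:
        reasons.append("based on a dictionary word")
    if username and username.lower() in forms:
        reasons.append("based on the user name")
    return reasons
```

A passwd(1)-style tool would call check_password() before hashing and refuse the change while the list is non-empty.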