Mark Ballard
2014-07-22 20:14:16 UTC
Hello
Two problems related to security and internationalisation have arisen
while attempting to install opensuse: one major, one merely
obstructive.
Both problems occur when setting the encryption password.
1.
The major problem concerns the keyboard layout.
The opensuse installer very helpfully asks which international
keyboard layout it should use during install. It does this before
asking for the user to set their passphrases. So the user gets to
formulate their password in their chosen international keyboard layout
- most likely the keyboard layout they are actually using: e.g. UK
keyboard layout.
But when install is complete, in my instance at least, the computer
goes to a command screen and says, before prompting for the just given
password to open the encrypted disk: "Note: only US keyboard layout is
supported".
The result is a failed install unless you happen to be in the US.
Perhaps the problem has not occured in other countries where language
differences have focused more attention on internationlisation?
It is nigh on impossible to enter your encryption password using a US
layout on a UK keyboard unless you use a password drawn from a limited
and therefore less secure set of characters; and only then if you
happen to know what characters are actually valid in both keyboard
layouts, and where they are.
I had a quick look. I'm not even sure it's actually possible to map
characters chosen from a UK keyboard layout into a US keymap and then
back onto a UK keyboard layout again without losing some. At least not
for a regular person who is simply trying to put their password in at
the prompt. Maybe not for anyone but Lou Gerstner himself.
if this problem cannot be corrected, it would at least save the people
time and frustration to tell them which characters are valid or not
when they create their password, and to remove the offer of a non-US
keyboard during install. I'm sure people would be happy not to choose
invalid characters if they were told what they were.
2.
The other problem is that the password itself recognises limited
punctuation characters in whatever character set. Characters it does
not recognise are recognised routinely by other password prompts. Some
other password prompts fail to recognise characters that the opensuse
password prompt does. Some password prompts have no limitations for a
given standard keyboard layout.
The result is that it becomes difficult to create a password system -
i.e. a method for choosing complex passwords for different situations
that can be remembered - because your system falls down as soon as you
come across a password screen that disallows certain characters your
system relies on.
This actually happens pretty regularly. And the rules about what is a
valid character or not seem always to be different. That doesn't make
it right. If only the base system could assure no limitations.
Hope this helps.
mb.
Two problems related to security and internationalisation have arisen
while attempting to install opensuse: one major, one merely
obstructive.
Both problems occur when setting the encryption password.
1.
The major problem concerns the keyboard layout.
The opensuse installer very helpfully asks which international
keyboard layout it should use during install. It does this before
asking for the user to set their passphrases. So the user gets to
formulate their password in their chosen international keyboard layout
- most likely the keyboard layout they are actually using: e.g. UK
keyboard layout.
But when install is complete, in my instance at least, the computer
goes to a command screen and says, before prompting for the just given
password to open the encrypted disk: "Note: only US keyboard layout is
supported".
The result is a failed install unless you happen to be in the US.
Perhaps the problem has not occured in other countries where language
differences have focused more attention on internationlisation?
It is nigh on impossible to enter your encryption password using a US
layout on a UK keyboard unless you use a password drawn from a limited
and therefore less secure set of characters; and only then if you
happen to know what characters are actually valid in both keyboard
layouts, and where they are.
I had a quick look. I'm not even sure it's actually possible to map
characters chosen from a UK keyboard layout into a US keymap and then
back onto a UK keyboard layout again without losing some. At least not
for a regular person who is simply trying to put their password in at
the prompt. Maybe not for anyone but Lou Gerstner himself.
if this problem cannot be corrected, it would at least save the people
time and frustration to tell them which characters are valid or not
when they create their password, and to remove the offer of a non-US
keyboard during install. I'm sure people would be happy not to choose
invalid characters if they were told what they were.
2.
The other problem is that the password itself recognises limited
punctuation characters in whatever character set. Characters it does
not recognise are recognised routinely by other password prompts. Some
other password prompts fail to recognise characters that the opensuse
password prompt does. Some password prompts have no limitations for a
given standard keyboard layout.
The result is that it becomes difficult to create a password system -
i.e. a method for choosing complex passwords for different situations
that can be remembered - because your system falls down as soon as you
come across a password screen that disallows certain characters your
system relies on.
This actually happens pretty regularly. And the rules about what is a
valid character or not seem always to be different. That doesn't make
it right. If only the base system could assure no limitations.
Hope this helps.
mb.
--
To unsubscribe, e-mail: opensuse-security+***@opensuse.org
To contact the owner, e-mail: opensuse-security+***@opensuse.org
To unsubscribe, e-mail: opensuse-security+***@opensuse.org
To contact the owner, e-mail: opensuse-security+***@opensuse.org