From: Carlo Zancanaro
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Mon, 23 Nov 2020 14:57:27 +1100
User-agent: mu4e 1.4.13; emacs 27.1
Hey Chris!
On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, precisely because of wanting to be secure by default.
Is this true? Debian defaults to passwords being allowed. I think it even allows root login by default. At least, I have always had to add "PermitRootLogin no" and "PasswordAuthentication no" whenever I install openssh-server on Debian.
I'm on board with what you're proposing, and I think Guix should default to the more secure option, but I'm not sure that an "average user" (whatever that means for Guix's demographic) would expect that password authentication is disabled by default.
Carlo