[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Christopher Lemmer Webber |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Mon, 23 Nov 2020 11:17:58 -0500 |
User-agent: |
mu4e 1.4.13; emacs 27.1 |
Carlo Zancanaro writes:
> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.
Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default. But I could be
wrong.
> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.
That's fair... I think that
"[ ] Password authentication? (insecure)"
would be sufficient as an option. How do others feel?