[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Maxim Cournoyer |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Sun, 29 Nov 2020 22:58:53 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hello,
Christopher Lemmer Webber <cwebber@dustycloud.org> writes:
> Carlo Zancanaro writes:
>
>> Hey Chris!
>>
>> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>>> ... Plus, few distributions do what we're doing anymore, precisely
>>> because of wanting to be secure by default.
>>
>> Is this true? Debian defaults to passwords being allowed. I think it
>> even allows root login by default. At least, I have always had to add
>> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
>> install openssh-server on debian.
>
> Perhaps I'm wrong... I had thought that the last time I installed a
> Debian server, password based access was off by default. But I could be
> wrong.
I just tried with a Debian Buster VM; password access is enabled out of
the box.
>> I'm on board with what you're proposing, and I think Guix should
>> default to the more secure option, but I'm not sure that an
>> "average user" (whatever that means for Guix's demographic) would
>> expect that password authentication is disabled by default.
>
> That's fair... I think that
> "[ ] Password authentication? (insecure)"
> would be sufficient as an option. How do others feel?
I'm +1 on disabling password access out of the box; especially since
Guix System makes it easy to authorize SSH keys at installation time.
We'd have to see if it breaks any of our system tests, but I doubt so.
Patch welcome!
Maxim