GNU bug report logs - #26695
openssh password-authentication? should be #f by default

Package: guix

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Fri, 28 Apr 2017 14:38:02 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Christopher Allan Webber <cwebber <at> dustycloud.org>
Subject: bug#26695: closed (Re: bug#26695: openssh password-authentication?
 should be #f by default)
Date: Tue, 29 Aug 2023 03:26:03 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#26695: openssh password-authentication? should be #f by default

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 26695 <at> debbugs.gnu.org.

-- 
26695: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26695
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Allan Webber <cwebber <at> dustycloud.org>,
 26695-done <at> debbugs.gnu.org
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Mon, 28 Aug 2023 23:24:46 -0400
Hi,

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix.  This is somewhat dangerous
>> because this is much easier to break in this way, and some users might
>> not assume the default is reasonably safe.  If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshd_config(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login are disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.

I agree with your assessment.  I think there's probably more hurt than
benefit in diverging from upstream's choice of defaults here.

I'm thus closing this old forgotten report.

-- 
Thanks,
Maxim

[Message part 3 (message/rfc822, inline)]
From: Christopher Allan Webber <cwebber <at> dustycloud.org>
To: bug-guix <at> gnu.org
Subject: openssh password-authentication? should be #f by default
Date: Fri, 28 Apr 2017 09:37:13 -0500
Our default permits password authentication for the openssh service (and
the others it seems) by default in Guix.  This is somewhat dangerous
because this is much easier to break in this way, and some users might
not assume the default is reasonably safe.  If users really want
password-authentication, they should turn it on explicitly.
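
For readers configuring their own system, the two positions in this thread look like this in a Guix system declaration. This is an added example, not code from the thread or from the Guix project; the user name "alice" and the key file "alice.pub" are assumptions.

```scheme
;; Added example: fragment of a Guix system declaration (config.scm).
;; "alice" and "alice.pub" are hypothetical placeholders.
(use-modules (gnu) (guix gexp))
(use-service-modules ssh)

;; Stock service, as discussed in the thread: password authentication
;; is permitted, remote root login and empty passwords are not.
(define %sshd-defaults
  (service openssh-service-type))

;; Key-only variant, the behaviour the report asked for as the default.
;; The two settings that already default to #f are spelled out so that
;; the intent survives any later change of defaults.
(define %sshd-keys-only
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #f)
            (permit-root-login #f)
            (allow-empty-passwords? #f)
            ;; With passwords off, a public key must be provisioned,
            ;; otherwise nobody can log in remotely.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub")))))))
```

Add one of the two definitions to the `services` field of the `operating-system` declaration and reconfigure the system.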



This bug report was last modified 1 year and 261 days ago.