GNU bug report logs - #26695
openssh password-authentication? should be #f by default

Previous Next

Full log

Message #34 received at 26695-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Allan Webber <cwebber <at> dustycloud.org>,
 26695-done <at> debbugs.gnu.org
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Mon, 28 Aug 2023 23:24:46 -0400

Hi,

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix.  This is somewhat dangerous
>> because this is a much easier to break in this way, and some users might
>> not assume the default is reasonably safe.  If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshdconfig(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login is disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.

I agree with your assessment.  I think there's probably more hurt than
benefit in diverging from upstream's choice of defaults here.

I'm thus closing this old forgotten report.

-- 
Thanks,
Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.