GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable


Package: guix;

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security



Message #14 received at 44808 <at> debbugs.gnu.org (full text, mbox):

From: Carlo Zancanaro <carlo <at> zancanaro.id.au>
To: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
Cc: 44808 <at> debbugs.gnu.org
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
Date: Mon, 23 Nov 2020 14:57:27 +1100

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.

Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on Debian.

I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.

Carlo
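
An added example, not part of the message above or of Guix: a small audit of an sshd_config text for the two directives quoted in the message, using sshd's rule that the first value seen for a keyword wins. The function name `audit_sshd_config`, the sample configuration, and the fallback to upstream OpenSSH defaults (distribution packages may ship different ones) are assumptions of this example.

```python
import re

# Values the message says are added by hand after installing openssh-server.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no"}
# Assumption: upstream OpenSSH defaults apply when a keyword is absent.
UPSTREAM_DEFAULTS = {"passwordauthentication": "yes",
                     "permitrootlogin": "prohibit-password"}

def audit_sshd_config(text):
    """Return (keyword, value, scope) for every setting that is not WANTED.

    scope is "global" for the effective top-level value and "match" for a
    value set inside a Match block. Include files are not followed.
    """
    first_seen, conditional, in_match = {}, [], False
    for raw in text.splitlines():
        # "Keyword value" or "Keyword=value"; comments and blanks do not match.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        value = m.group(2).strip().strip('"').lower()
        if key == "match":
            in_match = True  # everything after this line is conditional
        elif key in WANTED:
            if in_match:
                conditional.append((key, value))
            else:
                first_seen.setdefault(key, value)  # first occurrence wins
    findings = []
    for key, want in WANTED.items():
        got = first_seen.get(key, UPSTREAM_DEFAULTS[key])
        if got != want:
            findings.append((key, got, "global"))
    findings += [(k, v, "match") for k, v in conditional if v != WANTED[k]]
    return findings

# Constructed sample: a commented-out line, a duplicate keyword, a Match block.
SAMPLE = """\
#PasswordAuthentication yes
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, value, scope in audit_sshd_config(SAMPLE):
        print(f"{scope}: {key} is '{value}', wanted '{WANTED[key]}'")
```

On a live system, `sshd -T` prints the configuration the daemon actually resolves, including Include files, and is the authoritative check.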




This bug report was last modified 4 years and 122 days ago.
