GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable

Previous Next

Package: guix;

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security

Full log

View this message in rfc822 format

From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
To: Carlo Zancanaro <carlo <at> zancanaro.id.au>
Cc: 44808 <at> debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Mon, 23 Nov 2020 11:17:58 -0500

Carlo Zancanaro writes:

> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.

Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default.  But I could be
wrong.

> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an 
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.

That's fair... I think that
"[ ] Password authentication? (insecure)"
would be sufficient as an option.  How do others feel?
This bug report was last modified 4 years and 122 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.