GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable

Previous Next

Package: guix;

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, 44808 <at> debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Mon, 07 Dec 2020 12:51:54 +0100

Hi Chris,

Christopher Lemmer Webber <cwebber <at> dustycloud.org> skribis:

> Ludovic Courtès writes:

[...]

>> Agreed.  There are several ways to do that:
>>
>>   1. Have the installer emit an ‘openssh-configuration’ that explicitly
>>      disables password authentication.
>>
>>   2. Change the default value of the relevant field in
>>      <openssh-configuration>.
>>
>> #2 is more thorough but also more risky: people could find themselves
>> locked out of their server after reconfiguration, though this could be
>> mitigated by a news entry.
>>
>> Thoughts?
>>
>> Ludo’.
>
> We could also do a combination of the above, as a transitional plan:
> do #1 for now, but try to advertise that in the future, the default will
> be changing... please explicitly set password access to #t if you need
> this!  Then in the *following* release, change the default.
>
> This seems like a reasonable transition plan, kind of akin to a
> deprecation process?

Sounds like a plan.  I went ahead and pushed
aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138 which does this.

Thanks,
Ludo’.
This bug report was last modified 4 years and 122 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.