GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable


Package: guix;

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security



Message #64 received at 44808 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>, Christopher Lemmer Webber
 <cwebber <at> dustycloud.org>
Cc: maxim.cournoyer <at> gmail.com, 44808 <at> debbugs.gnu.org
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
Date: Mon, 07 Dec 2020 17:57:45 -0500
Hi,

"Dr. Arne Babenhauserheide" <arne_bab <at> web.de> writes:
> To nudge them to secure their system, guix system reconfigure could emit
> a warning that this is a potential security risk that requires setting
> an explicit value (password yes or no) to silence.

I think this is a good idea.  Likewise, in the Guix installer, I would
favor asking the user whether or not to enable password authentication,
after warning them that it is a security risk.

I agree with Chris that password authentication is a significant
security risk, but I also worry that if we simply disable it, it will
catch some users by surprise and they may be quite unhappy about it.

     Regards,
       Mark




This bug report was last modified 4 years and 122 days ago.
