GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable

Package: guix

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security


Message #70 received at 44808 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
To: Mark H Weaver <mhw <at> netris.org>
Cc: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>, maxim.cournoyer <at> gmail.com,
 44808 <at> debbugs.gnu.org
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
Date: Tue, 08 Dec 2020 08:48:34 -0500

Mark H Weaver writes:

> Hi,
>
> "Dr. Arne Babenhauserheide" <arne_bab <at> web.de> writes:
>> To nudge them to secure their system, guix system reconfigure could emit
>> a warning that this is a potential security risk that requires setting
>> an explicit value (password yes or no) to silence.
>
> I think this is a good idea.  Likewise, in the Guix installer, I would
> favor asking the user whether or not to enable password authentication,
> after warning them that it is a security risk.
>
> I agree with Chris that password authentication is a significant
> security risk, but I also worry that if we simply disable it, it will
> catch some users by surprise and they may be quite unhappy about it.
>
>      Regards,
>        Mark

It's clear that quite a few people are unhappy with switching the
default, fearing lockout.  I'm fine with making the above compromise
given all that, personally.




This bug report was last modified 4 years and 123 days ago.
