GNU bug report logs -
#44808
Default to allowing password authentication on leaves users vulnerable
Previous Next
Full log
View this message in rfc822 format
Hi Mark,
Mark H Weaver <mhw <at> netris.org> skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
[...]
>> What do you think of the approach in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>
> One problem, which I just discovered, is that it warns users even if
> they don't have an 'openssh-service' in their system configuration.
Could it be that you have a childhurd or some other service that uses
‘openssh-service-type’? What source code location is associated with
that warning?
>> The default is unchanged but the warning could be kept say until the
>> next release, at which point we’d change the default.
>>
>> Or are you suggesting keeping the default unchanged?
>
> I don't feel strongly about what the default setting should be, as long
> as we ensure that users are somehow made aware of the change before it
> happens, and are given the opportunity (and preferably easy instructions
> on how) to keep password authentication enabled if they wish.
>
> I also think that the installer should explicitly ask the user what the
> setting should be, so that we do not catch new users off guard who
> expected to be able to ssh in to their newly-installed systems using
> only a password.
Yeah, we can do that; it’s a bit of extra complexity in the installer,
but perhaps that’ll be useful to configure other services as well.
> If the plan is to change the default setting and issue warnings in the
> meantime, it should be easy to silence those warnings, especially for
> those of us who don't even use openssh-service :)
Agreed. :-) Normally, if you explicitly set the field, the warning
disappears.
Thanks,
Ludo’.
This bug report was last modified 4 years and 122 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.