GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable


Package: guix

Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Date: Sun, 22 Nov 2020 23:22:01 UTC

Severity: normal

Tags: security


From: Ludovic Courtès <ludo <at> gnu.org>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Christopher Lemmer Webber <cwebber <at> dustycloud.org>, "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>, maxim.cournoyer <at> gmail.com, 44808 <at> debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Fri, 11 Dec 2020 19:10:02 +0100

Hi,

Mark H Weaver <mhw <at> netris.org> wrote:

> gnu/services/ssh.scm:570:31, here:
>
>   https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570
>
> Here's what I see when I build a system:
>
> mhw <at> jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
> gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'
> field of 'openssh-configuration' will change from #true to #false in the
> future.  Explicitly set it to #true to allow password authentication.
> /gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system

I ended up reverting it in d8051557aee9fa252b015ff67cc15681e8540777
because it affects everyone, I couldn’t think of an easy way to address
that while still getting the warning when we want it, and it seems we
may have to discuss the issue a bit more (apologies for assuming we had
reached a consensus!).

Thanks,
Ludo’.




This bug report was last modified 4 years and 122 days ago.
