GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable


Message #14 received at 44808@debbugs.gnu.org (full text, mbox, reply):

From: Carlo Zancanaro <carlo@zancanaro.id.au>
To: Christopher Lemmer Webber <cwebber@dustycloud.org>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <878sat3rnn.fsf@dustycloud.org>
Date: Mon, 23 Nov 2020 14:57:27 +1100
Cc: 44808@debbugs.gnu.org

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.

Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on Debian.

I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.

Carlo



