#44808 - Default to allowing password authentication on leaves users vulnerable

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Message #23 received at 44808@debbugs.gnu.org (full text, mbox, reply):

Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 16:18:53 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Nov 23 11:18:53 2020
Received: from localhost ([127.0.0.1]:50841 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1khEYH-0005Gt-5n
	for submit@debbugs.gnu.org; Mon, 23 Nov 2020 11:18:53 -0500
Received: from dustycloud.org ([50.116.34.160]:58008)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@dustycloud.org>) id 1khEYF-0005Gl-LY
 for 44808@debbugs.gnu.org; Mon, 23 Nov 2020 11:18:51 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 4E8E2266EC;
 Mon, 23 Nov 2020 11:18:27 -0500 (EST)
References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@dustycloud.org>
To: Carlo Zancanaro <carlo@zancanaro.id.au>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <874klgybbs.fsf@zancanaro.id.au>
Date: Mon, 23 Nov 2020 11:17:58 -0500
Message-ID: <87im9w2gjt.fsf@dustycloud.org>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: 44808@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Carlo Zancanaro writes:

> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.

Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default.  But I could be
wrong.

> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an 
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.

That's fair... I think that
"[ ] Password authentication? (insecure)"
would be sufficient as an option.  How do others feel?

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:44:21 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#44808 Default to allowing password authentication on leaves users vulnerable