[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#26695: openssh password-authentication? should be #f by default
From: |
Maxim Cournoyer |
Subject: |
bug#26695: openssh password-authentication? should be #f by default |
Date: |
Mon, 28 Aug 2023 23:24:46 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi,
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix. This is somewhat dangerous
>> because this is a much easier to break in this way, and some users might
>> not assume the default is reasonably safe. If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshdconfig(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login is disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.
I agree with your assessment. I think there's probably more hurt than
benefit in diverging from upstream's choice of defaults here.
I'm thus closing this old forgotten report.
--
Thanks,
Maxim
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#26695: openssh password-authentication? should be #f by default,
Maxim Cournoyer <=