[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Christopher Lemmer Webber |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Sat, 05 Dec 2020 13:22:23 -0500 |
User-agent: |
mu4e 1.4.13; emacs 27.1 |
Ludovic Courtès writes:
> Hi!
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>>>> I'm on board with what you're proposing, and I think Guix should
>>>> default to the more secure option, but I'm not sure that an
>>>> "average user" (whatever that means for Guix's demographic) would
>>>> expect that password authentication is disabled by default.
>>>
>>> That's fair... I think that
>>> "[ ] Password authentication? (insecure)"
>>> would be sufficient as an option. How do others feel?
>>
>> I'm +1 on disabling password access out of the box; especially since
>> Guix System makes it easy to authorize SSH keys at installation time.
>> We'd have to see if it breaks any of our system tests, but I doubt so.
>
> Agreed. There are several ways to do that:
>
> 1. Have the installer emit an ‘openssh-configuration’ that explicitly
> disables password authentication.
>
> 2. Change the default value of the relevant field in
> <openssh-configuration>.
>
> #2 is more thorough but also more risky: people could find themselves
> locked out of their server after reconfiguration, though this could be
> mitigated by a news entry.
>
> Thoughts?
>
> Ludo’.
We could also do a combination of the above, as a transitional plan:
do #1 for now, but try to advertise that in the future, the default will
be changing... please explicitly set password access to #t if you need
this! Then in the *following* release, change the default.
This seems like a reasonable transition plan, kind of akin to a
deprecation process?
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/05
- bug#44808: Default to allowing password authentication on leaves users vulnerable,
Christopher Lemmer Webber <=
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/11