[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Leo Famulari |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Mon, 7 Dec 2020 14:40:15 -0500 |
On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
> > 2. Change the default value of the relevant field in
> > <openssh-configuration>.
> >
> > #2 is more thorough but also more risky: people could find themselves
> > locked out of their server after reconfiguration, though this could be
> > mitigated by a news entry.
I do think we should avoid changing the default. I know that passphrases
are inherently riskier than keys — compromise is more likely than with a
key, but I think it's even more likely that people will lose access to
their servers if we change this default.
How bad is the risk, from a practical perspective? How many times per
second can a remote attacker attempt passphrase authentication? If the
number is high, we could petition OpenSSH to introduce a delay.
- bug#44808: Default to allowing password authentication on leaves users vulnerable, (continued)
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/11
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/08
bug#44808: Default to allowing password authentication on leaves users vulnerable,
Leo Famulari <=