bug-guix

bug#44808: Default to allowing password authentication on leaves users v


From: Leo Famulari
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Thu, 11 Feb 2021 15:36:17 -0500

On Thu, Feb 11, 2021 at 07:46:51AM +0000, raid5atemyhomework via Bug reports 
for GNU Guix wrote:
> Hi guix users,
> 
> It strikes me that a better course of action here would be, rather than 
> providing a warning that might not be noticed by the user, to remove the 
> default and force people to explicitly put `password-authentication? #t` or 
> `password-authentication? #f`.

I like this idea.

> 
> That way if I have set up a headless server (possibly having a temporary 
> keyboard/mouse/monitor during initial install, then forever logging in 
> afterwards over intranet using my super secret password 
> "raid5isnotagooddog"), with an existing `configuration.scm` that does not 
> explicitly give the setting, I cannot accidentally lose access to my headless 
> server by doing a random `guix pull && sudo guix system reconfigure 
> configuration.scm` without noticing the warning.
> 
> Especially since there exists an `unattended-upgrades-service-type` which 
> automates this `guix pull && sudo guix system reconfigure configuration.scm`, 
> which makes changing this default ***VERY DANGEROUS*** in this use-case.  I'd 
> rather I noticeably error out in this case.

I agree, changing the default will cause problems, and I'm not convinced
it's a serious problem that warrants changing anyways.




