[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Ludovic Courtès |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Thu, 10 Dec 2020 09:17:19 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hi Mark,
Mark H Weaver <mhw@netris.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> What do you think of the approach in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>
> One problem, which I just discovered, is that it warns users even if
> they don't have an 'openssh-service' in their system configuration.
Could it be that you have a childhurd or some other service that uses
‘openssh-service-type’? What source code location is associated with
that warning?
>> The default is unchanged but the warning could be kept say until the
>> next release, at which point we’d change the default.
>>
>> Or are you suggesting keeping the default unchanged?
>
> I don't feel strongly about what the default setting should be, as long
> as we ensure that users are somehow made aware of the change before it
> happens, and are given the opportunity (and preferably easy instructions
> on how) to keep password authentication enabled if they wish.
>
> I also think that the installer should explicitly ask the user what the
> setting should be, so that we do not catch new users off guard who
> expected to be able to ssh in to their newly-installed systems using
> only a password.
Yeah, we can do that; it’s a bit of extra complexity in the installer,
but perhaps that’ll be useful to configure other services as well.
> If the plan is to change the default setting and issue warnings in the
> meantime, it should be easy to silence those warnings, especially for
> those of us who don't even use openssh-service :)
Agreed. :-) Normally, if you explicitly set the field, the warning
disappears.
Thanks,
Ludo’.
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/05
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/05
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable,
Ludovic Courtès <=
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/11
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/08
bug#44808: Default to allowing password authentication on leaves users vulnerable, Leo Famulari, 2020/12/07