From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id +y0DBFUzu1//eQAA0tVLHw
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 23 Nov 2020 03:58:13 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id OEbsOlQzu18TFwAAB5/wlQ
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 23 Nov 2020 03:58:12 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 64AAD9403EB
	for <larch@yhetil.org>; Mon, 23 Nov 2020 03:58:12 +0000 (UTC)
Received: from localhost ([::1]:48138 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1kh2zS-0003Fd-SO
	for larch@yhetil.org; Sun, 22 Nov 2020 22:58:10 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:53870)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kh2zK-0003DP-Jr
 for bug-guix@gnu.org; Sun, 22 Nov 2020 22:58:02 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:37158)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kh2zK-0007hg-CL
 for bug-guix@gnu.org; Sun, 22 Nov 2020 22:58:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1kh2zK-0004vY-AD
 for bug-guix@gnu.org; Sun, 22 Nov 2020 22:58:02 -0500
X-Loop: help-debbugs@gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves
 users vulnerable
Resent-From: Carlo Zancanaro <carlo@zancanaro.id.au>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Mon, 23 Nov 2020 03:58:02 +0000
Resent-Message-ID: <handler.44808.B44808.160610385218904@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 44808
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Christopher Lemmer Webber <cwebber@dustycloud.org>
Received: via spool by 44808-submit@debbugs.gnu.org id=B44808.160610385218904
 (code B ref 44808); Mon, 23 Nov 2020 03:58:02 +0000
Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 03:57:32 +0000
Received: from localhost ([127.0.0.1]:48704 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1kh2yq-0004uq-4Y
 for submit@debbugs.gnu.org; Sun, 22 Nov 2020 22:57:32 -0500
Received: from zancanaro.com.au ([45.76.117.151]:42246)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <carlo@zancanaro.id.au>) id 1kh2yo-0004ue-I6
 for 44808@debbugs.gnu.org; Sun, 22 Nov 2020 22:57:31 -0500
Received: by zancanaro.com.au (Postfix, from userid 116)
 id 6DE5632A5E; Mon, 23 Nov 2020 03:57:28 +0000 (UTC)
Received: from jolteon (ec2-13-55-194-30.ap-southeast-2.compute.amazonaws.com
 [13.55.194.30])
 by zancanaro.com.au (Postfix) with ESMTPSA id 0200932A45;
 Mon, 23 Nov 2020 03:57:27 +0000 (UTC)
References: <878sat3rnn.fsf@dustycloud.org>
User-agent: mu4e 1.4.13; emacs 27.1
From: Carlo Zancanaro <carlo@zancanaro.id.au>
In-reply-to: <878sat3rnn.fsf@dustycloud.org>
Date: Mon, 23 Nov 2020 14:57:27 +1100
Message-ID: <874klgybbs.fsf@zancanaro.id.au>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-Spam-Score: -1.0 (-)
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Cc: 44808@debbugs.gnu.org
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
X-Scanner: ns3122888.ip-94-23-21.eu
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Spam-Score: -1.01
X-TUID: 3Qkic00JHjU0

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.

Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on debian.

I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.

Carlo