From: "Ludovic Courtès" <ludo@gnu.org>
To: Mark H Weaver <mhw@netris.org>
Cc: maxim.cournoyer@gmail.com, 44808@debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Thu, 10 Dec 2020 09:17:19 +0100 [thread overview]
Message-ID: <87o8j29isw.fsf@gnu.org> (raw)
In-Reply-To: <87lfe7ydc0.fsf@netris.org> (Mark H. Weaver's message of "Tue, 08 Dec 2020 20:31:16 -0500")
Hi Mark,
Mark H Weaver <mhw@netris.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> What do you think of the approach in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>
> One problem, which I just discovered, is that it warns users even if
> they don't have an 'openssh-service' in their system configuration.
Could it be that you have a childhurd or some other service that uses
‘openssh-service-type’? What source code location is associated with
that warning?
>> The default is unchanged but the warning could be kept say until the
>> next release, at which point we’d change the default.
>>
>> Or are you suggesting keeping the default unchanged?
>
> I don't feel strongly about what the default setting should be, as long
> as we ensure that users are somehow made aware of the change before it
> happens, and are given the opportunity (and preferably easy instructions
> on how) to keep password authentication enabled if they wish.
>
> I also think that the installer should explicitly ask the user what the
> setting should be, so that we do not catch new users off guard who
> expected to be able to ssh in to their newly-installed systems using
> only a password.
Yeah, we can do that; it’s a bit of extra complexity in the installer,
but perhaps that’ll be useful to configure other services as well.
> If the plan is to change the default setting and issue warnings in the
> meantime, it should be easy to silence those warnings, especially for
> those of us who don't even use openssh-service :)
Agreed. :-) Normally, if you explicitly set the field, the warning
disappears.
Thanks,
Ludo’.
next prev parent reply other threads:[~2020-12-10 8:18 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-22 23:20 bug#44808: Default to allowing password authentication on leaves users vulnerable Christopher Lemmer Webber
2020-11-23 2:32 ` Taylan Kammer
2020-11-23 3:46 ` raingloom
2020-11-23 16:15 ` Christopher Lemmer Webber
2020-11-23 3:57 ` Carlo Zancanaro
2020-11-23 16:17 ` Christopher Lemmer Webber
2020-11-30 3:58 ` Maxim Cournoyer
2020-12-05 15:14 ` Ludovic Courtès
2020-12-05 18:22 ` Christopher Lemmer Webber
2020-12-07 11:51 ` Ludovic Courtès
2020-12-07 12:56 ` Dr. Arne Babenhauserheide
2020-12-07 16:48 ` Christopher Lemmer Webber
2020-12-07 19:53 ` Dr. Arne Babenhauserheide
2020-12-07 22:57 ` Mark H Weaver
2020-12-08 10:36 ` Ludovic Courtès
2020-12-09 1:31 ` Mark H Weaver
2020-12-10 8:17 ` Ludovic Courtès [this message]
2020-12-11 1:43 ` Mark H Weaver
2020-12-11 18:10 ` Ludovic Courtès
2020-12-08 13:48 ` Christopher Lemmer Webber
2020-12-07 19:40 ` Leo Famulari
2020-12-07 21:38 ` Christopher Lemmer Webber
2021-02-11 7:46 ` raid5atemyhomework via Bug reports for GNU Guix
2021-02-11 20:36 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o8j29isw.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=44808@debbugs.gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).