Carlo Zancanaro writes:

> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.

Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default. But I could
be wrong.

> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.

That's fair... I think that "[ ] Password authentication? (insecure)"
would be sufficient as an option. How do others feel?
