Hi,

Leo Famulari <[email protected]> writes:

> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix. This is somewhat dangerous
>> because this is much easier to break in this way, and some users might
>> not assume the default is reasonably safe. If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshd_config(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login is disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.

I agree with your assessment. I think there's probably more hurt than benefit in diverging from upstream's choice of defaults here.

I'm thus closing this old forgotten report.

--
Thanks,
Maxim
