
Re: openssh-server's default config is dangerous



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 12, 2016 at 03:05:35PM +0300, Reco wrote:
> 	Hi.
> 
> On Tue, Jul 12, 2016 at 11:26:10AM +0200, mwnx wrote:
> > Currently, after installing openssh-server, anyone can gain access
> > to any user's account on the system using only the corresponding
> > user's password. As we know, people do not necessarily use the most
> > secure of passwords. This will especially be the case if the user
> > does not expect his computer to be accessible in any way from the
> > outside.
> 
> So, you're blaming a perfectly good (and reasonably secure) way of
> remote access, but somehow assume that weak passwords are ok.
> By that logic you should not stop there. Why not blame any remote access
> mechanism that uses PAM for password checking as well?

I still think the OP has a point. I don't know how a solution might look
which makes sense (a default config with password disabled seems a bit
strong, TBH), but IMHO it's worth thinking about the problem instead
of dismissing it off-hand.

That weak passwords are a problem in themselves or that other services
get started right away after install too is irrelevant to the point
made -- again IMHO.

regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAleE4JYACgkQBcgs9XrR2kaTLQCfWSYLS3FE7Q/oZW3tCwYvAQ9E
+MsAmQEDTqNlkQ2LWVvAb49ZCHM1rUdU
=F3W6
-----END PGP SIGNATURE-----
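The thread's point is that the stock sshd_config ships with PasswordAuthentication left at its compiled-in default, which is "yes", so an absent or commented-out directive still accepts password logins. The script below is an added example, not code from the thread or from the openssh-server package: it evaluates a config text the way sshd does (first uncommented occurrence of a keyword wins, compiled-in default otherwise) and reports whether a password alone could still log in. The two config snippets are constructed for the example; only the keywords and their OpenSSH defaults are real.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Audits an sshd_config
# text for the password-login defaults discussed above. OpenSSH's compiled-in
# default for PasswordAuthentication is "yes", so leaving the line commented
# out (as the packaged config does) keeps password logins enabled. sshd honours
# only the first uncommented occurrence of each keyword.

# Constructed sample resembling a packaged default: the directive is commented out.
DEFAULT_CONFIG='# Package generated configuration file
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample of a hardened config: keys only.
HARDENED_CONFIG='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes'

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# Prints the lowercase value of the first uncommented KEYWORD line,
# or DEFAULT when the keyword never appears (sshd's compiled-in default).
effective_value() {
    _val=$(printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comments
        tolower($1) == tolower(key) { print tolower($2); exit }')
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$3"
    fi
}

# password_login_possible CONFIG_TEXT
# Exit status 0 when a password alone could authenticate: either plain
# password auth or PAM keyboard-interactive (ChallengeResponseAuthentication,
# default "yes" upstream) is still enabled.
password_login_possible() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = yes ] || [ "$cr" = yes ]
}

# report LABEL CONFIG_TEXT: human-readable summary for one config.
report() {
    if password_login_possible "$2"; then
        printf '%s: password logins POSSIBLE\n' "$1"
    else
        printf '%s: password logins disabled\n' "$1"
    fi
}

report "default"  "$DEFAULT_CONFIG"
report "hardened" "$HARDENED_CONFIG"
```

On a real host the same question is answered by `sshd -T`, which prints the effective configuration with every default filled in, so `sshd -T | grep -i passwordauthentication` shows what the running daemon would actually accept rather than what the file appears to say.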

