
Re: openssh-server's default config is dangerous



On Tue, 12 Jul 2016, mwnx wrote:
> Currently, after installing openssh-server, anyone can gain access
> to any user's account on the system using only the corresponding
> user's password. As we know, people do not necessarily use the most
> secure of passwords. This will especially be the case if the user
> does not expect his computer to be accessible in any way from the
> outside.

Well, arguably, we could restrict ssh to key-based access by default
(which has a side effect of not allowing anyone in until keys are
deployed), or at least ask about it.

We could have it behave differently when installed from within
debian-installer (where it is used to complete the installation
remotely, and needs to be password-based).

Feel free to file a *wishlist* bug about it against the openssh-server
package, it would be a much better place to discuss its defaults.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
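
An added example, not part of the original message: a small auditor that reports whether an sshd_config still allows password logins, as a check for the key-only default suggested above. The function names and sample configs are constructed for illustration; it assumes a single config file (no Include handling) and upstream OpenSSH defaults of "yes" for both keywords.

```python
import re

# Upstream sshd defaults when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")  # "Keyword value" or "Keyword=value"

# Constructed samples, not taken from any real host.
STOCK = """\
#PasswordAuthentication yes
UsePAM yes
"""
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
# A later duplicate is ignored: sshd keeps the first value it reads.
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def parse(text):
    """Return (global settings, [(match condition, settings), ...])."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        m = LINE.match(raw.strip())          # comments and blanks do not match
        if not m or not m.group(2):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                   # following lines are conditional
            current = {}
            blocks.append((value, current))
            continue
        key = ALIASES.get(key, key)
        if key in DEFAULTS:                  # first value wins within a section
            current.setdefault(key, value.split()[0].strip('"').lower())
    return global_cfg, blocks


def password_login_paths(text):
    """List every way this config still lets a password authenticate a user."""
    global_cfg, blocks = parse(text)
    out = []
    for key in DEFAULTS:
        if global_cfg.get(key, DEFAULTS[key]) == "yes":
            how = "set to" if key in global_cfg else "defaulting to"
            out.append(f"global: {key} {how} yes")
    for cond, cfg in blocks:
        out += [f"Match {cond}: {k} yes" for k, v in cfg.items() if v == "yes"]
    return out
```

Keyboard-interactive is checked alongside PasswordAuthentication because, with PAM, it can also prompt for the account password. On a live host, `sshd -T` prints the effective configuration and is the authoritative check.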

