Re: openssh-server's default config is dangerous
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Jul 12, 2016 at 10:41:33AM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 12 Jul 2016, mwnx wrote:
> > Currently, after installing openssh-server, anyone can gain access
> > to any user's account on the system using only the corresponding
> > user's password. As we know, people do not necessarily use the most
> > secure of passwords. This will especially be the case if the user
> > does not expect his computer to be accessible in any way from the
> > outside.
>
> Well, arguably, we could restrict ssh to key-based access by default
> (which has a side effect of not allowing anyone in until keys are
> deployed), or at least ask about it.
>
> We could have it behave differently when installed from within
> debian-installer (where it is used to complete the installation
> remotely, and needs to be password-based).
>
> Feel free to file a *wishlist* bug about it against the openssh-server
> package, it would be a much better place to discuss its defaults.
Ultimately you are right, of course: but as I understood mwnx was
looking for input, and quite a few valid points have been made.
Changing the default right away seems too simplistic and would put
many users in the rain.
Some more thinking is needed, I guess.
Me, I just wanted to avoid the OP being driven away by all too
dismissive reactions. (S)he has a point, although perhaps the
solution is a bit difficult.
regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAleE9ssACgkQBcgs9XrR2kbssQCfRq9oMcVfP4ey/62XhsPYNxyQ
ma0An2z6Rx5Smc2KyDmE6XvKepImIh78
=z/Vo
-----END PGP SIGNATURE-----
Reply to: