Hello,

Christopher Lemmer Webber writes:

> Carlo Zancanaro writes:
>
>> Hey Chris!
>>
>> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>>> ... Plus, few distributions do what we're doing anymore, precisely
>>> because of wanting to be secure by default.
>>
>> Is this true? Debian defaults to passwords being allowed. I think it
>> even allows root login by default. At least, I have always had to add
>> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
>> install openssh-server on debian.
>
> Perhaps I'm wrong... I had thought that the last time I installed a
> Debian server, password based access was off by default. But I could be
> wrong.

I just tried with a Debian Buster VM; password access is enabled out of
the box.

>> I'm on board with what you're proposing, and I think Guix should
>> default to the more secure option, but I'm not sure that an
>> "average user" (whatever that means for Guix's demographic) would
>> expect that password authentication is disabled by default.
>
> That's fair... I think that
>
> "[ ] Password authentication? (insecure)"
>
> would be sufficient as an option. How do others feel?

I'm +1 on disabling password access out of the box; especially since
Guix System makes it easy to authorize SSH keys at installation time.

We'd have to see if it breaks any of our system tests, but I doubt so.

Patch welcome!

Maxim
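As an added illustration of the setup the message above argues for (this is example configuration, not code from the thread or from the Guix repository), the following is a complete Guix System declaration that turns password authentication and root login off in `openssh-service-type` and authorizes a public key for one user instead, which is the declarative equivalent of the "PermitRootLogin no" / "PasswordAuthentication no" lines Carlo adds by hand on Debian. The host name "sshbox", the user "alice", the disk "/dev/sda", the root label and the key file "alice.pub" are placeholders chosen for the example.

```scheme
;; Added example, not part of the original thread: a minimal Guix System
;; configuration whose only change from the base services is an OpenSSH
;; daemon that refuses passwords and root logins and trusts one public key.
;; Placeholder values: host name, user name, disk device, root label, key file.
(use-modules (gnu)
             (gnu services ssh))   ; openssh-service-type, openssh-configuration

(operating-system
  (host-name "sshbox")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               ;; Guix releases before 2021 spell this field `target`
               ;; and take a single string instead of a list.
               (targets '("/dev/sda"))))

  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; The account the SSH key below belongs to.
  (users (cons (user-account
                (name "alice")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))

  (services
   (cons (service openssh-service-type
                  (openssh-configuration
                   ;; Equivalent of "PermitRootLogin no" in sshd_config.
                   (permit-root-login #f)
                   ;; Equivalent of "PasswordAuthentication no": the field
                   ;; this thread proposes to default to #f.
                   (password-authentication? #f)
                   ;; Keys listed here are installed system-wide for the named
                   ;; user, so the machine is reachable with a key from the
                   ;; first boot. "alice.pub" is resolved relative to this
                   ;; file and must contain one OpenSSH public key line.
                   (authorized-keys
                    `(("alice" ,(local-file "alice.pub"))))))
         %base-services)))
```

To confirm the effective daemon settings on the resulting system rather than trusting the declaration, run `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'` after reconfiguring; both values should print as `no`.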