On Tue, Jul 12, 2016 at 03:05:35PM +0300, Reco wrote:
> Hi.
>
> On Tue, Jul 12, 2016 at 11:26:10AM +0200, mwnx wrote:
> > Currently, after installing openssh-server, anyone can gain access
> > to any user's account on the system using only the corresponding
> > user's password. As we know, people do not necessarily use the most
> > secure of passwords. This will especially be the case if the user
> > does not expect his computer to be accessible in any way from the
> > outside.
>
> So, you're blaming a perfectly good (and reasonably secure) way of
> remote access, but somehow assume that weak passwords are ok.
> By that logic you should not stop there. Why not blame any remote access
> mechanism that uses PAM for password checking as well?

I still think the OP has a point. I don't know how a solution might
look which makes sense (a default config with password disabled seems
a bit strong, TBH), but IMHO it's worth thinking about the problem
instead of dismissing it off-hand. That weak passwords are a problem
in themselves or that other services get started right away after
install too is irrelevant to the point made -- again IMHO.

regards
-- t