On Tue, 12 Jul 2016, mwnx wrote:
> Currently, after installing openssh-server, anyone can gain access
> to any user's account on the system using only the corresponding
> user's password. As we know, people do not necessarily use the most
> secure of passwords. This will especially be the case if the user
> does not expect his computer to be accessible in any way from the
> outside.
Well, arguably, we could restrict ssh to key-based access by default
(which has a side effect of not allowing anyone in until keys are
deployed), or at least ask about it. We could have it behave differently
when installed from within debian-installer (where it is used to complete
the installation remotely, and needs to be password-based).

Feel free to file a *wishlist* bug about it against the openssh-server
package, it would be a much better place to discuss its defaults.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
   them all and in the darkness grind them. In the Land of Redmond
   where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
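As an added example (not from the thread, and not Debian's or OpenSSH's own code), a POSIX shell check for the key-only default discussed above: it reads the effective server configuration as `sshd -T` prints it (constructed samples stand in when no sshd is available) and prints the drop-in that restricts logins to public keys. The drop-in path is an assumption.

```shell
# Added example (not from the thread): check the effective sshd configuration
# ('sshd -T' output) for password login and print the key-only drop-in.

# Constructed 'sshd -T' output for a stock install (password login on).
SAMPLE_WEAK='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

# Constructed 'sshd -T' output after hardening (keys only).
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# password_auth_enabled CONFIG_TEXT -> exit 0 when a password still logs in,
# via PasswordAuthentication or keyboard-interactive (PAM), which usually
# prompts for the account password too. 'sshd -T' prints keys in lower case;
# older releases name the second option challengeresponseauthentication.
password_auth_enabled() {
  printf '%s\n' "$1" | awk '
    $1 == "passwordauthentication"          { pw  = $2 }
    $1 == "kbdinteractiveauthentication"    { kbd = $2 }
    $1 == "challengeresponseauthentication" { kbd = $2 }
    END { exit !(pw == "yes" || kbd == "yes") }'
}

# Drop-in restricting sshd to public keys (assumed path; OpenSSH 8.2+ reads
# /etc/ssh/sshd_config.d/). Deploy keys for every account before installing it.
hardened_dropin() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/50-keys-only.conf
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Audit the live server when sshd is present (needs root), else the weak sample.
audit() {
  cfg=$(sshd -T 2>/dev/null) || cfg=$SAMPLE_WEAK
  if password_auth_enabled "$cfg"; then
    echo "password login possible; after deploying keys, install:"
    hardened_dropin
  else
    echo "key-only: password login disabled"
  fi
}

audit
```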