undefined | Better HN

0 pointsDaSHacka1y ago0 comments

Any sufficiently poorly constructed system is indistinguishable from a legitimate vulnerability.

You shouldn't need to edit an undocumented file that's force enabling an insecure authentication method in the first place.

"You're using it wrong" doesn't change the fact that the defaults are poor and likely to ultimately cause more devices to be improperly configured than if it was left as sysadmins and end-users expect.

0 comments

HumanOstrich1y ago

They likely chose the option to enable password-based SSH authentication during installation [1], or it's a cloud service that provisions servers with a password.

I've been looking for info about whether it's force-enabled with a vanilla install where the user doesn't actually choose for it to be enabled. I'm happy to be educated here.

[1]: https://askubuntu.com/a/1440509

j / k navigate · click thread line to collapse

0 comments

HumanOstrich1y ago

They likely chose the option to enable password-based SSH authentication during installation [1], or it's a cloud service that provisions servers with a password.

I've been looking for info about whether it's force-enabled with a vanilla install where the user doesn't actually choose for it to be enabled. I'm happy to be educated here.

[1]: https://askubuntu.com/a/1440509

j / k navigate · click thread line to collapse