
James Harper <james.harper@bendigoit.com.au> wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
I think there are checks performed on passwords entered by users other than root, but I'm not sure.
So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
Debian enables password authentication by default; I always turn it off, though. People who don't have keys or who don't know how to use them have no business logging into my machines remotely.
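
As an added example (not part of the original thread), here is one way to check whether an `sshd_config` still leaves a password login path open. It relies on sshd using the first value it obtains for each keyword and on `PasswordAuthentication` defaulting to `yes`. The function name and the sample configs are constructed for illustration, and `Include` files are assumed not to be in use.

```python
# Added example: audit sshd_config text for remaining password login paths.
# Assumptions: no Include directives; sample configs below are constructed.

# Upstream OpenSSH compiled-in defaults for the keywords we track.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "usepam": "no"}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_sshd_config(text):
    """Return a list of findings; an empty list means no password path found."""
    global_vals, match_hits, in_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out lines leave the default
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = line               # everything below belongs to this block
            continue
        if key not in DEFAULTS:
            continue
        if in_match is None:
            global_vals.setdefault(key, value)   # first obtained value wins
        elif key != "usepam" and value == "yes":
            # A Match block overrides the global section for matching logins.
            match_hits.append(f"{in_match}: {parts[0]} yes")
    eff = {**DEFAULTS, **global_vals}
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes (explicitly or by default)")
    if eff["kbdinteractiveauthentication"] == "yes" and eff["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    return findings + match_hits

# Constructed samples.
STOCK = "UsePAM yes\n#PasswordAuthentication yes\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM yes\n"
OVERRIDE = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "PasswordAuthentication yes\n"          # ignored: not the first value
            "Match User backup\n  PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("hardened", HARDENED), ("override", OVERRIDE)]:
        print(name, audit_sshd_config(cfg) or "no password path found")
```

On a live host, `sshd -T` prints the configuration sshd has actually resolved, including included files, and is the authoritative check.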