[SECURITY] Password based auth is available on git.alpinelinux.org
After the Gentoo breach I have been looking at how the various distros I use secure their infrastructure. I know you use GitHub as a mirror of git.alpinelinux.org and that the build servers don’t use GitHub.
I decided to check if git.alpinelinux.org allows any authentication method other than keys. It turns out it allows password-based auth:
$ ssh -v firstname.lastname@example.org
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Authentications that can continue: publickey,password,keyboard-interactive
I know that tools such as fail2ban can be used to prevent brute-force attacks. At the same time, it doesn’t sit well with me having password auth enabled for public-facing SSH.
Sorry if this is the wrong place for this ticket. Someone told me it was the best place to raise it.
(from redmine: issue id 9064, created on 2018-07-07, closed on 2018-08-20)
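
The check described in the ticket can be scripted for auditing your own hosts. The following is an added example, not part of the original ticket: the function names, the `SAMPLE_LOG` variable and the 10-second timeout are assumptions, and the sample input is constructed from the debug line quoted above.

```shell
#!/bin/sh
# Added example: report the non-key authentication methods an SSH server
# advertises, based on the debug output of `ssh -v`.

# Constructed sample input, modelled on the debug line quoted in the ticket.
SAMPLE_LOG='OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Authentications that can continue: publickey,password,keyboard-interactive'

# weak_auth_methods: reads `ssh -v` output on stdin and prints every
# advertised method other than publickey, one per line, sorted and unique.
# Returns 0 if at least one such method was advertised, 1 otherwise.
weak_auth_methods() {
    methods=$(sed -n 's/^debug1: Authentications that can continue: //p' \
        | tr ',' '\n' | tr -d ' \r' \
        | grep -v -e '^publickey$' -e '^$' | sort -u)
    [ -n "$methods" ] || return 1
    printf '%s\n' "$methods"
}

# check_host: run the same check against a live server you administer.
# PreferredAuthentications=none leaves the client with no method of its own
# to try, so it only receives the server's list of accepted methods;
# BatchMode=yes ensures no password prompt is ever shown.
check_host() {
    ssh -v -o BatchMode=yes -o PreferredAuthentications=none \
        -o ConnectTimeout=10 "$1" true 2>&1 | weak_auth_methods
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | weak_auth_methods >/dev/null; then
    echo "non-key authentication methods advertised:"
    printf '%s\n' "$SAMPLE_LOG" | weak_auth_methods
fi
```

On the server side, these methods are turned off in `sshd_config` with `PasswordAuthentication no` and `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH releases).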