news fragment

2025-04-10 04:09:58 +00:00 · 2021-10-25 20:47:35 -04:00 · 2021-10-25 20:47:35 -04:00 · 0b4e6754a3
commit 0b4e6754a3
parent aa6360f08e
1 changed files with 4 additions and 0 deletions
--- a/newsfragments/3827.security
+++ b/newsfragments/3827.security
@ -0,0 +1,4 @@
+The SFTP server no longer accepts password-based credentials for authentication.
+Public/private key-based credentials are now the only supported authentication type.
+This removes plaintext password storage from the SFTP credentials file.
+It also removes a possible timing side-channel vulnerability which might have allowed attackers to discover an account's plaintext password.