From 0b4e6754a34ee9ba8d7d71f6f16e7e29f4fd8ec8 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 25 Oct 2021 20:47:35 -0400 Subject: [PATCH] news fragment --- newsfragments/3827.security | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 newsfragments/3827.security diff --git a/newsfragments/3827.security b/newsfragments/3827.security new file mode 100644 index 000000000..4fee19c76 --- /dev/null +++ b/newsfragments/3827.security @@ -0,0 +1,4 @@ +The SFTP server no longer accepts password-based credentials for authentication. +Public/private key-based credentials are now the only supported authentication type. +This removes plaintext password storage from the SFTP credentials file. +It also removes a possible timing side-channel vulnerability which might have allowed attackers to discover an account's plaintext password.
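Review bot: The four added lines in newsfragments/3827.security announce a breaking change (password-based credentials are no longer accepted) without telling operators what they have to do about it. Consider adding a sentence that says how existing password entries in the SFTP credentials file are treated after upgrade and that affected accounts need a key-based entry instead, since anyone still relying on a password will otherwise find out only when login fails. The last added line also hedges twice ("a possible timing side-channel vulnerability which might have allowed"); one qualifier is enough, and the fragment would read more clearly if it said which comparison was affected only as far as the code change itself supports.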