GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable


Message #11 received at submit@debbugs.gnu.org:

Date: Mon, 23 Nov 2020 04:46:15 +0100
From: raingloom <raingloom@riseup.net>
To: bug-guix@gnu.org
Subject: Re: bug#44808: Default to allowing password authentication on leaves users vulnerable
Message-ID: <20201123044615.13cc0898@riseup.net>
In-Reply-To: <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@gmail.com>
References: <878sat3rnn.fsf@dustycloud.org> <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@gmail.com>

On Mon, 23 Nov 2020 03:32:08 +0100
Taylan Kammer <taylan.kammer@gmail.com> wrote:

> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> > Okay, I just realized I left a friend vulnerable by guiding them
> > through a Guix graphical install and telling them it would give
> > them a decent setup.  They turned on openssh support.
> > 
> > Then I realized their config had password-authentication? on.
> > 
> > That's unacceptable.  We need to change this default.  This is
> > known to leave users open to attack, and selecting a password
> > secure enough against brute forcing is fairly difficult, much more
> > difficult than only allowing entry by keys.  Plus, few
> > distributions do what we're doing anymore, precisely because of
> > wanting to be secure by default.
> > 
> > Yes, I know some people want password authentication on as part of a
> > bootstrapping process.  Fine... those users know to put it on.
> > Let's not leave our users open to attack by default though.
> > 
> > Happy to produce a patch and change the documentation, but I'd like
> > to hear that we have consensus to make this change.  But we should,
> > because otherwise I think we're going to hurt users.
> 
> I think it would be most ideal if the user were asked the following two
> questions, with a short explanation of what each means:
> 
> - Allow root login via SSH?
> 
> - Allow password authentication in SSH?
> 
> (I think Debian does this.)
> 
> Because as you say, on one hand password authentication in SSH can be
> a security risk.  But on the other hand many machines never have
> their SSH port exposed to the Internet, and the intranet is assumed
> to be safe. In those cases it would be an annoyance to have to enable
> it manually.
> 
> Both points apply to direct root login as well I think.
> 
> Allowing password authentication but disabling root login might also
> be considered safe enough on machines exposed to the Internet,
> because the attacker needs to guess the username as well.  Only
> presents a small increase in complexity for the attacker though.
> 
> 
> - Taylan

Most people won't know why allowing password authentication is
insecure. Either it should be worded differently, have a warning, or
not be an option.

Same goes doubly so for allowing root login.
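
For reference, the configuration the thread is about, as an added example that is neither from the thread nor the Guix project's own code: a minimal Guix config.scm that sets password-authentication? and the root-login field explicitly instead of relying on the defaults. Assumed values: a user alice, her public key in alice.pub beside the file, and /dev/sda as the disk.

```scheme
;; Added example, not from the bug thread or the Guix project's own code:
;; a minimal Guix config.scm that pins the two settings this thread argues
;; about instead of relying on the defaults.  Assumed values: user "alice",
;; her public key in alice.pub beside this file, disk /dev/sda.
(use-modules (gnu) (gnu services ssh))

(define %hardened-ssh
  (service openssh-service-type
           (openssh-configuration
            ;; The complaint in the thread: with this left #t, the host
            ;; accepts password guesses over the network.  Pin it off.
            (password-authentication? #f)
            ;; Taylan's second question, root login over SSH.  #f refuses
            ;; root entirely; 'prohibit-password would allow root with a
            ;; key but never with a password.
            (permit-root-login #f)
            ;; With passwords off, a key must be provisioned at install
            ;; time or nobody can log in.  The service installs it as
            ;; /etc/ssh/authorized_keys.d/alice.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub")))))))

(operating-system
  (host-name "ssh-example")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))        ; assumed disk
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device "/dev/sda1")     ; assumed root partition
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "alice")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  ;; %base-services does not include sshd, so add the hardened service.
  (services (cons %hardened-ssh %base-services)))
```

After `guix system reconfigure config.scm`, running `sshd -T` on the host prints the effective `passwordauthentication` and `permitrootlogin` values, which is a quick way to verify the generated sshd_config.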

