GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #31 received at 44808@debbugs.gnu.org (full text, mbox, reply):

Received: (at 44808) by debbugs.gnu.org; 5 Dec 2020 15:14:44 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 05 10:14:44 2020
Received: from localhost ([127.0.0.1]:47992 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1klZGl-000296-Tg
	for submit@debbugs.gnu.org; Sat, 05 Dec 2020 10:14:44 -0500
Received: from eggs.gnu.org ([209.51.188.92]:44374)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1klZGk-00028s-HD
 for 44808@debbugs.gnu.org; Sat, 05 Dec 2020 10:14:42 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:46929)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1klZGf-0004hR-8H; Sat, 05 Dec 2020 10:14:37 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=58522 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1klZGe-0005di-Mz; Sat, 05 Dec 2020 10:14:37 -0500
From: Ludovic Courtès <ludo@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au>
 <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 15 Frimaire an 229 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Sat, 05 Dec 2020 16:14:35 +0100
In-Reply-To: <87im9nmr5u.fsf@gmail.com> (Maxim Cournoyer's message of "Sun, 29
 Nov 2020 22:58:53 -0500")
Message-ID: <87eek45lpg.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@dustycloud.org>, 44808@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi!

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>>> I'm on board with what you're proposing, and I think Guix should
>>> default to the more secure option, but I'm not sure that an 
>>> "average user" (whatever that means for Guix's demographic) would
>>> expect that password authentication is disabled by default.
>>
>> That's fair... I think that
>> "[ ] Password authentication? (insecure)"
>> would be sufficient as an option.  How do others feel?
>
> I'm +1 on disabling password access out of the box; especially since
> Guix System makes it easy to authorize SSH keys at installation time.
> We'd have to see if it breaks any of our system tests, but I doubt so.

Agreed.  There are several ways to do that:

  1. Have the installer emit an ‘openssh-configuration’ that explicitly
     disables password authentication.

  2. Change the default value of the relevant field in
     <openssh-configuration>.

#2 is more thorough but also more risky: people could find themselves
locked out of their server after reconfiguration, though this could be
mitigated by a news entry.

Thoughts?

Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:11:27 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.