GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable


Message #5 received at submit@debbugs.gnu.org:

User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@dustycloud.org>
To: bug-guix@gnu.org
Subject: Default to allowing password authentication on leaves users vulnerable
Date: Sun, 22 Nov 2020 18:20:28 -0500
Message-ID: <878sat3rnn.fsf@dustycloud.org>
MIME-Version: 1.0
Content-Type: text/plain

Okay, I just realized I left a friend vulnerable by guiding them through
a Guix graphical install and telling them it would give them a decent
setup.  They turned on openssh support.

Then I realized their config had password-authentication? on.

That's unacceptable.  We need to change this default.  This is known to
leave users open to attack, and selecting a password secure enough
against brute forcing is fairly difficult, much more difficult than only
allowing entry by keys.  Plus, few distributions do what we're doing
anymore, precisely because of wanting to be secure by default.

Yes, I know some people want password authentication on as part of a
bootstrapping process.  Fine... those users know to put it on.  Let's
not leave our users open to attack by default though.

Happy to produce a patch and change the documentation, but I'd like to
hear that we have consensus to make this change.  But we should, because
otherwise I think we're going to hurt users.

 - Chris
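For reference, this is what the setting in question looks like in a Guix operating-system declaration, as an added example that is not part of the report or of Guix's own documentation: the default the report objects to, next to the key-only configuration it argues for. Field names follow Guix's openssh-configuration record; the user name "alice", the key file "alice.pub" and the port are placeholders.

```scheme
;; Added example (not from the bug report): openssh-service-type as it
;; appears in a Guix operating-system declaration.  Field names follow
;; Guix's openssh-configuration record; "alice", "alice.pub" and the
;; port number are placeholders chosen for illustration.
(use-modules (gnu))
(use-service-modules ssh)

;; Weak: relies on the default the report complains about.  Because
;; password-authentication? is not set, it keeps its default of #t and
;; sshd accepts password logins from anywhere the port is reachable,
;; so the account is only as strong as the user's password.
(define weak-ssh
  (service openssh-service-type
           (openssh-configuration
            (port-number 22))))

;; Hardened: what the report asks to be the default.  Logins require a
;; key listed in authorized-keys; passwords (including empty ones) are
;; refused, and root can never log in with a password.
(define hardened-ssh
  (service openssh-service-type
           (openssh-configuration
            (port-number 22)
            (permit-root-login 'prohibit-password) ; #f forbids root entirely
            (password-authentication? #f)
            (public-key-authentication? #t)
            (allow-empty-passwords? #f)
            (authorized-keys
             `(("alice" ,(local-file "alice.pub")))))))

;; In the operating-system form, use the hardened variant, e.g.:
;;   (services (cons hardened-ssh %base-services))
```

After `guix system reconfigure`, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually runs with, which is the quickest way to confirm the field took effect.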

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:42:47 2024; Machine Name: wallace-server

GNU bug tracking system