GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable


Message #52 received at 44808@debbugs.gnu.org:

Date: Mon, 7 Dec 2020 14:40:15 -0500
From: Leo Famulari <leo@famulari.name>
To: Christopher Lemmer Webber <cwebber@dustycloud.org>
Cc: Ludovic Courtès <ludo@gnu.org>, Maxim Cournoyer <maxim.cournoyer@gmail.com>, 44808@debbugs.gnu.org
Subject: Re: bug#44808: Default to allowing password authentication on leaves users vulnerable
Message-ID: <X86FH7Mt3353VRGL@jasmine.lan>
In-Reply-To: <87k0twkt9c.fsf@dustycloud.org>

On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
> >   2. Change the default value of the relevant field in
> >      <openssh-configuration>.
> >
> > #2 is more thorough but also more risky: people could find themselves
> > locked out of their server after reconfiguration, though this could be
> > mitigated by a news entry.

I do think we should avoid changing the default. I know that passphrases
are inherently riskier than keys — compromise is more likely than with a
key, but I think it's even more likely that people will lose access to
their servers if we change this default.

How bad is the risk, from a practical perspective? How many times per
second can a remote attacker attempt passphrase authentication? If the
number is high, we could petition OpenSSH to introduce a delay.
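The field the thread refers to as "the relevant field in <openssh-configuration>" is `password-authentication?`. The following is an added example, not code from the bug report, its participants, or Guix's own sources: an operator-side service definition that sets the field explicitly instead of relying on whatever the default happens to be, installs the login key in the same reconfigure so the lock-out concern raised above does not apply, and adds the two sshd_config limits that bound guesses per connection. The user name `alice`, the key file `alice.pub` and the service variable name are constructed placeholders, and the `extra-content` field is assumed to exist in the Guix version in use.

```scheme
;; Added example, not from the bug thread or from Guix itself.
;; Defines a service value to be added to an operating-system's `services' list.
(use-modules (gnu services ssh)   ; openssh-service-type, openssh-configuration
             (guix gexp))         ; local-file

(define hardened-openssh-service
  (service openssh-service-type
           (openssh-configuration
            ;; The field whose default the bug report is about.  Setting it
            ;; explicitly means a later change of the default cannot silently
            ;; alter how this host authenticates.
            (password-authentication? #f)
            ;; No root logins over SSH at all; administer through an
            ;; unprivileged account plus sudo.
            (permit-root-login #f)
            ;; Install the key in the same reconfigure that disables
            ;; passwords, so the operator is never locked out.  "alice" and
            ;; "alice.pub" (a public key file next to this configuration) are
            ;; constructed placeholders.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub"))))
            ;; Raw sshd_config lines (assumes the `extra-content' field is
            ;; available).  MaxAuthTries caps authentication attempts per
            ;; connection (OpenSSH's default is 6); LoginGraceTime bounds how
            ;; long an unauthenticated connection may stay open, in seconds.
            (extra-content "MaxAuthTries 3\nLoginGraceTime 30\n"))))

;; Usage inside an operating-system declaration:
;;   (services (cons hardened-openssh-service %base-services))
```

On the rate question raised in the message: OpenSSH already caps attempts within one connection (`MaxAuthTries`) and the lifetime of an unauthenticated connection (`LoginGraceTime`), and `MaxStartups` limits how many unauthenticated connections may be open at once, but it does not throttle new connections over time on its own, so the effective guess rate is governed by those settings together with any external rate limiting on the host.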


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:49:31 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.