GNU bug report logs

#44808 Default to allowing password authentication on leaves users vulnerable

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #76 received at 44808@debbugs.gnu.org (full text, mbox, reply):

Received: (at 44808) by debbugs.gnu.org; 10 Dec 2020 08:17:33 +0000
From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 10 03:17:33 2020
Received: from localhost ([127.0.0.1]:36941 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1knH8n-0002Pc-K8
	for submit@debbugs.gnu.org; Thu, 10 Dec 2020 03:17:33 -0500
Received: from eggs.gnu.org ([209.51.188.92]:39058)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1knH8l-0002PN-G4
 for 44808@debbugs.gnu.org; Thu, 10 Dec 2020 03:17:32 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:37035)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1knH8b-0002FD-Ml; Thu, 10 Dec 2020 03:17:21 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56736 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1knH8a-00004y-T1; Thu, 10 Dec 2020 03:17:21 -0500
From: Ludovic Courtès <ludo@gnu.org>
To: Mark H Weaver <mhw@netris.org>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au>
 <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com>
 <87eek45lpg.fsf@gnu.org> <87k0twkt9c.fsf@dustycloud.org>
 <87sg8hzvdx.fsf@gnu.org> <87a6upepwb.fsf@web.de>
 <87sg8hlfyu.fsf@dustycloud.org> <871rg1e6js.fsf@web.de>
 <87im9ddy0r.fsf@netris.org> <87wnxswpmk.fsf@gnu.org>
 <87lfe7ydc0.fsf@netris.org>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 20 Frimaire an 229 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Thu, 10 Dec 2020 09:17:19 +0100
In-Reply-To: <87lfe7ydc0.fsf@netris.org> (Mark H. Weaver's message of "Tue, 08
 Dec 2020 20:31:16 -0500")
Message-ID: <87o8j29isw.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@dustycloud.org>,
 "Dr. Arne Babenhauserheide" <arne_bab@web.de>, maxim.cournoyer@gmail.com,
 44808@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Mark,

Mark H Weaver <mhw@netris.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> What do you think of the approach in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>
> One problem, which I just discovered, is that it warns users even if
> they don't have an 'openssh-service' in their system configuration.

Could it be that you have a childhurd or some other service that uses
‘openssh-service-type’?  What source code location is associated with
that warning?

>> The default is unchanged but the warning could be kept say until the
>> next release, at which point we’d change the default.
>>
>> Or are you suggesting keeping the default unchanged?
>
> I don't feel strongly about what the default setting should be, as long
> as we ensure that users are somehow made aware of the change before it
> happens, and are given the opportunity (and preferably easy instructions
> on how) to keep password authentication enabled if they wish.
>
> I also think that the installer should explicitly ask the user what the
> setting should be, so that we do not catch new users off guard who
> expected to be able to ssh in to their newly-installed systems using
> only a password.

Yeah, we can do that; it’s a bit of extra complexity in the installer,
but perhaps that’ll be useful to configure other services as well.

> If the plan is to change the default setting and issue warnings in the
> meantime, it should be easy to silence those warnings, especially for
> those of us who don't even use openssh-service :)

Agreed.  :-)  Normally, if you explicitly set the field, the warning
disappears.

Thanks,
Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:19:56 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.