#44808 Default to allowing password authentication on leaves users vulnerable

Message #79 received at 44808@debbugs.gnu.org (full text, mbox, reply):

Received: (at 44808) by debbugs.gnu.org; 11 Dec 2020 01:45:00 +0000
From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 10 20:45:00 2020
Received: from localhost ([127.0.0.1]:39598 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1knXUR-0001Jn-Lz
	for submit@debbugs.gnu.org; Thu, 10 Dec 2020 20:45:00 -0500
Received: from world.peace.net ([64.112.178.59]:60824)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1knXUP-0001Ja-US
 for 44808@debbugs.gnu.org; Thu, 10 Dec 2020 20:44:58 -0500
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1knXUI-0007Ps-0R; Thu, 10 Dec 2020 20:44:51 -0500
From: Mark H Weaver <mhw@netris.org>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-Reply-To: <87o8j29isw.fsf@gnu.org>
References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au>
 <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com>
 <87eek45lpg.fsf@gnu.org> <87k0twkt9c.fsf@dustycloud.org>
 <87sg8hzvdx.fsf@gnu.org> <87a6upepwb.fsf@web.de>
 <87sg8hlfyu.fsf@dustycloud.org> <871rg1e6js.fsf@web.de>
 <87im9ddy0r.fsf@netris.org> <87wnxswpmk.fsf@gnu.org>
 <87lfe7ydc0.fsf@netris.org> <87o8j29isw.fsf@gnu.org>
Date: Thu, 10 Dec 2020 20:43:45 -0500
Message-ID: <87pn3h15hv.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@dustycloud.org>,
 "Dr. Arne Babenhauserheide" <arne_bab@web.de>, maxim.cournoyer@gmail.com,
 44808@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Mark H Weaver <mhw@netris.org> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
>>> What do you think of the approach in
>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?

I highly doubt it.  In any case, there's certainly no ssh daemon
running.  See below for my system configuration.

> What source code location is associated with that warning?

gnu/services/ssh.scm:570:31, here:

  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570

Here's what I see when I build a system:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'
field of 'openssh-configuration' will change from #true to #false in the
future.  Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---

Could it be related to the fact that I always run Guix via
./pre-inst-env from a git checkout?

If this problem only affect me, due to the unusual way in which I use
Guix, feel free to disregard this issue.  It's easy enough for me add
one more to my collection of reverted patches on my private branch :)

     Thanks,
       Mark


--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware xdisorg libusb suckless ratpoison wm vpn)

(operating-system
  (host-name "jojen")
  (timezone "right/US/Eastern")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
	       (bootloader grub-bootloader)
	       (target "/dev/sda")))

  (kernel linux-libre)
  (kernel-arguments '("page_alloc.shuffle=1"))

  (firmware (list ath9k-htc-firmware))
  ;;(firmware '())

  (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
          (target "jojen-root")
          (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         ;; FIXME: reference by the file system label?
                         (device "/dev/mapper/jojen-root")
                         (mount-point "/")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       %base-file-systems))

  (users (cons* (user-account
                 (name "mhw")
                 (uid 1000)
                 (group "mhw")
                 (supplementary-groups '("wheel" "users" "netdev"
                                         "audio" "video" "dialout"))
                 (home-directory "/home/mhw"))
                %base-user-accounts))

  (groups (cons* (user-group
                  (name "mhw")
                  (id 1000))
                 %base-groups))

  (setuid-programs
   (list (file-append shadow "/bin/passwd")
         (file-append inetutils "/bin/ping")))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs         ;for HTTPS access
                   gvfs              ;for user mounts
                   cryptsetup
                   btrfs-progs
                   wpa-supplicant
                   network-manager
                   network-manager-applet
		   network-manager-openvpn
		   openvpn
		   ratpoison
		   i3-wm
		   dwm
                   (delete sudo %base-packages)))

  (services (cons* (service gnome-desktop-service-type)
		   ;;(service xfce-desktop-service-type)

                   (service gdm-service-type)
                   ;;(service slim-service-type)
                   (screen-locker-service slock)
                   ;;(screen-locker-service xlockmore "xlock")

		   ;; Add udev rules for MTP devices so that non-root
		   ;; users can access them.
                   (simple-service 'mtp udev-service-type (list libmtp))
		   ;; Add udev rules for scanners.
		   (service sane-service-type)
		   ;; Add polkit rules, so that non-root users in the
		   ;; wheel group can perform administrative tasks
		   ;; (similar to "sudo").
		   polkit-wheel-service

		   ;; NetworkManager and its dependents.
                   (service network-manager-service-type)
                   (service wpa-supplicant-service-type)
		   ;; (simple-service 'network-manager-applet
                   ;;                 profile-service-type
                   ;;                 (list network-manager-applet))
		   ;; (service modem-manager-service-type)
		   ;; (service usb-modeswitch-service-type)

		   ;; The D-Bus clique.
		   ;;(service avahi-service-type)    ; I don't trust this
                   (udisks-service)
                   (service upower-service-type)
		   ;;(accountsservice-service)
		   ;;(service cups-pk-helper-service-type)
		   (service colord-service-type)
		   ;;(geoclue-service)  ; I don't want this
                   (service polkit-service-type)
                   (elogind-service)
                   (dbus-service)

                   ;;(service ntp-service-type)   ; I don't trust this

                   (service pulseaudio-service-type)
		   (service alsa-service-type)

		   ;;;; Disabled for now
		   ;;
		   ;;(accountsservice-service)
		   ;;(service cups-pk-helper-service-type)

		   ;; TOR: The Onion Router
		   (service tor-service-type)

                   ;; Optional OpenNTPd, below
		   #;
		   (service
		    openntpd-service-type
		    (openntpd-configuration
		     (listen-on '("127.0.0.1" "::1"))
		     ;;(constraint-from '("www.gnu.org"))
		     (allow-large-adjustment? #t)))

		   x11-socket-directory-service

		   ;;;; Disabled for now
		   ;;
		   ;;(service alsa-service-type)

                   (modify-services %base-services
                     ;; I don't trust the build farm
                     (guix-service-type config =>
                                        (guix-configuration
                                          (inherit config)
                                          (use-substitutes? #f)
                                          (authorize-key?   #f)
                                          (authorized-keys '())
                                          (substitute-urls '())
                                          (extra-options '("--gc-keep-derivations=yes"
                                                           "--gc-keep-outputs=yes")))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;;(name-service-switch %mdns-host-lookup-nss)  ; disabled for now
  )
--8<---------------cut here---------------end--------------->8---

Send a report that this bug log contains spam.