From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#26695: openssh password-authentication? should be #f by default Date: Fri, 28 Apr 2017 15:28:34 -0400 Message-ID: <20170428192834.GB6736@jasmine> References: <87k264tx8m.fsf@dustycloud.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="lEGEL1/lMxI0MVQ2" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42030) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d4BZi-0005AJ-Vd for bug-guix@gnu.org; Fri, 28 Apr 2017 15:29:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d4BZf-0002VN-Rn for bug-guix@gnu.org; Fri, 28 Apr 2017 15:29:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:46853) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d4BZe-0002Ut-00 for bug-guix@gnu.org; Fri, 28 Apr 2017 15:29:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1d4BZd-00081H-Qo for bug-guix@gnu.org; Fri, 28 Apr 2017 15:29:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87k264tx8m.fsf@dustycloud.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Christopher Allan Webber Cc: 26695@debbugs.gnu.org --lEGEL1/lMxI0MVQ2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote: > Our default permits password authentication for the openssh service (and > the others it seems) by default in Guix. This is somewhat dangerous > because this is a much easier to break in this way, and some users might > not assume the default is reasonably safe. If users really want > password-authentication, they should turn it on explicitly. The upstream default is to allow password authentication (see sshdconfig(5)). With the current GuixSD defaults, my understanding is that nobody will be able to login remotely to a new GuixSD system with the default openssh-service, unless they make the effort to insert the user's password in their GuixSD declaration. Remote root login and empty password login is disabled by default. So the current situation seems safe to me. Please let us know if you see a hole. Allowing passwords is not the best practice for securing sshd, but I think it's a good default for the openssh-service until we have a better way to deploy keys. If we do change the password authentication default to #f, I think we should do it in a new Guix release, since it will probably break GuixSD provisioning scripts that people are using. --lEGEL1/lMxI0MVQ2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlkDl+IACgkQJkb6MLrK fwg11w//XrL4cjkmxk0s6TvE88/xQdXNbwLfkvzRJbjbyzo2JLmH/mng16O3e00p WYCJ1U+dJOVj02KnjkwbVWC6NlaFDFUQoqilnlZhNIUz8Kp++5IEcLNC/DBInvZc vXi0v+85uLIu8r+AvKgi66vfHHBNN+ZaNpr9SOg3yK4jxMaRr5Q9MdHI+AqZZqxV Uuun6SjSjv2KOVkDyvcLR16Caa2G3TqnWXLWWomMb18vl5omxqb5TV33XVndUIk2 0HB4lxjlanukXX1Sbp9CItsGbLGDBNHRczDMjMDC4azJ43NmDPp1qN4oH6nKW9WP 2Y7C9KOX/SgjjqdKo0z+OxmRLFxRc2/7pik1G4DAsQ1+i4O1x5g2a1W35B3fJKRf viW8K2zS4ad5voBPYtWuvpoeHLHu0V2hy1cT1NKrMDChYc+i3BycYcTBIiHo+IqA 1S1TzintiQ6fHwreZs67k4tw34q9W49cxrg2KR61YNvonL98w3edkvHPp/ICqqv8 ZXDJMWmLP1WRjpIwRI/XZD9VZfUWod8oy8WgChffxxTnetPE9hrmfbLaLtdbJjFn Tc/K2GWetNj2U4v6bfr5zeM/eJ65Az4m9J/FrvV6R2lyyknMTap9LYSUnGn3uZFI wViM5ADjxuCaaaAv2B9RA1Q5K9Esfq5FBe0MyIUDfITr1kspAO4= =qlcz -----END PGP SIGNATURE----- --lEGEL1/lMxI0MVQ2--