* bug#26695: openssh password-authentication? should be #f by default
@ 2017-04-28 14:37 Christopher Allan Webber
2017-04-28 16:09 ` Maxim Cournoyer
2017-04-28 19:28 ` Leo Famulari
0 siblings, 2 replies; 9+ messages in thread
From: Christopher Allan Webber @ 2017-04-28 14:37 UTC (permalink / raw)
To: 26695
Our default permits password authentication for the openssh service (and
the others it seems) by default in Guix. This is somewhat dangerous
because this is a much easier to break in this way, and some users might
not assume the default is reasonably safe. If users really want
password-authentication, they should turn it on explicitly.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 14:37 bug#26695: openssh password-authentication? should be #f by default Christopher Allan Webber
@ 2017-04-28 16:09 ` Maxim Cournoyer
2017-04-28 16:37 ` Christopher Allan Webber
2017-04-28 19:28 ` Leo Famulari
1 sibling, 1 reply; 9+ messages in thread
From: Maxim Cournoyer @ 2017-04-28 16:09 UTC (permalink / raw)
To: 26695, cwebber
On April 28, 2017 7:37:13 AM PDT, Christopher Allan Webber <cwebber@dustycloud.org> wrote:
>Our default permits password authentication for the openssh service
>(and
>the others it seems) by default in Guix. This is somewhat dangerous
>because this is a much easier to break in this way, and some users
>might
>not assume the default is reasonably safe. If users really want
>password-authentication, they should turn it on explicitly.
+1. Although it means the keys will have to be copied by another mean than the "ssh-copy-id" script. Maybe the configuration could accept the public key? :) I haven't checked if this is already possible.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 16:09 ` Maxim Cournoyer
@ 2017-04-28 16:37 ` Christopher Allan Webber
2017-04-28 16:40 ` Maxim Cournoyer
2017-04-28 17:23 ` Marius Bakke
0 siblings, 2 replies; 9+ messages in thread
From: Christopher Allan Webber @ 2017-04-28 16:37 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 26695
Maxim Cournoyer writes:
> +1. Although it means the keys will have to be copied by another mean
> than the "ssh-copy-id" script. Maybe the configuration could accept
> the public key? :) I haven't checked if this is already possible.
We have discussed in the past having some service that just copies some
static files on init. That would be enough to set up public keys
appropriately.
That's a different, but related bug :)
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 16:37 ` Christopher Allan Webber
@ 2017-04-28 16:40 ` Maxim Cournoyer
2017-04-28 17:23 ` Marius Bakke
1 sibling, 0 replies; 9+ messages in thread
From: Maxim Cournoyer @ 2017-04-28 16:40 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: 26695
On April 28, 2017 9:37:59 AM PDT, Christopher Allan Webber <cwebber@dustycloud.org> wrote:
>Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another mean
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
>We have discussed in the past having some service that just copies some
>static files on init. That would be enough to set up public keys
>appropriately.
>
>That's a different, but related bug :)
I see! Indeed, it seems it would solve the problem to have such service. Thanks for the reply!
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 16:37 ` Christopher Allan Webber
2017-04-28 16:40 ` Maxim Cournoyer
@ 2017-04-28 17:23 ` Marius Bakke
2017-04-28 18:25 ` Christopher Allan Webber
2017-04-30 19:47 ` Chris Marusich
1 sibling, 2 replies; 9+ messages in thread
From: Marius Bakke @ 2017-04-28 17:23 UTC (permalink / raw)
To: Christopher Allan Webber, Maxim Cournoyer; +Cc: 26695
[-- Attachment #1: Type: text/plain, Size: 820 bytes --]
Christopher Allan Webber <cwebber@dustycloud.org> writes:
> Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another mean
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
> We have discussed in the past having some service that just copies some
> static files on init. That would be enough to set up public keys
> appropriately.
I think that can already be done with 'special-file-service-type'.
https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html
Another approach could be a small program that reads a configuration
file and can also pull from e.g. the ec2 metadata service which should
work with many "cloud" providers. Similar to "cloud-init" but Guile of
course :)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 17:23 ` Marius Bakke
@ 2017-04-28 18:25 ` Christopher Allan Webber
2017-04-30 19:47 ` Chris Marusich
1 sibling, 0 replies; 9+ messages in thread
From: Christopher Allan Webber @ 2017-04-28 18:25 UTC (permalink / raw)
To: Marius Bakke; +Cc: 26695, Maxim Cournoyer
Marius Bakke writes:
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html
Interesting! I'll have to try this route.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 17:23 ` Marius Bakke
2017-04-28 18:25 ` Christopher Allan Webber
@ 2017-04-30 19:47 ` Chris Marusich
1 sibling, 0 replies; 9+ messages in thread
From: Chris Marusich @ 2017-04-30 19:47 UTC (permalink / raw)
To: Marius Bakke; +Cc: 26695, Maxim Cournoyer
[-- Attachment #1: Type: text/plain, Size: 2324 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another mean
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html
Will OpenSSH know where to look, in that case? I think a little more
work would be needed to tell OpenSSH where to look. For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).
In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service. For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the <openssh-configuration> record type.
> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)
This topic has come up before. Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed. See here for details:
https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html
Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file. Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.
--
Chris
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 14:37 bug#26695: openssh password-authentication? should be #f by default Christopher Allan Webber
2017-04-28 16:09 ` Maxim Cournoyer
@ 2017-04-28 19:28 ` Leo Famulari
2023-08-29 3:24 ` Maxim Cournoyer
1 sibling, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2017-04-28 19:28 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: 26695
[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]
On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
> Our default permits password authentication for the openssh service (and
> the others it seems) by default in Guix. This is somewhat dangerous
> because this is a much easier to break in this way, and some users might
> not assume the default is reasonably safe. If users really want
> password-authentication, they should turn it on explicitly.
The upstream default is to allow password authentication (see
sshdconfig(5)).
With the current GuixSD defaults, my understanding is that nobody will
be able to login remotely to a new GuixSD system with the default
openssh-service, unless they make the effort to insert the user's
password in their GuixSD declaration. Remote root login and empty
password login is disabled by default.
So the current situation seems safe to me. Please let us know if you see
a hole.
Allowing passwords is not the best practice for securing sshd, but I
think it's a good default for the openssh-service until we have a better
way to deploy keys.
If we do change the password authentication default to #f, I think we
should do it in a new Guix release, since it will probably break GuixSD
provisioning scripts that people are using.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#26695: openssh password-authentication? should be #f by default
2017-04-28 19:28 ` Leo Famulari
@ 2023-08-29 3:24 ` Maxim Cournoyer
0 siblings, 0 replies; 9+ messages in thread
From: Maxim Cournoyer @ 2023-08-29 3:24 UTC (permalink / raw)
To: Leo Famulari; +Cc: Christopher Allan Webber, 26695-done
Hi,
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix. This is somewhat dangerous
>> because this is a much easier to break in this way, and some users might
>> not assume the default is reasonably safe. If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshdconfig(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login is disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.
I agree with your assessment. I think there's probably more hurt than
benefit in diverging from upstream's choice of defaults here.
I'm thus closing this old forgotten report.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2023-08-29 3:26 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-28 14:37 bug#26695: openssh password-authentication? should be #f by default Christopher Allan Webber
2017-04-28 16:09 ` Maxim Cournoyer
2017-04-28 16:37 ` Christopher Allan Webber
2017-04-28 16:40 ` Maxim Cournoyer
2017-04-28 17:23 ` Marius Bakke
2017-04-28 18:25 ` Christopher Allan Webber
2017-04-30 19:47 ` Chris Marusich
2017-04-28 19:28 ` Leo Famulari
2023-08-29 3:24 ` Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).