Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
From: raingloom
To: 44808@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Mon, 23 Nov 2020 04:46:15 +0100
Message-ID: <20201123044615.13cc0898@riseup.net>
In-Reply-To: <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@gmail.com>
References: <878sat3rnn.fsf@dustycloud.org> <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@gmail.com>

On Mon, 23 Nov 2020 03:32:08 +0100 Taylan Kammer wrote:

> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> > Okay, I just realized I left a friend vulnerable by guiding them
> > through a Guix graphical install and telling them it would give
> > them a decent setup. They turned on openssh support.
> >
> > Then I realized their config had password-authentication? on.
> >
> > That's unacceptable.
> > We need to change this default. This is
> > known to leave users open to attack, and selecting a password
> > secure enough against brute forcing is fairly difficult, much more
> > difficult than only allowing entry by keys. Plus, few
> > distributions do what we're doing anymore, precisely because of
> > wanting to be secure by default.
> >
> > Yes, I know some people want password authentication on as part of a
> > bootstrapping process. Fine... those users know to put it on.
> > Let's not leave our users open to attack by default though.
> >
> > Happy to produce a patch and change the documentation, but I'd like
> > to hear that we have consensus to make this change. But we should,
> > because otherwise I think we're going to hurt users.
>
> I think most ideal would be if the user is asked the following two
> questions, with a short explanation of what each means:
>
> - Allow root login via SSH?
>
> - Allow password authentication in SSH?
>
> (I think Debian does this.)
>
> Because as you say, on one hand password authentication in SSH can be
> a security risk. But on the other hand many machines never have
> their SSH port exposed to the Internet, and the intranet is assumed
> to be safe. In those cases it would be an annoyance to have to enable
> it manually.
>
> Both points apply to direct root login as well I think.
>
> Allowing password authentication but disabling root login might also
> be considered safe enough on machines exposed to the Internet,
> because the attacker needs to guess the username as well. Only
> presents a small increase in complexity for the attacker though.
>
> - Taylan
>

Most people won't know why allowing password authentication is insecure. Either it should be worded differently, have a warning, or not be an option. Same goes doubly so for allowing root login.
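For readers who want to see what the two settings discussed in this thread look like in a Guix system declaration, here is an added example (not code from the bug report, the Guix manual or the installer). It shows the permissive openssh-service-type configuration the report describes next to a key-only, no-root-login variant. The field names (`password-authentication?`, `permit-root-login`, `authorized-keys`) are those of `openssh-configuration` in `(gnu services ssh)`; the user name `alice`, the key path, the host name, the disk device and the bootloader `targets` field (spelled `target` on 2020-era Guix) are placeholders and assumptions, so check them against `guix system search ssh` and the manual for your Guix revision before reconfiguring.

```scheme
;; Added example, not from the bug report or the Guix manual.
;; Two openssh-service-type configurations for a Guix operating-system:
;; the permissive one the installer produced in the report, and a
;; key-only variant.  Field names follow (gnu services ssh); placeholders
;; ("alice", the key file, "example", /dev/sda) are assumptions.
(use-modules (gnu)
             (gnu services ssh))

;; 1. Roughly what the graphical installer generated: password logins
;;    accepted for every local account.  Exposed to the Internet this is
;;    the brute-force target the report describes.
(define permissive-ssh
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #t))))

;; 2. Key-only: passwords refused for everyone, root cannot log in at all
;;    (permit-root-login also accepts 'prohibit-password, called
;;    'without-password on older Guix), and the accepted public key is
;;    pinned in the declaration so it survives reconfiguration.
(define key-only-ssh
  (service openssh-service-type
           (openssh-configuration
            (permit-root-login #f)
            (password-authentication? #f)
            (authorized-keys
             `(("alice" ,(local-file "/home/alice/.ssh/id_ed25519.pub")))))))

(operating-system
  (host-name "example")
  (timezone "Etc/UTC")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               ;; `target' (a string) instead of `targets' on 2020-era Guix
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "alice")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  ;; Swap in `permissive-ssh' here to reproduce the configuration
  ;; the report complains about.
  (services (cons key-only-ssh %base-services)))
```

After `guix system reconfigure`, confirm the daemon really refuses passwords rather than trusting the declaration: `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password alice@example` should fail immediately with `Permission denied (publickey)` and never prompt for a password, and `ssh root@example` should be refused the same way regardless of which key is offered. If a password prompt appears, the generated `/etc/ssh/sshd_config` (or a file-system level override) is not what you declared.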