Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
From: Taylan Kammer
To: Christopher Lemmer Webber, 44808@debbugs.gnu.org
Date: Mon, 23 Nov 2020 03:32:08 +0100
Message-ID: <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@gmail.com>
In-Reply-To: <878sat3rnn.fsf@dustycloud.org>
List: bug-guix@gnu.org (Bug reports for GNU Guix)

On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> Okay, I just realized I left a friend vulnerable by guiding them through
> a Guix graphical install and telling them it would give them a decent
> setup.
> They turned on openssh support.
>
> Then I realized their config had password-authentication? on.
>
> That's unacceptable. We need to change this default. This is known to
> leave users open to attack, and selecting a password secure enough
> against brute forcing is fairly difficult, much more difficult than only
> allowing entry by keys. Plus, few distributions do what we're doing
> anymore, precisely because of wanting to be secure by default.
>
> Yes, I know some people want password authentication on as part of a
> bootstrapping process. Fine... those users know to put it on. Let's
> not leave our users open to attack by default though.
>
> Happy to produce a patch and change the documentation, but I'd like to
> hear that we have consensus to make this change. But we should, because
> otherwise I think we're going to hurt users.

I think most ideal would be if the user is asked the following two
questions, with a short explanation of what each means:

- Allow root login via SSH?
- Allow password authentication in SSH?

(I think Debian does this.)

Because as you say, on one hand password authentication in SSH can be a
security risk. But on the other hand many machines never have their SSH
port exposed to the Internet, and the intranet is assumed to be safe. In
those cases it would be an annoyance to have to enable it manually.

Both points apply to direct root login as well I think.

Allowing password authentication but disabling root login might also be
considered safe enough on machines exposed to the Internet, because the
attacker needs to guess the username as well. That only presents a small
increase in complexity for the attacker though.

- Taylan
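For readers who want to close the gap the thread describes on their own machine, here is an added example of a Guix System configuration that sets both settings under discussion explicitly instead of relying on the default. It is not code from the thread, the bug report or the Guix project; the host name, locale, boot device, file-system label, user name and the `alice.pub` key file are placeholder assumptions to be replaced with the real machine's values. The `openssh-service-type`, `openssh-configuration` and its `password-authentication?`, `permit-root-login` and `authorized-keys` fields are the real Guix API from `(gnu services ssh)`.

```scheme
;; config.scm: Guix System with key-only SSH and no direct root login.
;; Added example; host name, devices, users and key file are placeholders.
(use-modules (gnu))
(use-service-modules ssh)

(operating-system
  (host-name "example")            ; placeholder
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Placeholder boot and storage layout; adapt to the real machine.
  ;; Releases before 2021 spelled the field `target` (a single string).
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets (list "/dev/sda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; One unprivileged administrator; root itself is never reachable over SSH.
  (users (cons (user-account
                 (name "alice")     ; placeholder
                 (group "users")
                 (supplementary-groups '("wheel")))
               %base-user-accounts))

  (services
    (cons (service openssh-service-type
                   (openssh-configuration
                     ;; The weak setting the thread complains about is the
                     ;; 2020 default, equivalent to writing
                     ;;   (password-authentication? #t)
                     ;; Stating #f explicitly keeps the intent even if the
                     ;; project's default changes under you.
                     (password-authentication? #f)
                     ;; Renders as "PermitRootLogin no" in sshd_config.
                     (permit-root-login #f)
                     ;; Key-only login for alice. alice.pub is assumed to sit
                     ;; next to config.scm; local-file copies it into the
                     ;; store, so the key is part of the system generation.
                     (authorized-keys
                       `(("alice" ,(local-file "alice.pub"))))))
          %base-services)))
```

After `guix system reconfigure config.scm`, do not trust the declaration alone: look at the command line of the running `sshd` process for its `-f /gnu/store/...-sshd_config` argument and confirm that file contains `PasswordAuthentication no` and `PermitRootLogin no`. Keep `password-authentication? #t` only for a bootstrapping window on a host that is not reachable from the Internet, and switch it back once the authorized key is in place.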