Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
From: Christopher Lemmer Webber
To: Leo Famulari
Cc: Maxim Cournoyer, 44808@debbugs.gnu.org
Date: Mon, 07 Dec 2020 16:38:37 -0500
Message-ID: <87eek1fg9u.fsf@dustycloud.org>
References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au> <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com> <87eek45lpg.fsf@gnu.org> <87k0twkt9c.fsf@dustycloud.org>

Leo Famulari writes:

> On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
>> > 2. Change the default value of the relevant field in .
>> >
>> > #2 is more thorough but also more risky: people could find themselves
>> > locked out of their server after reconfiguration, though this could be
>> > mitigated by a news entry.
>
> I do think we should avoid changing the default. I know that passphrases
> are inherently riskier than keys — compromise is more likely than with a
> key, but I think it's even more likely that people will lose access to
> their servers if we change this default.
>
> How bad is the risk, from a practical perspective? How many times per
> second can a remote attacker attempt passphrase authentication? If the
> number is high, we could petition OpenSSH to introduce a delay.

Some servers try to protect against such systems with something such as
fail2ban. It can help a little, but origin-oriented systems have serious
problems. A simple example is that a botnet can be used to try logging in
from many origins. But origin-oriented designs also don't hold up in
general as one tends to move towards things like p2p systems... consider,
if exposing ssh over a tor onion service, just how easy it is to generate
lots of onion addresses.

Consider the following though: most users have fairly weak passwords.
Sad, but true... but in the case where that password is only affected by
someone trying to gain login from physical access, it also only affects
physical access brute forcing with the computer on. A weak password
doesn't hold up as well when any server anywhere can start hammering on
it. Looking at my auth logs, such hammering is super common... most of
the servers I've dealt with tend to have logs filled with bots trying to
get in all the time, and that's in an untargeted case. A targeted case
is worse.

Maybe it's not a good idea to change the default, but yes, the problem is
serious.
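The point about origin-oriented defences, as an added illustration that is not part of the thread: the script below runs a fail2ban-style per-origin threshold and an account-centric count over constructed sshd log lines (the sample lines and the threshold value are assumptions, modelled on OpenSSH's "Failed password" format). A single noisy origin trips the per-IP ban, while twenty sources each trying root twice stay under it despite putting far more pressure on that account.

```python
import re
from collections import Counter

# OpenSSH "Failed password" line; the optional group covers unknown accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def _constructed_log():
    """Constructed sample lines (not real logs): one noisy origin against
    'admin', plus twenty distinct origins each trying 'root' twice."""
    lines = []
    for i in range(6):
        lines.append(f"Dec  7 16:30:{i:02d} host sshd[1201]: Failed password for "
                     f"invalid user admin from 198.51.100.7 port {41000 + i} ssh2")
    for i in range(20):
        for j in range(2):
            lines.append(f"Dec  7 16:31:{i:02d} host sshd[{1300 + i}]: Failed password "
                         f"for root from 203.0.113.{10 + i} port {50000 + j} ssh2")
    lines.append("Dec  7 16:32:00 host sshd[1400]: Accepted publickey for alice "
                 "from 192.0.2.5 port 2222 ssh2")
    return lines

SAMPLE_LOG = _constructed_log()

def parse_failures(lines):
    """Return (user, ip) for every failed password attempt in the log."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out

def origin_bans(failures, maxretry=5):
    """fail2ban-style view: origins whose failure count reaches maxretry."""
    per_ip = Counter(ip for _, ip in failures)
    return {ip for ip, n in per_ip.items() if n >= maxretry}

def account_pressure(failures):
    """Account-centric view: (total attempts, distinct origins) per user."""
    attempts, sources = Counter(), {}
    for user, ip in failures:
        attempts[user] += 1
        sources.setdefault(user, set()).add(ip)
    return {u: (attempts[u], len(sources[u])) for u in attempts}

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("banned origins:", origin_bans(f))
    print("per-account pressure:", account_pressure(f))
```

The account-centric view is what surfaces the distributed case; it is a detection signal, not a replacement for disabling password authentication.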