unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#44808: Default to allowing password authentication on leaves users vulnerable
@ 2020-11-22 23:20 Christopher Lemmer Webber
  2020-11-23  2:32 ` Taylan Kammer
                   ` (2 more replies)
  0 siblings, 3 replies; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-11-22 23:20 UTC (permalink / raw)
  To: 44808

Okay, I just realized I left a friend vulnerable by guiding them through
a Guix graphical install and telling them it would give them a decent
setup.  They turned on openssh support.

Then I realized their config had password-authentication? on.

That's unacceptable.  We need to change this default.  This is known to
leave users open to attack, and selecting a password secure enough
against brute forcing is fairly difficult, much more difficult than only
allowing entry by keys.  Plus, few distributions do what we're doing
anymore, precisely because of wanting to be secure by default.

Yes, I know some people want password authentication on as part of a
bootstrapping process.  Fine... those users know to put it on.  Let's
not leave our users open to attack by default though.

Happy to produce a patch and change the documentation, but I'd like to
hear that we have consensus to make this change.  But we should, because
otherwise else I think we're going to hurt users.

 - Chris




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-22 23:20 bug#44808: Default to allowing password authentication on leaves users vulnerable Christopher Lemmer Webber
@ 2020-11-23  2:32 ` Taylan Kammer
  2020-11-23  3:46   ` raingloom
  2020-11-23  3:57 ` Carlo Zancanaro
  2021-02-11  7:46 ` raid5atemyhomework via Bug reports for GNU Guix
  2 siblings, 1 reply; 24+ messages in thread
From: Taylan Kammer @ 2020-11-23  2:32 UTC (permalink / raw)
  To: Christopher Lemmer Webber, 44808

On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> Okay, I just realized I left a friend vulnerable by guiding them through
> a Guix graphical install and telling them it would give them a decent
> setup.  They turned on openssh support.
> 
> Then I realized their config had password-authentication? on.
> 
> That's unacceptable.  We need to change this default.  This is known to
> leave users open to attack, and selecting a password secure enough
> against brute forcing is fairly difficult, much more difficult than only
> allowing entry by keys.  Plus, few distributions do what we're doing
> anymore, precisely because of wanting to be secure by default.
> 
> Yes, I know some people want password authentication on as part of a
> bootstrapping process.  Fine... those users know to put it on.  Let's
> not leave our users open to attack by default though.
> 
> Happy to produce a patch and change the documentation, but I'd like to
> hear that we have consensus to make this change.  But we should, because
> otherwise else I think we're going to hurt users.

I think most ideal would be if the user is asked the following two 
questions, with a short explanation of what each means:

- Allow root login via SSH?

- Allow password authentication in SSH?

(I think Debian does this.)

Because as you say, on one hand password authentication in SSH can be a 
security risk.  But on the other hand many machines never have their SSH 
port exposed to the Internet, and the intranet is assumed to be safe. 
In those cases it would be an annoyance to have to enable it manually.

Both points apply to direct root login as well I think.

Allowing password authentication but disabling root login might also be 
considered safe enough on machines exposed to the Internet, because the 
attacker needs to guess the username as well.  Only presents a small 
increase in complexity for the attacker though.


- Taylan




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-23  2:32 ` Taylan Kammer
@ 2020-11-23  3:46   ` raingloom
  2020-11-23 16:15     ` Christopher Lemmer Webber
  0 siblings, 1 reply; 24+ messages in thread
From: raingloom @ 2020-11-23  3:46 UTC (permalink / raw)
  To: 44808

On Mon, 23 Nov 2020 03:32:08 +0100
Taylan Kammer <taylan.kammer@gmail.com> wrote:

> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> > Okay, I just realized I left a friend vulnerable by guiding them
> > through a Guix graphical install and telling them it would give
> > them a decent setup.  They turned on openssh support.
> > 
> > Then I realized their config had password-authentication? on.
> > 
> > That's unacceptable.  We need to change this default.  This is
> > known to leave users open to attack, and selecting a password
> > secure enough against brute forcing is fairly difficult, much more
> > difficult than only allowing entry by keys.  Plus, few
> > distributions do what we're doing anymore, precisely because of
> > wanting to be secure by default.
> > 
> > Yes, I know some people want password authentication on as part of a
> > bootstrapping process.  Fine... those users know to put it on.
> > Let's not leave our users open to attack by default though.
> > 
> > Happy to produce a patch and change the documentation, but I'd like
> > to hear that we have consensus to make this change.  But we should,
> > because otherwise else I think we're going to hurt users.  
> 
> I think most ideal would be if the user is asked the following two 
> questions, with a short explanation of what each means:
> 
> - Allow root login via SSH?
> 
> - Allow password authentication in SSH?
> 
> (I think Debian does this.)
> 
> Because as you say, on one hand password authentication in SSH can be
> a security risk.  But on the other hand many machines never have
> their SSH port exposed to the Internet, and the intranet is assumed
> to be safe. In those cases it would be an annoyance to have to enable
> it manually.
> 
> Both points apply to direct root login as well I think.
> 
> Allowing password authentication but disabling root login might also
> be considered safe enough on machines exposed to the Internet,
> because the attacker needs to guess the username as well.  Only
> presents a small increase in complexity for the attacker though.
> 
> 
> - Taylan
> 
> 
> 

Most people won't know why allowing password authentication is
unsecure. Either it should be worded differently, have a warning, or
not be an option.

Same goes doubly so for allowing root login.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-22 23:20 bug#44808: Default to allowing password authentication on leaves users vulnerable Christopher Lemmer Webber
  2020-11-23  2:32 ` Taylan Kammer
@ 2020-11-23  3:57 ` Carlo Zancanaro
  2020-11-23 16:17   ` Christopher Lemmer Webber
  2021-02-11  7:46 ` raid5atemyhomework via Bug reports for GNU Guix
  2 siblings, 1 reply; 24+ messages in thread
From: Carlo Zancanaro @ 2020-11-23  3:57 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: 44808

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.

Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on debian.

I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.

Carlo




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-23  3:46   ` raingloom
@ 2020-11-23 16:15     ` Christopher Lemmer Webber
  0 siblings, 0 replies; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-11-23 16:15 UTC (permalink / raw)
  To: raingloom; +Cc: 44808

raingloom writes:

> On Mon, 23 Nov 2020 03:32:08 +0100
> Taylan Kammer <taylan.kammer@gmail.com> wrote:
>
>> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
>> > Okay, I just realized I left a friend vulnerable by guiding them
>> > through a Guix graphical install and telling them it would give
>> > them a decent setup.  They turned on openssh support.
>> > 
>> > Then I realized their config had password-authentication? on.
>> > 
>> > That's unacceptable.  We need to change this default.  This is
>> > known to leave users open to attack, and selecting a password
>> > secure enough against brute forcing is fairly difficult, much more
>> > difficult than only allowing entry by keys.  Plus, few
>> > distributions do what we're doing anymore, precisely because of
>> > wanting to be secure by default.
>> > 
>> > Yes, I know some people want password authentication on as part of a
>> > bootstrapping process.  Fine... those users know to put it on.
>> > Let's not leave our users open to attack by default though.
>> > 
>> > Happy to produce a patch and change the documentation, but I'd like
>> > to hear that we have consensus to make this change.  But we should,
>> > because otherwise else I think we're going to hurt users.  
>> 
>> I think most ideal would be if the user is asked the following two 
>> questions, with a short explanation of what each means:
>> 
>> - Allow root login via SSH?
>> 
>> - Allow password authentication in SSH?
>> 
>> (I think Debian does this.)
>> 
>> Because as you say, on one hand password authentication in SSH can be
>> a security risk.  But on the other hand many machines never have
>> their SSH port exposed to the Internet, and the intranet is assumed
>> to be safe. In those cases it would be an annoyance to have to enable
>> it manually.
>> 
>> Both points apply to direct root login as well I think.
>> 
>> Allowing password authentication but disabling root login might also
>> be considered safe enough on machines exposed to the Internet,
>> because the attacker needs to guess the username as well.  Only
>> presents a small increase in complexity for the attacker though.
>> 
>> 
>> - Taylan
>> 
>> 
>> 
>
> Most people won't know why allowing password authentication is
> unsecure. Either it should be worded differently, have a warning, or
> not be an option.
>
> Same goes doubly so for allowing root login.

Agreed on both counts.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-23  3:57 ` Carlo Zancanaro
@ 2020-11-23 16:17   ` Christopher Lemmer Webber
  2020-11-30  3:58     ` Maxim Cournoyer
  0 siblings, 1 reply; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-11-23 16:17 UTC (permalink / raw)
  To: Carlo Zancanaro; +Cc: 44808

Carlo Zancanaro writes:

> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.

Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default.  But I could be
wrong.

> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an 
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.

That's fair... I think that
"[ ] Password authentication? (insecure)"
would be sufficient as an option.  How do others feel?




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-23 16:17   ` Christopher Lemmer Webber
@ 2020-11-30  3:58     ` Maxim Cournoyer
  2020-12-05 15:14       ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Maxim Cournoyer @ 2020-11-30  3:58 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: 44808

Hello,

Christopher Lemmer Webber <cwebber@dustycloud.org> writes:

> Carlo Zancanaro writes:
>
>> Hey Chris!
>>
>> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>>> ... Plus, few distributions do what we're doing anymore, precisely
>>> because of wanting to be secure by default.
>>
>> Is this true? Debian defaults to passwords being allowed. I think it
>> even allows root login by default. At least, I have always had to add
>> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
>> install openssh-server on debian.
>
> Perhaps I'm wrong... I had thought that the last time I installed a
> Debian server, password based access was off by default.  But I could be
> wrong.

I just tried with a Debian Buster VM; password access is enabled out of
the box.

>> I'm on board with what you're proposing, and I think Guix should
>> default to the more secure option, but I'm not sure that an 
>> "average user" (whatever that means for Guix's demographic) would
>> expect that password authentication is disabled by default.
>
> That's fair... I think that
> "[ ] Password authentication? (insecure)"
> would be sufficient as an option.  How do others feel?

I'm +1 on disabling password access out of the box; especially since
Guix System makes it easy to authorize SSH keys at installation time.
We'd have to see if it breaks any of our system tests, but I doubt so.

Patch welcome!

Maxim




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-30  3:58     ` Maxim Cournoyer
@ 2020-12-05 15:14       ` Ludovic Courtès
  2020-12-05 18:22         ` Christopher Lemmer Webber
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2020-12-05 15:14 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 44808

Hi!

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>>> I'm on board with what you're proposing, and I think Guix should
>>> default to the more secure option, but I'm not sure that an 
>>> "average user" (whatever that means for Guix's demographic) would
>>> expect that password authentication is disabled by default.
>>
>> That's fair... I think that
>> "[ ] Password authentication? (insecure)"
>> would be sufficient as an option.  How do others feel?
>
> I'm +1 on disabling password access out of the box; especially since
> Guix System makes it easy to authorize SSH keys at installation time.
> We'd have to see if it breaks any of our system tests, but I doubt so.

Agreed.  There are several ways to do that:

  1. Have the installer emit an ‘openssh-configuration’ that explicitly
     disables password authentication.

  2. Change the default value of the relevant field in
     <openssh-configuration>.

#2 is more thorough but also more risky: people could find themselves
locked out of their server after reconfiguration, though this could be
mitigated by a news entry.

Thoughts?

Ludo’.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-05 15:14       ` Ludovic Courtès
@ 2020-12-05 18:22         ` Christopher Lemmer Webber
  2020-12-07 11:51           ` Ludovic Courtès
  2020-12-07 19:40           ` Leo Famulari
  0 siblings, 2 replies; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-12-05 18:22 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Maxim Cournoyer, 44808

Ludovic Courtès writes:

> Hi!
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>>>> I'm on board with what you're proposing, and I think Guix should
>>>> default to the more secure option, but I'm not sure that an 
>>>> "average user" (whatever that means for Guix's demographic) would
>>>> expect that password authentication is disabled by default.
>>>
>>> That's fair... I think that
>>> "[ ] Password authentication? (insecure)"
>>> would be sufficient as an option.  How do others feel?
>>
>> I'm +1 on disabling password access out of the box; especially since
>> Guix System makes it easy to authorize SSH keys at installation time.
>> We'd have to see if it breaks any of our system tests, but I doubt so.
>
> Agreed.  There are several ways to do that:
>
>   1. Have the installer emit an ‘openssh-configuration’ that explicitly
>      disables password authentication.
>
>   2. Change the default value of the relevant field in
>      <openssh-configuration>.
>
> #2 is more thorough but also more risky: people could find themselves
> locked out of their server after reconfiguration, though this could be
> mitigated by a news entry.
>
> Thoughts?
>
> Ludo’.

We could also do a combination of the above, as a transitional plan:
do #1 for now, but try to advertise that in the future, the default will
be changing... please explicitly set password access to #t if you need
this!  Then in the *following* release, change the default.

This seems like a reasonable transition plan, kind of akin to a
deprecation process?





^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-05 18:22         ` Christopher Lemmer Webber
@ 2020-12-07 11:51           ` Ludovic Courtès
  2020-12-07 12:56             ` Dr. Arne Babenhauserheide
  2020-12-07 19:40           ` Leo Famulari
  1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2020-12-07 11:51 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: Maxim Cournoyer, 44808

Hi Chris,

Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:

> Ludovic Courtès writes:

[...]

>> Agreed.  There are several ways to do that:
>>
>>   1. Have the installer emit an ‘openssh-configuration’ that explicitly
>>      disables password authentication.
>>
>>   2. Change the default value of the relevant field in
>>      <openssh-configuration>.
>>
>> #2 is more thorough but also more risky: people could find themselves
>> locked out of their server after reconfiguration, though this could be
>> mitigated by a news entry.
>>
>> Thoughts?
>>
>> Ludo’.
>
> We could also do a combination of the above, as a transitional plan:
> do #1 for now, but try to advertise that in the future, the default will
> be changing... please explicitly set password access to #t if you need
> this!  Then in the *following* release, change the default.
>
> This seems like a reasonable transition plan, kind of akin to a
> deprecation process?

Sounds like a plan.  I went ahead and pushed
aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138 which does this.

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 11:51           ` Ludovic Courtès
@ 2020-12-07 12:56             ` Dr. Arne Babenhauserheide
  2020-12-07 16:48               ` Christopher Lemmer Webber
  0 siblings, 1 reply; 24+ messages in thread
From: Dr. Arne Babenhauserheide @ 2020-12-07 12:56 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: maxim.cournoyer, 44808

[-- Attachment #1: Type: text/plain, Size: 1972 bytes --]


Ludovic Courtès <ludo@gnu.org> writes:

>>> #2 is more thorough but also more risky: people could find themselves
>>> locked out of their server after reconfiguration, though this could be
>>> mitigated by a news entry.
>>>
>>> Thoughts?

My thoughts are that there is no mitigation for being locked out of a
pre-existing server. Keep in mind that that server might not actually be
accessible in any other way — it might be with a cheap hoster whose
support is practically non-existent, or it might be in a sealed
measurement container that can only be accessed via SSH without
disassembly.

>> We could also do a combination of the above, as a transitional plan:
>> do #1 for now, but try to advertise that in the future, the default will
>> be changing... please explicitly set password access to #t if you need
>> this!  Then in the *following* release, change the default.

This sounds like trying to retroactively fixing a problem at the wrong
place: If the installer creates a configuration which prevents
password-authentication, there is no problem for new systems and new
users who need password-authentication will explicitly see in the
config, that they have to change it, otherwise it won’t work. All the
while old systems will keep working.

I do need to access my system via password+ssh from time to time,
because I don’t want to have a key that can access my system on a
presentation-laptop that (due to being moved regularly) is much less
secure than the fixed system. If someone gets access to the laptop and
compromises my keys, they can run much more efficient attacks against
its ssh-keys' password than the attacks people can use to attack ssh via
internet.

Changing a default (an invisible setting) in a way that prevents access
is a serious disruption.

In short: please don’t break running systems on update.

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein
ohne es zu merken

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 12:56             ` Dr. Arne Babenhauserheide
@ 2020-12-07 16:48               ` Christopher Lemmer Webber
  2020-12-07 19:53                 ` Dr. Arne Babenhauserheide
  0 siblings, 1 reply; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-12-07 16:48 UTC (permalink / raw)
  To: Dr. Arne Babenhauserheide; +Cc: maxim.cournoyer, 44808

Dr. Arne Babenhauserheide writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>>>> #2 is more thorough but also more risky: people could find themselves
>>>> locked out of their server after reconfiguration, though this could be
>>>> mitigated by a news entry.
>>>>
>>>> Thoughts?
>
> My thoughts are that there is no mitigation for being locked out of a
> pre-existing server. Keep in mind that that server might not actually be
> accessible in any other way — it might be with a cheap hoster whose
> support is practically non-existent, or it might be in a sealed
> measurement container that can only be accessed via SSH without
> disassembly.
>
>>> We could also do a combination of the above, as a transitional plan:
>>> do #1 for now, but try to advertise that in the future, the default will
>>> be changing... please explicitly set password access to #t if you need
>>> this!  Then in the *following* release, change the default.
>
> This sounds like trying to retroactively fixing a problem at the wrong
> place: If the installer creates a configuration which prevents
> password-authentication, there is no problem for new systems and new
> users who need password-authentication will explicitly see in the
> config, that they have to change it, otherwise it won’t work. All the
> while old systems will keep working.
>
> I do need to access my system via password+ssh from time to time,
> because I don’t want to have a key that can access my system on a
> presentation-laptop that (due to being moved regularly) is much less
> secure than the fixed system. If someone gets access to the laptop and
> compromises my keys, they can run much more efficient attacks against
> its ssh-keys' password than the attacks people can use to attack ssh via
> internet.
>
> Changing a default (an invisible setting) in a way that prevents access
> is a serious disruption.
>
> In short: please don’t break running systems on update.
>
> Best wishes,
> Arne

It's a serious concern.  We are left in a tough bind: leave users with
an insecure default but try to inform them as much as we can of a
changing default, or possibly lock them out if they don't notice.

Still, now feels like to me the ideal time to do it.  The number of
people running GuixSD on servers is comparatively small.  I expect that
to change.  It would be better to make this change sooner than later.

I understand your concern though...




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-05 18:22         ` Christopher Lemmer Webber
  2020-12-07 11:51           ` Ludovic Courtès
@ 2020-12-07 19:40           ` Leo Famulari
  2020-12-07 21:38             ` Christopher Lemmer Webber
  1 sibling, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2020-12-07 19:40 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: Maxim Cournoyer, 44808

On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
> >   2. Change the default value of the relevant field in
> >      <openssh-configuration>.
> >
> > #2 is more thorough but also more risky: people could find themselves
> > locked out of their server after reconfiguration, though this could be
> > mitigated by a news entry.

I do think we should avoid changing the default. I know that passphrases
are inherently riskier than keys — compromise is more likely than with a
key, but I think it's even more likely that people will lose access to
their servers if we change this default.

How bad is the risk, from a practical perspective? How many times per
second can a remote attacker attempt passphrase authentication? If the
number is high, we could petition OpenSSH to introduce a delay.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 16:48               ` Christopher Lemmer Webber
@ 2020-12-07 19:53                 ` Dr. Arne Babenhauserheide
  2020-12-07 22:57                   ` Mark H Weaver
  0 siblings, 1 reply; 24+ messages in thread
From: Dr. Arne Babenhauserheide @ 2020-12-07 19:53 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: maxim.cournoyer, 44808

[-- Attachment #1: Type: text/plain, Size: 3009 bytes --]


Christopher Lemmer Webber <cwebber@dustycloud.org> writes:

> Dr. Arne Babenhauserheide writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>>>> #2 is more thorough but also more risky: people could find themselves
>>>>> locked out of their server after reconfiguration, though this could be
>>>>> mitigated by a news entry.
>>>>>
>>>>> Thoughts?
>>
>> My thoughts are that there is no mitigation for being locked out of a
>> pre-existing server. Keep in mind that that server might not actually be
>> accessible in any other way — it might be with a cheap hoster whose
>> support is practically non-existent, or it might be in a sealed
>> measurement container that can only be accessed via SSH without
>> disassembly.
>>
>>>> We could also do a combination of the above, as a transitional plan:
>>>> do #1 for now, but try to advertise that in the future, the default will
>>>> be changing... please explicitly set password access to #t if you need
>>>> this!  Then in the *following* release, change the default.
>>
>> This sounds like trying to retroactively fixing a problem at the wrong
>> place: If the installer creates a configuration which prevents
>> password-authentication, there is no problem for new systems and new
>> users who need password-authentication will explicitly see in the
>> config, that they have to change it, otherwise it won’t work. All the
>> while old systems will keep working.
>>
>> I do need to access my system via password+ssh from time to time,
>> because I don’t want to have a key that can access my system on a
>> presentation-laptop that (due to being moved regularly) is much less
>> secure than the fixed system. If someone gets access to the laptop and
>> compromises my keys, they can run much more efficient attacks against
>> its ssh-keys' password than the attacks people can use to attack ssh via
>> internet.
>>
>> Changing a default (an invisible setting) in a way that prevents access
>> is a serious disruption.
>>
>> In short: please don’t break running systems on update.
>>
>> Best wishes,
>> Arne
>
> It's a serious concern.  We are left in a tough bind: leave users with
> an insecure default but try to inform them as much as we can of a
> changing default, or possibly lock them out if they don't notice.
>
> Still, now feels like to me the ideal time to do it.  The number of
> people running GuixSD on servers is comparatively small.  I expect that
> to change.  It would be better to make this change sooner than later.

If the installer and the configuration examples are changed now, then
the number of people who unknowingly run Guix on an insecure
configuration should not rise.

To nudge them to secure their system, guix system reconfigure could emit
a warning that this is a potential security risk that requires setting
an explicit value (password yes or no) to silence.

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein
ohne es zu merken

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 19:40           ` Leo Famulari
@ 2020-12-07 21:38             ` Christopher Lemmer Webber
  0 siblings, 0 replies; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-12-07 21:38 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Maxim Cournoyer, 44808

Leo Famulari writes:

> On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
>> >   2. Change the default value of the relevant field in
>> >      <openssh-configuration>.
>> >
>> > #2 is more thorough but also more risky: people could find themselves
>> > locked out of their server after reconfiguration, though this could be
>> > mitigated by a news entry.
>
> I do think we should avoid changing the default. I know that passphrases
> are inherently riskier than keys — compromise is more likely than with a
> key, but I think it's even more likely that people will lose access to
> their servers if we change this default.
>
> How bad is the risk, from a practical perspective? How many times per
> second can a remote attacker attempt passphrase authentication? If the
> number is high, we could petition OpenSSH to introduce a delay.

Some servers try to protect against such systems with something such as
fail2ban.  It can help a little, but origin-oriented systems have
serious problems.  A simple example is that a botnet can be used to try
logging in from many origins.  But origin-oriented designs also don't
hold up in general as one tends to move towards things like p2p
systems... consider if exposing ssh over a tor onion service just how
easy it is to generate lots of onion addresses.

Consider the following though: most users have fairly weak passwords.
Sad, but true... but in the case where that password only is affected by
someone trying to gain login from physical access, it also only affects
physical access brute forcing with the computer on.

A weak password doesn't hold up as well when any server anywhere can
start hammering on it.

Looking at my auth logs, such hammering is super common... most of the
servers I've dealt with tend to have logs filled with bots trying to get
in all the time, and that's in an untargeted case.  A targeted case is
worse.

Maybe it's not a good idea to change the default, but yes, the problem
is serious.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 19:53                 ` Dr. Arne Babenhauserheide
@ 2020-12-07 22:57                   ` Mark H Weaver
  2020-12-08 10:36                     ` Ludovic Courtès
  2020-12-08 13:48                     ` Christopher Lemmer Webber
  0 siblings, 2 replies; 24+ messages in thread
From: Mark H Weaver @ 2020-12-07 22:57 UTC (permalink / raw)
  To: Dr. Arne Babenhauserheide, Christopher Lemmer Webber
  Cc: maxim.cournoyer, 44808

Hi,

"Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:
> To nudge them to secure their system, guix system reconfigure could emit
> a warning that this is a potential security risk that requires setting
> an explicit value (password yes or no) to silence.

I think this is a good idea.  Likewise, in the Guix installer, I would
favor asking the user whether or not to enable password authentication,
after warning them that it is a security risk.

I agree with Chris that password authentication is a significant
security risk, but I also worry that if we simply disable it, it will
catch some users by surprise and they may be quite unhappy about it.

     Regards,
       Mark




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 22:57                   ` Mark H Weaver
@ 2020-12-08 10:36                     ` Ludovic Courtès
  2020-12-09  1:31                       ` Mark H Weaver
  2020-12-08 13:48                     ` Christopher Lemmer Webber
  1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2020-12-08 10:36 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: maxim.cournoyer, 44808

Hi,

Mark H Weaver <mhw@netris.org> skribis:

> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:
>> To nudge them to secure their system, guix system reconfigure could emit
>> a warning that this is a potential security risk that requires setting
>> an explicit value (password yes or no) to silence.
>
> I think this is a good idea.  Likewise, in the Guix installer, I would
> favor asking the user whether or not to enable password authentication,
> after warning them that it is a security risk.
>
> I agree with Chris that password authentication is a significant
> security risk, but I also worry that if we simply disable it, it will
> catch some users by surprise and they may be quite unhappy about it.

What do you think of the approach in
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?

The default is unchanged but the warning could be kept say until the
next release, at which point we’d change the default.

Or are you suggesting keeping the default unchanged?

Ludo’.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-07 22:57                   ` Mark H Weaver
  2020-12-08 10:36                     ` Ludovic Courtès
@ 2020-12-08 13:48                     ` Christopher Lemmer Webber
  1 sibling, 0 replies; 24+ messages in thread
From: Christopher Lemmer Webber @ 2020-12-08 13:48 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: maxim.cournoyer, 44808

Mark H Weaver writes:

> Hi,
>
> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:
>> To nudge them to secure their system, guix system reconfigure could emit
>> a warning that this is a potential security risk that requires setting
>> an explicit value (password yes or no) to silence.
>
> I think this is a good idea.  Likewise, in the Guix installer, I would
> favor asking the user whether or not to enable password authentication,
> after warning them that it is a security risk.
>
> I agree with Chris that password authentication is a significant
> security risk, but I also worry that if we simply disable it, it will
> catch some users by surprise and they may be quite unhappy about it.
>
>      Regards,
>        Mark

It's clear that quite a few people are unhappy with switching the
default, fearing lockout.  I'm fine with making the above compromise
given all that, personally.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-08 10:36                     ` Ludovic Courtès
@ 2020-12-09  1:31                       ` Mark H Weaver
  2020-12-10  8:17                         ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Mark H Weaver @ 2020-12-09  1:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: maxim.cournoyer, 44808

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Mark H Weaver <mhw@netris.org> skribis:
>
>> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:
>>> To nudge them to secure their system, guix system reconfigure could emit
>>> a warning that this is a potential security risk that requires setting
>>> an explicit value (password yes or no) to silence.
>>
>> I think this is a good idea.  Likewise, in the Guix installer, I would
>> favor asking the user whether or not to enable password authentication,
>> after warning them that it is a security risk.
>>
>> I agree with Chris that password authentication is a significant
>> security risk, but I also worry that if we simply disable it, it will
>> catch some users by surprise and they may be quite unhappy about it.
>
> What do you think of the approach in
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?

One problem, which I just discovered, is that it warns users even if
they don't have an 'openssh-service' in their system configuration.
(For that reason, I just reverted this commit on my private branch).

> The default is unchanged but the warning could be kept say until the
> next release, at which point we’d change the default.
>
> Or are you suggesting keeping the default unchanged?

I don't feel strongly about what the default setting should be, as long
as we ensure that users are somehow made aware of the change before it
happens, and are given the opportunity (and preferably easy instructions
on how) to keep password authentication enabled if they wish.

I also think that the installer should explicitly ask the user what the
setting should be, so that we do not catch new users off guard who
expected to be able to ssh in to their newly-installed systems using
only a password.

If the plan is to change the default setting and issue warnings in the
meantime, it should be easy to silence those warnings, especially for
those of us who don't even use openssh-service :)

What do you think?

      Regards,
        Mark




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-09  1:31                       ` Mark H Weaver
@ 2020-12-10  8:17                         ` Ludovic Courtès
  2020-12-11  1:43                           ` Mark H Weaver
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2020-12-10  8:17 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: maxim.cournoyer, 44808

Hi Mark,

Mark H Weaver <mhw@netris.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> What do you think of the approach in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>
> One problem, which I just discovered, is that it warns users even if
> they don't have an 'openssh-service' in their system configuration.

Could it be that you have a childhurd or some other service that uses
‘openssh-service-type’?  What source code location is associated with
that warning?

>> The default is unchanged but the warning could be kept say until the
>> next release, at which point we’d change the default.
>>
>> Or are you suggesting keeping the default unchanged?
>
> I don't feel strongly about what the default setting should be, as long
> as we ensure that users are somehow made aware of the change before it
> happens, and are given the opportunity (and preferably easy instructions
> on how) to keep password authentication enabled if they wish.
>
> I also think that the installer should explicitly ask the user what the
> setting should be, so that we do not catch new users off guard who
> expected to be able to ssh in to their newly-installed systems using
> only a password.

Yeah, we can do that; it’s a bit of extra complexity in the installer,
but perhaps that’ll be useful to configure other services as well.

> If the plan is to change the default setting and issue warnings in the
> meantime, it should be easy to silence those warnings, especially for
> those of us who don't even use openssh-service :)

Agreed.  :-)  Normally, if you explicitly set the field, the warning
disappears.

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-10  8:17                         ` Ludovic Courtès
@ 2020-12-11  1:43                           ` Mark H Weaver
  2020-12-11 18:10                             ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Mark H Weaver @ 2020-12-11  1:43 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: maxim.cournoyer, 44808

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Mark H Weaver <mhw@netris.org> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
>>> What do you think of the approach in
>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?

I highly doubt it.  In any case, there's certainly no ssh daemon
running.  See below for my system configuration.

> What source code location is associated with that warning?

gnu/services/ssh.scm:570:31, here:

  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570

Here's what I see when I build a system:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'
field of 'openssh-configuration' will change from #true to #false in the
future.  Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---

Could it be related to the fact that I always run Guix via
./pre-inst-env from a git checkout?

If this problem only affect me, due to the unusual way in which I use
Guix, feel free to disregard this issue.  It's easy enough for me add
one more to my collection of reverted patches on my private branch :)

     Thanks,
       Mark


--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware xdisorg libusb suckless ratpoison wm vpn)

(operating-system
  (host-name "jojen")
  (timezone "right/US/Eastern")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
	       (bootloader grub-bootloader)
	       (target "/dev/sda")))

  (kernel linux-libre)
  (kernel-arguments '("page_alloc.shuffle=1"))

  (firmware (list ath9k-htc-firmware))
  ;;(firmware '())

  (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
          (target "jojen-root")
          (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         ;; FIXME: reference by the file system label?
                         (device "/dev/mapper/jojen-root")
                         (mount-point "/")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       %base-file-systems))

  (users (cons* (user-account
                 (name "mhw")
                 (uid 1000)
                 (group "mhw")
                 (supplementary-groups '("wheel" "users" "netdev"
                                         "audio" "video" "dialout"))
                 (home-directory "/home/mhw"))
                %base-user-accounts))

  (groups (cons* (user-group
                  (name "mhw")
                  (id 1000))
                 %base-groups))

  (setuid-programs
   (list (file-append shadow "/bin/passwd")
         (file-append inetutils "/bin/ping")))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs         ;for HTTPS access
                   gvfs              ;for user mounts
                   cryptsetup
                   btrfs-progs
                   wpa-supplicant
                   network-manager
                   network-manager-applet
		   network-manager-openvpn
		   openvpn
		   ratpoison
		   i3-wm
		   dwm
                   (delete sudo %base-packages)))

  (services (cons* (service gnome-desktop-service-type)
		   ;;(service xfce-desktop-service-type)

                   (service gdm-service-type)
                   ;;(service slim-service-type)
                   (screen-locker-service slock)
                   ;;(screen-locker-service xlockmore "xlock")

		   ;; Add udev rules for MTP devices so that non-root
		   ;; users can access them.
                   (simple-service 'mtp udev-service-type (list libmtp))
		   ;; Add udev rules for scanners.
		   (service sane-service-type)
		   ;; Add polkit rules, so that non-root users in the
		   ;; wheel group can perform administrative tasks
		   ;; (similar to "sudo").
		   polkit-wheel-service

		   ;; NetworkManager and its dependents.
                   (service network-manager-service-type)
                   (service wpa-supplicant-service-type)
		   ;; (simple-service 'network-manager-applet
                   ;;                 profile-service-type
                   ;;                 (list network-manager-applet))
		   ;; (service modem-manager-service-type)
		   ;; (service usb-modeswitch-service-type)

		   ;; The D-Bus clique.
		   ;;(service avahi-service-type)    ; I don't trust this
                   (udisks-service)
                   (service upower-service-type)
		   ;;(accountsservice-service)
		   ;;(service cups-pk-helper-service-type)
		   (service colord-service-type)
		   ;;(geoclue-service)  ; I don't want this
                   (service polkit-service-type)
                   (elogind-service)
                   (dbus-service)

                   ;;(service ntp-service-type)   ; I don't trust this

                   (service pulseaudio-service-type)
		   (service alsa-service-type)

		   ;;;; Disabled for now
		   ;;
		   ;;(accountsservice-service)
		   ;;(service cups-pk-helper-service-type)

		   ;; TOR: The Onion Router
		   (service tor-service-type)

                   ;; Optional OpenNTPd, below
		   #;
		   (service
		    openntpd-service-type
		    (openntpd-configuration
		     (listen-on '("127.0.0.1" "::1"))
		     ;;(constraint-from '("www.gnu.org"))
		     (allow-large-adjustment? #t)))

		   x11-socket-directory-service

		   ;;;; Disabled for now
		   ;;
		   ;;(service alsa-service-type)

                   (modify-services %base-services
                     ;; I don't trust the build farm
                     (guix-service-type config =>
                                        (guix-configuration
                                          (inherit config)
                                          (use-substitutes? #f)
                                          (authorize-key?   #f)
                                          (authorized-keys '())
                                          (substitute-urls '())
                                          (extra-options '("--gc-keep-derivations=yes"
                                                           "--gc-keep-outputs=yes")))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;;(name-service-switch %mdns-host-lookup-nss)  ; disabled for now
  )
--8<---------------cut here---------------end--------------->8---




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-12-11  1:43                           ` Mark H Weaver
@ 2020-12-11 18:10                             ` Ludovic Courtès
  0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2020-12-11 18:10 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: maxim.cournoyer, 44808

Hi,

Mark H Weaver <mhw@netris.org> skribis:

> gnu/services/ssh.scm:570:31, here:
>
>   https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570
>
> Here's what I see when I build a system:
>
> mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
> gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'
> field of 'openssh-configuration' will change from #true to #false in the
> future.  Explicitly set it to #true to allow password authentication.
> /gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system

I ended up reverting it in d8051557aee9fa252b015ff67cc15681e8540777
because it affects everyone, I couldn’t think of an easy way to address
that while still getting the warning when we want it, and it seems we
may have to discuss the issue a bit more (apologies for assuming we had
reached a consensus!).

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2020-11-22 23:20 bug#44808: Default to allowing password authentication on leaves users vulnerable Christopher Lemmer Webber
  2020-11-23  2:32 ` Taylan Kammer
  2020-11-23  3:57 ` Carlo Zancanaro
@ 2021-02-11  7:46 ` raid5atemyhomework via Bug reports for GNU Guix
  2021-02-11 20:36   ` Leo Famulari
  2 siblings, 1 reply; 24+ messages in thread
From: raid5atemyhomework via Bug reports for GNU Guix @ 2021-02-11  7:46 UTC (permalink / raw)
  To: 44808@debbugs.gnu.org

Hi guix users,

It strikes me that a better course of action here would be, rather than providing a warning that might not be noticed by the user, to remove the default and force people to explicitly put `password-authentication? #t` or `password-authentication? #f`.

That way if I have set up a headless server (possibly having a temporary keyboard/mouse/monitor during initial install, then forever logging in afterwards over intranet using my super secret password "raid5isnotagooddog"), with an existing `configuration.scm` that does not explicitly give the setting, I cannot accidentally lose access to my headless server by doing a random `guix pull && sudo guix system reconfigure configuration.scm` without noticing the warning.

Especially since there exists an `unattended-upgrades-service-type` which automates this `guix pull && sudo guix system reconfigure configuration.scm`, which makes changing this default ***VERY DANGEROUS*** in this use-case.  I'd rather I noticeably error out in this case.

Then later after a year give a "sane" default, after people who have depended on the existing `password-authentication? #t` have already  explicitly put the setting in their `configuration.scm`.

Thanks
raid5atemyhomework




^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#44808: Default to allowing password authentication on leaves users vulnerable
  2021-02-11  7:46 ` raid5atemyhomework via Bug reports for GNU Guix
@ 2021-02-11 20:36   ` Leo Famulari
  0 siblings, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2021-02-11 20:36 UTC (permalink / raw)
  To: 44808

On Thu, Feb 11, 2021 at 07:46:51AM +0000, raid5atemyhomework via Bug reports for GNU Guix wrote:
> Hi guix users,
> 
> It strikes me that a better course of action here would be, rather than providing a warning that might not be noticed by the user, to remove the default and force people to explicitly put `password-authentication? #t` or `password-authentication? #f`.

I like this idea.

> 
> That way if I have set up a headless server (possibly having a temporary keyboard/mouse/monitor during initial install, then forever logging in afterwards over intranet using my super secret password "raid5isnotagooddog"), with an existing `configuration.scm` that does not explicitly give the setting, I cannot accidentally lose access to my headless server by doing a random `guix pull && sudo guix system reconfigure configuration.scm` without noticing the warning.
> 
> Especially since there exists an `unattended-upgrades-service-type` which automates this `guix pull && sudo guix system reconfigure configuration.scm`, which makes changing this default ***VERY DANGEROUS*** in this use-case.  I'd rather I noticeably error out in this case.

I agree, changing the default will cause problems, and I'm not convinced
it's a serious problem that warrants changing anyways.




^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2021-02-11 20:37 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-22 23:20 bug#44808: Default to allowing password authentication on leaves users vulnerable Christopher Lemmer Webber
2020-11-23  2:32 ` Taylan Kammer
2020-11-23  3:46   ` raingloom
2020-11-23 16:15     ` Christopher Lemmer Webber
2020-11-23  3:57 ` Carlo Zancanaro
2020-11-23 16:17   ` Christopher Lemmer Webber
2020-11-30  3:58     ` Maxim Cournoyer
2020-12-05 15:14       ` Ludovic Courtès
2020-12-05 18:22         ` Christopher Lemmer Webber
2020-12-07 11:51           ` Ludovic Courtès
2020-12-07 12:56             ` Dr. Arne Babenhauserheide
2020-12-07 16:48               ` Christopher Lemmer Webber
2020-12-07 19:53                 ` Dr. Arne Babenhauserheide
2020-12-07 22:57                   ` Mark H Weaver
2020-12-08 10:36                     ` Ludovic Courtès
2020-12-09  1:31                       ` Mark H Weaver
2020-12-10  8:17                         ` Ludovic Courtès
2020-12-11  1:43                           ` Mark H Weaver
2020-12-11 18:10                             ` Ludovic Courtès
2020-12-08 13:48                     ` Christopher Lemmer Webber
2020-12-07 19:40           ` Leo Famulari
2020-12-07 21:38             ` Christopher Lemmer Webber
2021-02-11  7:46 ` raid5atemyhomework via Bug reports for GNU Guix
2021-02-11 20:36   ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).