From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id gEotDVnQy19UTQAA0tVLHw (envelope-from ) for ; Sat, 05 Dec 2020 18:24:25 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id aBL4CFnQy1+iLgAA1q6Kng (envelope-from ) for ; Sat, 05 Dec 2020 18:24:25 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5BD489401BF for ; Sat, 5 Dec 2020 18:24:24 +0000 (UTC) Received: from localhost ([::1]:47936 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1klcEH-0002wp-Sz for larch@yhetil.org; Sat, 05 Dec 2020 13:24:21 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:39938) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1klcDy-0002vW-Hu for bug-guix@gnu.org; Sat, 05 Dec 2020 13:24:10 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:36665) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1klcDy-0000rg-A9 for bug-guix@gnu.org; Sat, 05 Dec 2020 13:24:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1klcDy-0000af-6W for bug-guix@gnu.org; Sat, 05 Dec 2020 13:24:02 -0500 X-Loop: help-debbugs@gnu.org Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable Resent-From: Christopher Lemmer Webber Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sat, 05 Dec 2020 18:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 44808 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 44808-submit@debbugs.gnu.org id=B44808.16071925822182 (code B ref 44808); Sat, 05 Dec 2020 18:24:02 +0000 Received: (at 44808) by debbugs.gnu.org; 5 Dec 2020 18:23:02 +0000 Received: from localhost ([127.0.0.1]:48211 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1klcCz-0000Yx-PR for submit@debbugs.gnu.org; Sat, 05 Dec 2020 13:23:01 -0500 Received: from dustycloud.org ([50.116.34.160]:53364) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1klcCx-0000Yk-L6 for 44808@debbugs.gnu.org; Sat, 05 Dec 2020 13:23:00 -0500 Received: from twig (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id DA02926641; Sat, 5 Dec 2020 13:22:58 -0500 (EST) References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au> <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com> <87eek45lpg.fsf@gnu.org> User-agent: mu4e 1.4.13; emacs 27.1 From: Christopher Lemmer Webber In-reply-to: <87eek45lpg.fsf@gnu.org> Date: Sat, 05 Dec 2020 13:22:23 -0500 Message-ID: <87k0twkt9c.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Maxim Cournoyer , 44808@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -2.30 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 5BD489401BF X-Spam-Score: -2.30 X-Migadu-Scanner: ns3122888.ip-94-23-21.eu X-TUID: JSeN4EnbJa0R Ludovic Court=C3=A8s writes: > Hi! > > Maxim Cournoyer skribis: > >>>> I'm on board with what you're proposing, and I think Guix should >>>> default to the more secure option, but I'm not sure that an=20 >>>> "average user" (whatever that means for Guix's demographic) would >>>> expect that password authentication is disabled by default. >>> >>> That's fair... I think that >>> "[ ] Password authentication? (insecure)" >>> would be sufficient as an option. How do others feel? >> >> I'm +1 on disabling password access out of the box; especially since >> Guix System makes it easy to authorize SSH keys at installation time. >> We'd have to see if it breaks any of our system tests, but I doubt so. > > Agreed. There are several ways to do that: > > 1. Have the installer emit an =E2=80=98openssh-configuration=E2=80=99 t= hat explicitly > disables password authentication. > > 2. Change the default value of the relevant field in > . > > #2 is more thorough but also more risky: people could find themselves > locked out of their server after reconfiguration, though this could be > mitigated by a news entry. > > Thoughts? > > Ludo=E2=80=99. We could also do a combination of the above, as a transitional plan: do #1 for now, but try to advertise that in the future, the default will be changing... please explicitly set password access to #t if you need this! Then in the *following* release, change the default. This seems like a reasonable transition plan, kind of akin to a deprecation process?