From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id wFofL1op0F8dFAAA0tVLHw (envelope-from ) for ; Wed, 09 Dec 2020 01:33:14 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id QNPaKlop0F+XUwAAbx9fmQ (envelope-from ) for ; Wed, 09 Dec 2020 01:33:14 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0A0C5940483 for ; Wed, 9 Dec 2020 01:33:12 +0000 (UTC) Received: from localhost ([::1]:48824 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kmoLu-0004Pi-2w for larch@yhetil.org; Tue, 08 Dec 2020 20:33:10 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:45820) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kmoLm-0004PQ-Tu for bug-guix@gnu.org; Tue, 08 Dec 2020 20:33:02 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:48774) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kmoLm-0006HP-2s for bug-guix@gnu.org; Tue, 08 Dec 2020 20:33:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kmoLl-0007uH-VU for bug-guix@gnu.org; Tue, 08 Dec 2020 20:33:01 -0500 X-Loop: help-debbugs@gnu.org Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable Resent-From: Mark H Weaver Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 09 Dec 2020 01:33:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 44808 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 44808-submit@debbugs.gnu.org id=B44808.160747753530338 (code B ref 44808); Wed, 09 Dec 2020 01:33:01 +0000 Received: (at 44808) by debbugs.gnu.org; 9 Dec 2020 01:32:15 +0000 Received: from localhost ([127.0.0.1]:60320 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmoL1-0007tF-7L for submit@debbugs.gnu.org; Tue, 08 Dec 2020 20:32:15 -0500 Received: from world.peace.net ([64.112.178.59]:47250) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmoKz-0007sz-GR for 44808@debbugs.gnu.org; Tue, 08 Dec 2020 20:32:14 -0500 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kmoKt-0005NK-Ke; Tue, 08 Dec 2020 20:32:07 -0500 From: Mark H Weaver In-Reply-To: <87wnxswpmk.fsf@gnu.org> References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au> <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com> <87eek45lpg.fsf@gnu.org> <87k0twkt9c.fsf@dustycloud.org> <87sg8hzvdx.fsf@gnu.org> <87a6upepwb.fsf@web.de> <87sg8hlfyu.fsf@dustycloud.org> <871rg1e6js.fsf@web.de> <87im9ddy0r.fsf@netris.org> <87wnxswpmk.fsf@gnu.org> Date: Tue, 08 Dec 2020 20:31:16 -0500 Message-ID: <87lfe7ydc0.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: maxim.cournoyer@gmail.com, 44808@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: 0.49 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 0A0C5940483 X-Spam-Score: 0.49 X-Migadu-Scanner: ns3122888.ip-94-23-21.eu X-TUID: ImRpxqtkzomF Hi Ludovic, Ludovic Court=C3=A8s writes: > Mark H Weaver skribis: > >> "Dr. Arne Babenhauserheide" writes: >>> To nudge them to secure their system, guix system reconfigure could emit >>> a warning that this is a potential security risk that requires setting >>> an explicit value (password yes or no) to silence. >> >> I think this is a good idea. Likewise, in the Guix installer, I would >> favor asking the user whether or not to enable password authentication, >> after warning them that it is a security risk. >> >> I agree with Chris that password authentication is a significant >> security risk, but I also worry that if we simply disable it, it will >> catch some users by surprise and they may be quite unhappy about it. > > What do you think of the approach in > ? One problem, which I just discovered, is that it warns users even if they don't have an 'openssh-service' in their system configuration. (For that reason, I just reverted this commit on my private branch). > The default is unchanged but the warning could be kept say until the > next release, at which point we=E2=80=99d change the default. > > Or are you suggesting keeping the default unchanged? I don't feel strongly about what the default setting should be, as long as we ensure that users are somehow made aware of the change before it happens, and are given the opportunity (and preferably easy instructions on how) to keep password authentication enabled if they wish. I also think that the installer should explicitly ask the user what the setting should be, so that we do not catch new users off guard who expected to be able to ssh in to their newly-installed systems using only a password. If the plan is to change the default setting and issue warnings in the meantime, it should be easy to silence those warnings, especially for those of us who don't even use openssh-service :) What do you think? Regards, Mark