From: Mark H Weaver <mhw@netris.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: maxim.cournoyer@gmail.com, 44808@debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Thu, 10 Dec 2020 20:43:45 -0500
Message-ID: <87pn3h15hv.fsf@netris.org>
In-Reply-To: <87o8j29isw.fsf@gnu.org>
Hi Ludovic,
Ludovic Courtès <ludo@gnu.org> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
>>> What do you think of the approach in
>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?
I highly doubt it. In any case, there's certainly no ssh daemon
running. See below for my system configuration.
> What source code location is associated with that warning?
gnu/services/ssh.scm:570:31, here:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570
Here's what I see when I build a system:
--8<---------------cut here---------------start------------->8---
mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'
field of 'openssh-configuration' will change from #true to #false in the
future. Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---
Could it be related to the fact that I always run Guix via
./pre-inst-env from a git checkout?
If this problem only affects me, due to the unusual way in which I use
Guix, feel free to disregard this issue. It's easy enough for me to add
one more to my collection of reverted patches on my private branch :)
Thanks,
Mark
--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware xdisorg libusb suckless ratpoison wm vpn)

(operating-system
  (host-name "jojen")
  (timezone "right/US/Eastern")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))

  (kernel linux-libre)
  (kernel-arguments '("page_alloc.shuffle=1"))
  (firmware (list ath9k-htc-firmware))
  ;;(firmware '())
  (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
          (target "jojen-root")
          (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         ;; FIXME: reference by the file system label?
                         (device "/dev/mapper/jojen-root")
                         (mount-point "/")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       %base-file-systems))

  (users (cons* (user-account
                 (name "mhw")
                 (uid 1000)
                 (group "mhw")
                 (supplementary-groups '("wheel" "users" "netdev"
                                         "audio" "video" "dialout"))
                 (home-directory "/home/mhw"))
                %base-user-accounts))

  (groups (cons* (user-group
                  (name "mhw")
                  (id 1000))
                 %base-groups))

  (setuid-programs
   (list (file-append shadow "/bin/passwd")
         (file-append inetutils "/bin/ping")))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs             ;for HTTPS access
                   gvfs                  ;for user mounts
                   cryptsetup
                   btrfs-progs
                   wpa-supplicant
                   network-manager
                   network-manager-applet
                   network-manager-openvpn
                   openvpn
                   ratpoison
                   i3-wm
                   dwm
                   (delete sudo %base-packages)))

  (services (cons* (service gnome-desktop-service-type)
                   ;;(service xfce-desktop-service-type)
                   (service gdm-service-type)
                   ;;(service slim-service-type)
                   (screen-locker-service slock)
                   ;;(screen-locker-service xlockmore "xlock")

                   ;; Add udev rules for MTP devices so that non-root
                   ;; users can access them.
                   (simple-service 'mtp udev-service-type (list libmtp))

                   ;; Add udev rules for scanners.
                   (service sane-service-type)

                   ;; Add polkit rules, so that non-root users in the
                   ;; wheel group can perform administrative tasks
                   ;; (similar to "sudo").
                   polkit-wheel-service

                   ;; NetworkManager and its dependents.
                   (service network-manager-service-type)
                   (service wpa-supplicant-service-type)
                   ;; (simple-service 'network-manager-applet
                   ;;                 profile-service-type
                   ;;                 (list network-manager-applet))
                   ;; (service modem-manager-service-type)
                   ;; (service usb-modeswitch-service-type)

                   ;; The D-Bus clique.
                   ;;(service avahi-service-type) ; I don't trust this
                   (udisks-service)
                   (service upower-service-type)
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)
                   (service colord-service-type)
                   ;;(geoclue-service) ; I don't want this
                   (service polkit-service-type)
                   (elogind-service)
                   (dbus-service)
                   ;;(service ntp-service-type) ; I don't trust this
                   (service pulseaudio-service-type)
                   (service alsa-service-type)

                   ;;;; Disabled for now
                   ;;
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)

                   ;; TOR: The Onion Router
                   (service tor-service-type)

                   ;; Optional OpenNTPd, below
                   #;
                   (service
                    openntpd-service-type
                    (openntpd-configuration
                     (listen-on '("127.0.0.1" "::1"))
                     ;;(constraint-from '("www.gnu.org"))
                     (allow-large-adjustment? #t)))

                   x11-socket-directory-service

                   ;;;; Disabled for now
                   ;;
                   ;;(service alsa-service-type)

                   (modify-services %base-services
                     ;; I don't trust the build farm
                     (guix-service-type config =>
                                        (guix-configuration
                                         (inherit config)
                                         (use-substitutes? #f)
                                         (authorize-key? #f)
                                         (authorized-keys '())
                                         (substitute-urls '())
                                         (extra-options '("--gc-keep-derivations=yes"
                                                          "--gc-keep-outputs=yes")))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;;(name-service-switch %mdns-host-lookup-nss) ; disabled for now
  )
--8<---------------cut here---------------end--------------->8---
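For readers following the thread, here is an added example (not part of this message, and not code from the Guix tree) showing the implicit-default declaration that the warning above is about next to an explicit one that sets 'password-authentication?' to #false; both fragments belong inside a system's (services ...) list. The 'permit-root-login' and 'authorized-keys' fields are assumed from Guix's openssh-configuration record, and "mhw.pub" is a placeholder key file.

```scheme
;; Added example; not from this bug report or from Guix itself.

;; Implicit default: password logins stay enabled, and at the time of this
;; thread the unset field is what triggers the deprecation warning.
(service openssh-service-type)

;; Explicit policy: only key-based logins are accepted, so a weak or
;; reused account password cannot be used over ssh, and the warning no
;; longer applies because the field is stated rather than defaulted.
;; 'permit-root-login' and 'authorized-keys' are assumed record fields;
;; "mhw.pub" is a placeholder path to the user's public key.
(service openssh-service-type
         (openssh-configuration
          (password-authentication? #f)  ; stated explicitly, not defaulted
          (permit-root-login #f)         ; no direct root logins
          (authorized-keys
           `(("mhw" ,(local-file "mhw.pub"))))))
```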