Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
From: Mark H Weaver
To: Ludovic Courtès
Cc: maxim.cournoyer@gmail.com, 44808@debbugs.gnu.org
Date: Thu, 10 Dec 2020 20:43:45 -0500
Message-ID: <87pn3h15hv.fsf@netris.org>
In-Reply-To: <87o8j29isw.fsf@gnu.org>
Hi Ludovic,

Ludovic Courtès writes:

> Mark H Weaver skribis:
>
>> Ludovic Courtès writes:
>
> [...]
>
>>> What do you think of the approach in
>>> ?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?

I highly doubt it.  In any case, there's certainly no ssh daemon running.
See below for my system configuration.

> What source code location is associated with that warning?

gnu/services/ssh.scm:570:31, here:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570

Here's what I see when I build a system:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?' field of 'openssh-configuration' will change from #true to #false in the future. Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---

Could it be related to the fact that I always run Guix via ./pre-inst-env
from a git checkout?  If this problem only affects me, due to the unusual
way in which I use Guix, feel free to disregard this issue.
It's easy enough for me to add one more to my collection of reverted
patches on my private branch :)

     Thanks,
       Mark

--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware xdisorg
                     libusb suckless ratpoison wm vpn)

(operating-system
  (host-name "jojen")
  (timezone "right/US/Eastern")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))

  (kernel linux-libre)
  (kernel-arguments '("page_alloc.shuffle=1"))
  (firmware (list ath9k-htc-firmware))
  ;;(firmware '())

  (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
          (target "jojen-root")
          (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         ;; FIXME: reference by the file system label?
                         (device "/dev/mapper/jojen-root")
                         (mount-point "/")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       %base-file-systems))

  (users (cons* (user-account
                 (name "mhw")
                 (uid 1000)
                 (group "mhw")
                 (supplementary-groups '("wheel" "users" "netdev"
                                         "audio" "video" "dialout"))
                 (home-directory "/home/mhw"))
                %base-user-accounts))

  (groups (cons* (user-group (name "mhw") (id 1000))
                 %base-groups))

  (setuid-programs (list (file-append shadow "/bin/passwd")
                         (file-append inetutils "/bin/ping")))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs              ;for HTTPS access
                   gvfs                   ;for user mounts
                   cryptsetup btrfs-progs
                   wpa-supplicant network-manager network-manager-applet
                   network-manager-openvpn openvpn
                   ratpoison i3-wm dwm
                   (delete sudo %base-packages)))

  (services (cons* (service gnome-desktop-service-type)
                   ;;(service xfce-desktop-service-type)
                   (service gdm-service-type)
                   ;;(service slim-service-type)
                   (screen-locker-service slock)
                   ;;(screen-locker-service xlockmore "xlock")

                   ;; Add udev rules for MTP devices so that non-root
                   ;; users can access them.
                   (simple-service 'mtp udev-service-type (list libmtp))

                   ;; Add udev rules for scanners.
                   (service sane-service-type)

                   ;; Add polkit rules, so that non-root users in the
                   ;; wheel group can perform administrative tasks
                   ;; (similar to "sudo").
                   polkit-wheel-service

                   ;; NetworkManager and its dependents.
                   (service network-manager-service-type)
                   (service wpa-supplicant-service-type)
                   ;; (simple-service 'network-manager-applet
                   ;;                 profile-service-type
                   ;;                 (list network-manager-applet))
                   ;; (service modem-manager-service-type)
                   ;; (service usb-modeswitch-service-type)

                   ;; The D-Bus clique.
                   ;;(service avahi-service-type) ; I don't trust this
                   (udisks-service)
                   (service upower-service-type)
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)
                   (service colord-service-type)
                   ;;(geoclue-service) ; I don't want this
                   (service polkit-service-type)
                   (elogind-service)
                   (dbus-service)
                   ;;(service ntp-service-type) ; I don't trust this

                   (service pulseaudio-service-type)
                   (service alsa-service-type)

                   ;;;; Disabled for now
                   ;;
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)

                   ;; TOR: The Onion Router
                   (service tor-service-type)

                   ;; Optional OpenNTPd, below
                   #;
                   (service openntpd-service-type
                            (openntpd-configuration
                             (listen-on '("127.0.0.1" "::1"))
                             ;;(constraint-from '("www.gnu.org"))
                             (allow-large-adjustment? #t)))

                   x11-socket-directory-service

                   ;;;; Disabled for now
                   ;;
                   ;;(service alsa-service-type)

                   (modify-services %base-services
                     ;; I don't trust the build farm
                     (guix-service-type config =>
                                        (guix-configuration
                                         (inherit config)
                                         (use-substitutes? #f)
                                         (authorize-key? #f)
                                         (authorized-keys '())
                                         (substitute-urls '())
                                         (extra-options '("--gc-keep-derivations=yes"
                                                          "--gc-keep-outputs=yes")))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;;(name-service-switch %mdns-host-lookup-nss) ; disabled for now
  )
--8<---------------cut here---------------end--------------->8---
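For readers who do run sshd, here is an added example (not part of Mark's message or of the Guix tree) of an openssh-service-type declaration that sets the field the warning above is about explicitly, so the planned change of the default cannot silently alter the system, and that restricts root to key-based login. The field names are those of Guix's openssh-configuration at the time of this thread; the user name "alice" and the key path are placeholders.

```scheme
;; Added example, not from the message or the Guix tree: an sshd service
;; whose behaviour does not depend on the default value of
;; 'password-authentication?'.
(use-modules (gnu) (gnu services ssh))

(define %key-only-sshd
  (service openssh-service-type
           (openssh-configuration
            ;; Set explicitly: the warning quoted above fires only when the
            ;; field is left at its default, and the default is changing.
            (password-authentication? #f)
            ;; Root may log in with a key, never with a password.
            (permit-root-login 'prohibit-password)
            ;; Deploy authorized keys from the configuration itself.
            ;; "alice" and the file name are placeholders.
            (authorized-keys
             `(("alice" ,(local-file "/path/to/alice.pub")))))))

;; Splice it into a system like the one above with
;; (services (cons* %key-only-sshd ... %base-services)).
```

With the field set, the warning from gnu/services/ssh.scm no longer applies to this service, and the sshd_config that `guix system build` generates carries `PasswordAuthentication no`.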