From: Christopher Lemmer Webber
To: "Dr. Arne Babenhauserheide"
Cc: Ludovic Courtès, bug-guix@gnu.org, Maxim Cournoyer, 44808@debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Mon, 07 Dec 2020 11:48:41 -0500

Dr. Arne Babenhauserheide writes:

> Ludovic Courtès writes:
>
>>>> #2 is more thorough but also more risky: people could find themselves
>>>> locked out of their server after reconfiguration, though this could be
>>>> mitigated by a news entry.
>>>>
>>>> Thoughts?
>
> My thoughts are that there is no mitigation for being locked out of a
> pre-existing server. Keep in mind that that server might not actually be
> accessible in any other way — it might be with a cheap hoster whose
> support is practically non-existent, or it might be in a sealed
> measurement container that can only be accessed via SSH without
> disassembly.
>
>>> We could also do a combination of the above, as a transitional plan:
>>> do #1 for now, but try to advertise that in the future, the default will
>>> be changing... please explicitly set password access to #t if you need
>>> this! Then in the *following* release, change the default.
>
> This sounds like trying to retroactively fix a problem at the wrong
> place: If the installer creates a configuration which prevents
> password-authentication, there is no problem for new systems and new
> users who need password-authentication will explicitly see in the
> config, that they have to change it, otherwise it won’t work. All the
> while old systems will keep working.
>
> I do need to access my system via password+ssh from time to time,
> because I don’t want to have a key that can access my system on a
> presentation-laptop that (due to being moved regularly) is much less
> secure than the fixed system. If someone gets access to the laptop and
> compromises my keys, they can run much more efficient attacks against
> its ssh-keys' password than the attacks people can use to attack ssh via
> internet.
>
> Changing a default (an invisible setting) in a way that prevents access
> is a serious disruption.
>
> In short: please don’t break running systems on update.
>
> Best wishes,
> Arne

It's a serious concern. We are left in a tough bind: leave users with
an insecure default but try to inform them as much as we can of a
changing default, or possibly lock them out if they don't notice.

Still, now feels to me like the ideal time to do it. The number of
people running GuixSD on servers is comparatively small. I expect that
to change. It would be better to make this change sooner than later.

I understand your concern though...
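
The explicit setting discussed in this thread, shown as an added example that is not part of the original message or of Guix's own code. It assumes the `password-authentication?` and `authorized-keys` fields of Guix's `openssh-configuration` record; the user name `alice` and the file `alice.pub` are placeholders.

```scheme
;; Added example: two alternative OpenSSH service definitions for the
;; `services' field of a Guix System configuration.  Stating the field
;; explicitly means a later change of the default does not alter how
;; this machine authenticates SSH logins.
(use-modules (gnu) (guix gexp))
(use-service-modules ssh)

;; Key-only access: password logins are refused.  The public key is
;; installed by the same configuration, so the host is still reachable
;; after `guix system reconfigure'.
(define sshd-keys-only
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #f)
            (authorized-keys
             ;; Placeholder user and key file (assumptions).
             `(("alice" ,(local-file "alice.pub")))))))

;; Password access kept on purpose: the choice is visible in the
;; configuration instead of being inherited from an invisible default.
(define sshd-with-passwords
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #t))))
```

Only one of the two definitions goes into the `services` list of a given system.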