GNU bug report logs - #26695
openssh password-authentication? should be #f by default


Package: guix; Reported by: Christopher Allan Webber <cwebber@HIDDEN>; dated Fri, 28 Apr 2017 14:38:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 26695 <at> debbugs.gnu.org:


From: Chris Marusich <cmmarusich@HIDDEN>
To: Marius Bakke <mbakke@HIDDEN>
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Sun, 30 Apr 2017 12:47:22 -0700

Marius Bakke <mbakke@HIDDEN> writes:

> Christopher Allan Webber <cwebber@HIDDEN> writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another means
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init.  That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Will OpenSSH know where to look, in that case?  I think a little more
work would be needed to tell OpenSSH where to look.  For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).

In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service.  For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the <openssh-configuration> record type.

> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)

This topic has come up before.  Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed.  See here for details:

https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html

Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file.  Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.

-- 
Chris





Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.

Message received at 26695 <at> debbugs.gnu.org:


Date: Fri, 28 Apr 2017 15:28:34 -0400
From: Leo Famulari <leo@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default

On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
> Our default permits password authentication for the openssh service (and
> the others it seems) by default in Guix.  This is somewhat dangerous
> because this is much easier to break in this way, and some users might
> not assume the default is reasonably safe.  If users really want
> password-authentication, they should turn it on explicitly.

The upstream default is to allow password authentication (see
sshdconfig(5)).

With the current GuixSD defaults, my understanding is that nobody will
be able to login remotely to a new GuixSD system with the default
openssh-service, unless they make the effort to insert the user's
password in their GuixSD declaration. Remote root login and empty
password login are disabled by default.

So the current situation seems safe to me. Please let us know if you see
a hole.

Allowing passwords is not the best practice for securing sshd, but I
think it's a good default for the openssh-service until we have a better
way to deploy keys.

If we do change the password authentication default to #f, I think we
should do it in a new Guix release, since it will probably break GuixSD
provisioning scripts that people are using.





Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.
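
Added example, not part of the thread and not Guix or OpenSSH code: a Python audit of sshd_config text for the settings the messages above argue about (the upstream PasswordAuthentication default, root and empty-password login, and where AuthorizedKeysFile makes sshd look for keys). It goes slightly beyond the thread by also checking Match blocks and PAM keyboard-interactive prompts; the sample configs, the user alice and the /etc/ssh/keys directory are constructed.

```python
import re

# Upstream defaults per sshd_config(5) for the keywords this thread touches.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}
# Deprecated spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# "Keyword value" or "Keyword=value"; comment lines do not match.
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse(text):
    """Return (global_settings, [(match_criteria, overrides), ...])."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        key = ALIASES.get(key, key)
        if key == "match":             # lines below apply conditionally
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)   # first value obtained wins
    return global_settings, blocks


def check(scope, cfg, explicit):
    """Return (scope, issue) pairs for one effective configuration."""
    issues = []
    password = cfg["passwordauthentication"] == "yes"
    # With PAM, keyboard-interactive can prompt for the account password too.
    pam_prompt = (cfg["kbdinteractiveauthentication"] == "yes"
                  and cfg["usepam"] == "yes")
    if password:
        origin = "explicit" if "passwordauthentication" in explicit else "default"
        issues.append(f"password-auth-enabled ({origin})")
    if pam_prompt:
        issues.append("password-via-pam-keyboard-interactive")
    if (password or pam_prompt) and cfg["permitemptypasswords"] == "yes":
        issues.append("empty-passwords-accepted")
    if (password or pam_prompt) and cfg["permitrootlogin"] == "yes":
        issues.append("root-password-login")
    if not (password or pam_prompt) and (
            cfg["pubkeyauthentication"] != "yes"
            or cfg["authorizedkeysfile"] == "none"):
        issues.append("passwords-off-but-no-keys")
    return [(scope, issue) for issue in issues]


def audit(text):
    """Findings for the global section and for each Match block."""
    global_settings, blocks = parse(text)
    base = {**DEFAULTS, **global_settings}
    findings = check("global", base, global_settings)
    seen = {issue for _, issue in findings}
    for criteria, overrides in blocks:
        # A Match block overrides the global section for matching connections.
        cfg = {**base, **overrides}
        for finding in check(f"Match {criteria}", cfg,
                             {**global_settings, **overrides}):
            if finding[1] not in seen:   # report only what the block changes
                findings.append(finding)
    return findings


def authorized_keys_paths(text, user, home):
    """Expand the global AuthorizedKeysFile for one account."""
    global_settings, _ = parse(text)
    value = {**DEFAULTS, **global_settings}["authorizedkeysfile"]
    if value == "none":
        return []
    tokens = {"%": "%", "u": user, "h": home}
    paths = []
    for pattern in value.split():
        path = re.sub(r"%([%uh])", lambda m: tokens[m.group(1)], pattern)
        # After expansion, a relative path is taken from the home directory.
        paths.append(path if path.startswith("/") else f"{home}/{path}")
    return paths


# Constructed sample 1: passwords never mentioned, so the upstream default applies.
SAMPLE_DEFAULTS = """\
PermitRootLogin no
PermitEmptyPasswords no
"""

# Constructed sample 2: keys only, with a Match block that re-enables passwords.
SAMPLE_KEYS_ONLY = """\
PasswordAuthentication no
# Ignored: a repeated keyword does not replace the first value.
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("defaults", SAMPLE_DEFAULTS), ("keys-only", SAMPLE_KEYS_ONLY)):
        print(name, audit(text), authorized_keys_paths(text, "alice", "/home/alice"))
```

Include directives are not followed, so on a host that uses them the authoritative check is the daemon's own `sshd -T` output.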

Message received at 26695 <at> debbugs.gnu.org:


From: Christopher Allan Webber <cwebber@HIDDEN>
To: Marius Bakke <mbakke@HIDDEN>
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Fri, 28 Apr 2017 13:25:51 -0500

Marius Bakke writes:

>> We have discussed in the past having some service that just copies some
>> static files on init.  That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Interesting!  I'll have to try this route.




Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.

Message received at 26695 <at> debbugs.gnu.org:


From: Marius Bakke <mbakke@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Fri, 28 Apr 2017 19:23:50 +0200

Christopher Allan Webber <cwebber@HIDDEN> writes:

> Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another means
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
> We have discussed in the past having some service that just copies some
> static files on init.  That would be enough to set up public keys
> appropriately.

I think that can already be done with 'special-file-service-type'.

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Another approach could be a small program that reads a configuration
file and can also pull from e.g. the ec2 metadata service which should
work with many "cloud" providers. Similar to "cloud-init" but Guile of
course :)





Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.

Message received at 26695 <at> debbugs.gnu.org:


Date: Fri, 28 Apr 2017 09:40:35 -0700
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
To: Christopher Allan Webber <cwebber@HIDDEN>
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

On April 28, 2017 9:37:59 AM PDT, Christopher Allan Webber <cwebber@HIDDEN> wrote:
>Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another means
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
>We have discussed in the past having some service that just copies some
>static files on init.  That would be enough to set up public keys
>appropriately.
>
>That's a different, but related bug :)

I see! Indeed, it seems it would solve the problem to have such a service.
Thanks for the reply!




Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.

Message received at 26695 <at> debbugs.gnu.org:


From: Christopher Allan Webber <cwebber@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
Date: Fri, 28 Apr 2017 11:37:59 -0500

Maxim Cournoyer writes:

> +1. Although it means the keys will have to be copied by another means
> than the "ssh-copy-id" script. Maybe the configuration could accept
> the public key? :) I haven't checked if this is already possible.

We have discussed in the past having some service that just copies some
static files on init.  That would be enough to set up public keys
appropriately.

That's a different, but related bug :)




Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Date: Fri, 28 Apr 2017 09:09:51 -0700
User-Agent: K-9 Mail for Android
In-Reply-To: <87k264tx8m.fsf@HIDDEN>
References: <87k264tx8m.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: bug#26695: openssh password-authentication? should be #f by
 default
To: bug-guix@HIDDEN, Christopher Allan Webber <cwebber@HIDDEN>,
 26695 <at> debbugs.gnu.org
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Message-ID: <01F8858C-D359-42CA-96A6-45F6C4A3B80C@HIDDEN>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)

On April 28, 2017 7:37:13 AM PDT, Christopher Allan Webber <cwebber@dustycloud.org> wrote:
>Our default permits password authentication for the openssh service
>(and the others it seems) by default in Guix.  This is somewhat dangerous
>because this is much easier to break in this way, and some users
>might not assume the default is reasonably safe.  If users really want
>password-authentication, they should turn it on explicitly.

+1. Although it means the keys will have to be copied by another means than the "ssh-copy-id" script. Maybe the configuration could accept the public key? :) I haven't checked if this is already possible.
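
The setting discussed in this thread, as an added example that is not part of the bug report or of Guix's own code: an `openssh-service-type` declaration that turns password authentication off explicitly and supplies public keys through the `authorized-keys` field documented in the Guix manual. The account name `alice`, the file `alice.pub` and the variable `%hardened-ssh` are placeholders.

```scheme
;; Added example: fragment of an operating-system configuration file.
;; "alice", alice.pub and %hardened-ssh are placeholders.
(use-modules (gnu) (guix gexp))
(use-service-modules ssh)

(define %hardened-ssh
  (service openssh-service-type
           (openssh-configuration
            ;; Refuse password logins, the default this report asks for.
            (password-authentication? #f)
            ;; Keep keyboard-interactive off as well; through PAM it can
            ;; otherwise act as a second password prompt.
            (challenge-response-authentication? #f)
            (public-key-authentication? #t)
            ;; Keys are installed by the system configuration itself, so
            ;; ssh-copy-id, which typically relies on a password login,
            ;; is not needed to provision them.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub")))))))

;; For comparison, the setting the report objects to:
;;   (openssh-configuration (password-authentication? #t))
;;
;; Used inside the operating-system declaration as:
;;   (services (cons %hardened-ssh %base-services))
```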





Information forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.


Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 28 Apr 2017 14:37:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Apr 28 10:37:29 2017
Received: from localhost ([127.0.0.1]:44833 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1d471V-0007Px-Ef
	for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:37:29 -0400
Received: from eggs.gnu.org ([208.118.235.92]:55439)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1d471T-0007Pk-Hn
 for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:37:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1d471N-0002kE-Rp
 for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:37:22 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:41305)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <cwebber@HIDDEN>)
 id 1d471N-0002k6-OV
 for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:37:21 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46406)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1d471M-0003ru-Qh
 for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:37:21 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1d471I-0002fj-Tm
 for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:37:20 -0400
Received: from dustycloud.org ([50.116.34.160]:60710)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <cwebber@HIDDEN>)
 id 1d471I-0002eZ-Og
 for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:37:16 -0400
Received: from oolong (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 1297D26632
 for <bug-guix@HIDDEN>; Fri, 28 Apr 2017 10:37:14 -0400 (EDT)
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Christopher Allan Webber <cwebber@HIDDEN>
To: bug-guix@HIDDEN
Subject: openssh password-authentication? should be #f by default
Message-ID: <87k264tx8m.fsf@HIDDEN>
Date: Fri, 28 Apr 2017 09:37:13 -0500
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)

Our default permits password authentication for the openssh service (and
the others it seems) by default in Guix.  This is somewhat dangerous
because this is much easier to break in this way, and some users might
not assume the default is reasonably safe.  If users really want
password-authentication, they should turn it on explicitly.




Acknowledgement sent to Christopher Allan Webber <cwebber@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#26695; Package guix. Full text available.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC