GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 8 Dec 2020 13:49:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Dec 08 08:49:14 2020
Received: from localhost ([127.0.0.1]:56905 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmdMg-0005fq-Ej
	for submit <at> debbugs.gnu.org; Tue, 08 Dec 2020 08:49:14 -0500
Received: from dustycloud.org ([50.116.34.160]:56182)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1kmdMe-0005fi-Vv
 for 44808 <at> debbugs.gnu.org; Tue, 08 Dec 2020 08:49:13 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 36BDB26679;
 Tue,  8 Dec 2020 08:49:12 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
 <87sg8hlfyu.fsf@HIDDEN> <871rg1e6js.fsf@HIDDEN>
 <87im9ddy0r.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87im9ddy0r.fsf@HIDDEN>
Date: Tue, 08 Dec 2020 08:48:34 -0500
Message-ID: <87ft4ge7d9.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>, maxim.cournoyer@HIDDEN,
 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Mark H Weaver writes:

> Hi,
>
> "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN> writes:
>> To nudge them to secure their system, guix system reconfigure could emit
>> a warning that this is a potential security risk that requires setting
>> an explicit value (password yes or no) to silence.
>
> I think this is a good idea.  Likewise, in the Guix installer, I would
> favor asking the user whether or not to enable password authentication,
> after warning them that it is a security risk.
>
> I agree with Chris that password authentication is a significant
> security risk, but I also worry that if we simply disable it, it will
> catch some users by surprise and they may be quite unhappy about it.
>
>      Regards,
>        Mark

It's clear that quite a few people are unhappy with switching the
default, fearing lockout.  I'm fine with making the above compromise
given all that, personally.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 8 Dec 2020 10:37:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Dec 08 05:37:06 2020
Received: from localhost ([127.0.0.1]:56654 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmaMj-00014Q-Rr
	for submit <at> debbugs.gnu.org; Tue, 08 Dec 2020 05:37:06 -0500
Received: from eggs.gnu.org ([209.51.188.92]:38966)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1kmaMh-00013v-Hc
 for 44808 <at> debbugs.gnu.org; Tue, 08 Dec 2020 05:37:04 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:47306)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1kmaMa-00011O-L4; Tue, 08 Dec 2020 05:36:56 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=51164 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1kmaMW-0002hS-SD; Tue, 08 Dec 2020 05:36:54 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
 <87sg8hlfyu.fsf@HIDDEN> <871rg1e6js.fsf@HIDDEN>
 <87im9ddy0r.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 18 Frimaire an 229 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Tue, 08 Dec 2020 11:36:51 +0100
In-Reply-To: <87im9ddy0r.fsf@HIDDEN> (Mark H. Weaver's message of "Mon, 07
 Dec 2020 17:57:45 -0500")
Message-ID: <87wnxswpmk.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@HIDDEN>,
 "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>, maxim.cournoyer@HIDDEN,
 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

Mark H Weaver <mhw@HIDDEN> skribis:

> "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN> writes:
>> To nudge them to secure their system, guix system reconfigure could emit
>> a warning that this is a potential security risk that requires setting
>> an explicit value (password yes or no) to silence.
>
> I think this is a good idea.  Likewise, in the Guix installer, I would
> favor asking the user whether or not to enable password authentication,
> after warning them that it is a security risk.
>
> I agree with Chris that password authentication is a significant
> security risk, but I also worry that if we simply disable it, it will
> catch some users by surprise and they may be quite unhappy about it.

What do you think of the approach in
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3Daecd2a13cbd8301d0f=
deafcacbf69e12cc3f6138>?

The default is unchanged but the warning could be kept say until the
next release, at which point we=E2=80=99d change the default.

Or are you suggesting keeping the default unchanged?

Ludo=E2=80=99.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 22:58:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 17:58:46 2020
Received: from localhost ([127.0.0.1]:55822 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmPSw-0004n7-Jt
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 17:58:46 -0500
Received: from world.peace.net ([64.112.178.59]:33256)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@HIDDEN>) id 1kmPSu-0004mu-Qy
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 17:58:45 -0500
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@HIDDEN>)
 id 1kmPSn-0003Er-Pw; Mon, 07 Dec 2020 17:58:38 -0500
From: Mark H Weaver <mhw@HIDDEN>
To: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>, Christopher Lemmer Webber
 <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-Reply-To: <871rg1e6js.fsf@HIDDEN>
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
 <87sg8hlfyu.fsf@HIDDEN> <871rg1e6js.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 17:57:45 -0500
Message-ID: <87im9ddy0r.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: maxim.cournoyer@HIDDEN, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

"Dr. Arne Babenhauserheide" <arne_bab@HIDDEN> writes:
> To nudge them to secure their system, guix system reconfigure could emit
> a warning that this is a potential security risk that requires setting
> an explicit value (password yes or no) to silence.

I think this is a good idea.  Likewise, in the Guix installer, I would
favor asking the user whether or not to enable password authentication,
after warning them that it is a security risk.

I agree with Chris that password authentication is a significant
security risk, but I also worry that if we simply disable it, it will
catch some users by surprise and they may be quite unhappy about it.

     Regards,
       Mark

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 21:39:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 16:39:17 2020
Received: from localhost ([127.0.0.1]:55743 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmOE1-0002s0-6m
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 16:39:17 -0500
Received: from dustycloud.org ([50.116.34.160]:55546)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1kmODz-0002rr-Il
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 16:39:16 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id B26B326641;
 Mon,  7 Dec 2020 16:39:14 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <X86FH7Mt3353VRGL@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <X86FH7Mt3353VRGL@HIDDEN>
Date: Mon, 07 Dec 2020 16:38:37 -0500
Message-ID: <87eek1fg9u.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Leo Famulari writes:

> On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
>> >   2. Change the default value of the relevant field in
>> >      <openssh-configuration>.
>> >
>> > #2 is more thorough but also more risky: people could find themselves
>> > locked out of their server after reconfiguration, though this could be
>> > mitigated by a news entry.
>
> I do think we should avoid changing the default. I know that passphrases
> are inherently riskier than keys =E2=80=94 compromise is more likely than=
 with a
> key, but I think it's even more likely that people will lose access to
> their servers if we change this default.
>
> How bad is the risk, from a practical perspective? How many times per
> second can a remote attacker attempt passphrase authentication? If the
> number is high, we could petition OpenSSH to introduce a delay.

Some servers try to protect against such systems with something such as
fail2ban.  It can help a little, but origin-oriented systems have
serious problems.  A simple example is that a botnet can be used to try
logging in from many origins.  But origin-oriented designs also don't
hold up in general as one tends to move towards things like p2p
systems... consider if exposing ssh over a tor onion service just how
easy it is to generate lots of onion addresses.

Consider the following though: most users have fairly weak passwords.
Sad, but true... but in the case where that password only is affected by
someone trying to gain login from physical access, it also only affects
physical access brute forcing with the computer on.

A weak password doesn't hold up as well when any server anywhere can
start hammering on it.

Looking at my auth logs, such hammering is super common... most of the
servers I've dealt with tend to have logs filled with bots trying to get
in all the time, and that's in an untargeted case.  A targeted case is
worse.

Maybe it's not a good idea to change the default, but yes, the problem
is serious.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 19:54:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 14:54:14 2020
Received: from localhost ([127.0.0.1]:55565 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmMaL-0006ae-3s
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:54:14 -0500
Received: from mout.web.de ([217.72.192.78]:35095)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arne_bab@HIDDEN>) id 1kmMaI-0006aM-AR
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:54:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1607370841;
 bh=Ig57qiuSeNWe6xGO3fHo2GTO7T+TsijTJ8IlWYMXueQ=;
 h=X-UI-Sender-Class:References:From:To:Cc:Subject:In-reply-to:Date;
 b=d/O9X6qjeXqbU7ArxTjezLjXJyEwEeV9EsLA2mtUgD41KkPZfMehKgVA40Nd8Z1Wb
 GAZRNPIkxn/Nu3zamasCAfrqV82K3p3njWfTS6jMokd77lhPys9lP2OXxfAsraUvIK
 gmEselFPp9LzgTvFfeK4kd1ru2NysBibBZ+uWAaU=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from fluss ([84.149.87.37]) by smtp.web.de (mrweb103
 [213.165.67.124]) with ESMTPSA (Nemesis) id 0Lcy1k-1kLrXF1CUq-00iFpW; Mon, 07
 Dec 2020 20:54:01 +0100
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
 <87sg8hlfyu.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87sg8hlfyu.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 20:53:59 +0100
Message-ID: <871rg1e6js.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Provags-ID: V03:K1:/JnSviN8otrB8/sxFD5xtW7LU1DssMCekPdQtzoxUQzSY7jSGu3
 tHO0bhxHSg2gXuXPK7UtpDRq86h1THU7998yNMe1y2RAbzPFizJ31rclc4698be/Pu0XFel
 bS4JqnMkCJTFXKjX/0SDWlNwC5kzO2dlzoz9m5/RRkNVmwMUycR/S26P9oQ8rSbAqVeWVdd
 lA2UcWm6Uk8GHADMiIwJQ==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:LlVool96tSA=:Z92b/ycwIq5qbjeLiIfgiH
 Hd2ERuvGDMyV5p9xwj48yrOEcMlaH4aI3Zf7E+1oIdj2ZpTLj6nctSEyrAOtwH3ugxA8hJpAc
 rzLfMTm/HOJ4F9bErMlVdXsamuPaMGkwhppiWkH4rtC1t4lFZqPAUfBSSiC5DL19UHYIdyAih
 X8rRN5T+O3QTzWbY2ickaJpBGyI5XxwAlBd7V481e+YkY8rxyKhNjwLDF5s61HXd8vqion+Do
 1mkcXp5G4YJaTX/joXFoO/Y1X5eXnMnDg18+EEXFdrkWvP9Y4yoSjdMAGTY64LMxNFEJiafcN
 jFHD8ygrAmQ/vNn6bOSw48eTABoqSE+rs58iA5uziyeNALEbdVE7Sx4MdEuY9GPYGP4Ncl0iY
 hJl4NpzeTG3D3I++01yBS6CT5IQV+NrECbS23uqUMzk9a5U/e6J14WO8kmmdDWtqZyuMFd85a
 TeX4/99GhkyA89jR8Oh3qd1Mh5oyLeyEEAxMrim3+FAkOZgz6awuBKS6OFudX68ReAuekPEDJ
 d/b2anWFjraCxlatxaYzv663E7sQyXS+hrBzWIJPP0XrUj/Jrk5K5Zvo2z7V4eM56uL21Y8+J
 PVMZIdJd1ncNeeCqJTr3vxuXuTHFIToUSD0js3eoiMrq0duQJa5rpRQv29Op/6ISaMF9RqlQJ
 HYaiiJzD34kof1q+Qbh3WjjQsInY03H83orTb/jIvTCB2BeKZ2ySPIeJ0Z1SdMK25nPsnRQ22
 h6ZzEiLUen8hLxaTywD4G9M8v23+3cCpzYz7lqPjgam8fWapEboUP/V7kgfS1Z0YzYylQnlgO
 R4Su1IZ4xv+PpkX+DuNa4R53vubA7K4KZSbNyFZkQ9ummNM1JoOVxhpgm3vwfpGG2B0hXfdeH
 sBwAGrEayJzTHGFjKwZQ==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 44808
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Christopher Lemmer Webber <cwebber@HIDDEN> writes:

> Dr. Arne Babenhauserheide writes:
>
>> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>>
>>>>> #2 is more thorough but also more risky: people could find themselves
>>>>> locked out of their server after reconfiguration, though this could be
>>>>> mitigated by a news entry.
>>>>>
>>>>> Thoughts?
>>
>> My thoughts are that there is no mitigation for being locked out of a
>> pre-existing server. Keep in mind that that server might not actually be
>> accessible in any other way =E2=80=94 it might be with a cheap hoster wh=
ose
>> support is practically non-existent, or it might be in a sealed
>> measurement container that can only be accessed via SSH without
>> disassembly.
>>
>>>> We could also do a combination of the above, as a transitional plan:
>>>> do #1 for now, but try to advertise that in the future, the default wi=
ll
>>>> be changing... please explicitly set password access to #t if you need
>>>> this!  Then in the *following* release, change the default.
>>
>> This sounds like trying to retroactively fixing a problem at the wrong
>> place: If the installer creates a configuration which prevents
>> password-authentication, there is no problem for new systems and new
>> users who need password-authentication will explicitly see in the
>> config, that they have to change it, otherwise it won=E2=80=99t work. Al=
l the
>> while old systems will keep working.
>>
>> I do need to access my system via password+ssh from time to time,
>> because I don=E2=80=99t want to have a key that can access my system on a
>> presentation-laptop that (due to being moved regularly) is much less
>> secure than the fixed system. If someone gets access to the laptop and
>> compromises my keys, they can run much more efficient attacks against
>> its ssh-keys' password than the attacks people can use to attack ssh via
>> internet.
>>
>> Changing a default (an invisible setting) in a way that prevents access
>> is a serious disruption.
>>
>> In short: please don=E2=80=99t break running systems on update.
>>
>> Best wishes,
>> Arne
>
> It's a serious concern.  We are left in a tough bind: leave users with
> an insecure default but try to inform them as much as we can of a
> changing default, or possibly lock them out if they don't notice.
>
> Still, now feels like to me the ideal time to do it.  The number of
> people running GuixSD on servers is comparatively small.  I expect that
> to change.  It would be better to make this change sooner than later.

If the installer and the configuration examples are changed now, then
the number of people who unknowingly run Guix on an insecure
configuration should not rise.

To nudge them to secure their system, guix system reconfigure could emit
a warning that this is a potential security risk that requires setting
an explicit value (password yes or no) to silence.

Best wishes,
Arne
=2D-=20
Unpolitisch sein
hei=C3=9Ft politisch sein
ohne es zu merken

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAl/OiFgQHGFybmVfYmFi
QHdlYi5kZQAKCRAT741FJAPD64uSEADMFUmtHqD0E5RLG1y3Fk8liw3awm/IeXQc
iT/dtdk+1+GmQJ2QMdt180dWjz77UJratQoNxbH0iSILVYV38a+rNONxLU/t60pX
I5ye0ID/Ts9K2a2Ih+7ASP6ElD3uPlJcCud5QoDE6LX7bUrWm1310FJTz6NbJEz1
Xiv1x4xl/cMdtVSa1OEeJ2E7mrxIs2dGtSKQ0uPdZsYeKX8M6KovSxB+MyV2TLIH
AtIwZDaKJH5N/nJi3u5XAtzRf6rFcwjoDoKPicKIMmKLzCW6M8kMLngCb6AXxZf5
/P/tV+oXpOP7GN8WS4w2ScP/yph0bibP9hbj0viKDTX4YrXKYgZT9RcAD4k+tykO
CgPVGEpbMw3f/Ah/0Xi+7zkWDJSxu7FUIPlTDiGGbDetnVKtw/yXeKgSwjBCeZVL
51AEk72KzAQvELS2Gg2yyJzyI03sZzdCbO6dsqWCbdiFdrlWvPIOyZlnOavijXVA
QFNKJ7NtM9hu15yitaH3Lk01MOMc1UdUEmnVyTJu2i77xJr6M0OfxiL3v/dAVgKw
qteyerPrMkelQ/J8q7pNPCQirL6nXi20rfaahX/1DKSOOnE6E9tXPzyHLfzZ1ZcI
AA8KrFnXr8SxLX9LqbMwEpRmZXz4ZaSu5U0b1Lto5/BfTUDbjcY8zkGgyapz3jVV
QpMRDrQdlojEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAl/OiFgQHGFy
bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSJ9PA/9M0egTZgXt4RBUsE4pGZliYY3z
B1FL1IuEw/YFpmf53NVxqQxFrAZM1N1W/RZ5x/1cAXiEg2M4gYTDSf/ff+Mfprxd
tNeAqy0P4wPjUv/RjAWMxzOqlp6wZvNt7lLvEu1xxjy3Dd1lUW9h/+NiCEx+CiIf
/S9SDL0leN17AngDAw==
=I42Q
-----END PGP SIGNATURE-----
--=-=-=--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 7 Dec 2020 19:54:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 14:54:18 2020
Received: from localhost ([127.0.0.1]:55568 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmMaQ-0006aw-57
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:54:18 -0500
Received: from lists.gnu.org ([209.51.188.17]:41028)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arne_bab@HIDDEN>) id 1kmMaO-0006ap-Md
 for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:54:16 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:56868)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <arne_bab@HIDDEN>) id 1kmMaO-0007b6-EW
 for bug-guix@HIDDEN; Mon, 07 Dec 2020 14:54:16 -0500
Received: from mout.web.de ([217.72.192.78]:34497)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <arne_bab@HIDDEN>)
 id 1kmMaL-0003c9-Gy; Mon, 07 Dec 2020 14:54:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1607370841;
 bh=Ig57qiuSeNWe6xGO3fHo2GTO7T+TsijTJ8IlWYMXueQ=;
 h=X-UI-Sender-Class:References:From:To:Cc:Subject:In-reply-to:Date;
 b=d/O9X6qjeXqbU7ArxTjezLjXJyEwEeV9EsLA2mtUgD41KkPZfMehKgVA40Nd8Z1Wb
 GAZRNPIkxn/Nu3zamasCAfrqV82K3p3njWfTS6jMokd77lhPys9lP2OXxfAsraUvIK
 gmEselFPp9LzgTvFfeK4kd1ru2NysBibBZ+uWAaU=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from fluss ([84.149.87.37]) by smtp.web.de (mrweb103
 [213.165.67.124]) with ESMTPSA (Nemesis) id 0Lcy1k-1kLrXF1CUq-00iFpW; Mon, 07
 Dec 2020 20:54:01 +0100
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
 <87sg8hlfyu.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87sg8hlfyu.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 20:53:59 +0100
Message-ID: <871rg1e6js.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Provags-ID: V03:K1:/JnSviN8otrB8/sxFD5xtW7LU1DssMCekPdQtzoxUQzSY7jSGu3
 tHO0bhxHSg2gXuXPK7UtpDRq86h1THU7998yNMe1y2RAbzPFizJ31rclc4698be/Pu0XFel
 bS4JqnMkCJTFXKjX/0SDWlNwC5kzO2dlzoz9m5/RRkNVmwMUycR/S26P9oQ8rSbAqVeWVdd
 lA2UcWm6Uk8GHADMiIwJQ==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:LlVool96tSA=:Z92b/ycwIq5qbjeLiIfgiH
 Hd2ERuvGDMyV5p9xwj48yrOEcMlaH4aI3Zf7E+1oIdj2ZpTLj6nctSEyrAOtwH3ugxA8hJpAc
 rzLfMTm/HOJ4F9bErMlVdXsamuPaMGkwhppiWkH4rtC1t4lFZqPAUfBSSiC5DL19UHYIdyAih
 X8rRN5T+O3QTzWbY2ickaJpBGyI5XxwAlBd7V481e+YkY8rxyKhNjwLDF5s61HXd8vqion+Do
 1mkcXp5G4YJaTX/joXFoO/Y1X5eXnMnDg18+EEXFdrkWvP9Y4yoSjdMAGTY64LMxNFEJiafcN
 jFHD8ygrAmQ/vNn6bOSw48eTABoqSE+rs58iA5uziyeNALEbdVE7Sx4MdEuY9GPYGP4Ncl0iY
 hJl4NpzeTG3D3I++01yBS6CT5IQV+NrECbS23uqUMzk9a5U/e6J14WO8kmmdDWtqZyuMFd85a
 TeX4/99GhkyA89jR8Oh3qd1Mh5oyLeyEEAxMrim3+FAkOZgz6awuBKS6OFudX68ReAuekPEDJ
 d/b2anWFjraCxlatxaYzv663E7sQyXS+hrBzWIJPP0XrUj/Jrk5K5Zvo2z7V4eM56uL21Y8+J
 PVMZIdJd1ncNeeCqJTr3vxuXuTHFIToUSD0js3eoiMrq0duQJa5rpRQv29Op/6ISaMF9RqlQJ
 HYaiiJzD34kof1q+Qbh3WjjQsInY03H83orTb/jIvTCB2BeKZ2ySPIeJ0Z1SdMK25nPsnRQ22
 h6ZzEiLUen8hLxaTywD4G9M8v23+3cCpzYz7lqPjgam8fWapEboUP/V7kgfS1Z0YzYylQnlgO
 R4Su1IZ4xv+PpkX+DuNa4R53vubA7K4KZSbNyFZkQ9ummNM1JoOVxhpgm3vwfpGG2B0hXfdeH
 sBwAGrEayJzTHGFjKwZQ==
Received-SPF: pass client-ip=217.72.192.78; envelope-from=arne_bab@HIDDEN;
 helo=mout.web.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Christopher Lemmer Webber <cwebber@HIDDEN> writes:

> Dr. Arne Babenhauserheide writes:
>
>> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>>
>>>>> #2 is more thorough but also more risky: people could find themselves
>>>>> locked out of their server after reconfiguration, though this could be
>>>>> mitigated by a news entry.
>>>>>
>>>>> Thoughts?
>>
>> My thoughts are that there is no mitigation for being locked out of a
>> pre-existing server. Keep in mind that that server might not actually be
>> accessible in any other way =E2=80=94 it might be with a cheap hoster wh=
ose
>> support is practically non-existent, or it might be in a sealed
>> measurement container that can only be accessed via SSH without
>> disassembly.
>>
>>>> We could also do a combination of the above, as a transitional plan:
>>>> do #1 for now, but try to advertise that in the future, the default wi=
ll
>>>> be changing... please explicitly set password access to #t if you need
>>>> this!  Then in the *following* release, change the default.
>>
>> This sounds like trying to retroactively fixing a problem at the wrong
>> place: If the installer creates a configuration which prevents
>> password-authentication, there is no problem for new systems and new
>> users who need password-authentication will explicitly see in the
>> config, that they have to change it, otherwise it won=E2=80=99t work. Al=
l the
>> while old systems will keep working.
>>
>> I do need to access my system via password+ssh from time to time,
>> because I don=E2=80=99t want to have a key that can access my system on a
>> presentation-laptop that (due to being moved regularly) is much less
>> secure than the fixed system. If someone gets access to the laptop and
>> compromises my keys, they can run much more efficient attacks against
>> its ssh-keys' password than the attacks people can use to attack ssh via
>> internet.
>>
>> Changing a default (an invisible setting) in a way that prevents access
>> is a serious disruption.
>>
>> In short: please don=E2=80=99t break running systems on update.
>>
>> Best wishes,
>> Arne
>
> It's a serious concern.  We are left in a tough bind: leave users with
> an insecure default but try to inform them as much as we can of a
> changing default, or possibly lock them out if they don't notice.
>
> Still, now feels like to me the ideal time to do it.  The number of
> people running GuixSD on servers is comparatively small.  I expect that
> to change.  It would be better to make this change sooner than later.

If the installer and the configuration examples are changed now, then
the number of people who unknowingly run Guix on an insecure
configuration should not rise.

To nudge them to secure their system, guix system reconfigure could emit
a warning that this is a potential security risk that requires setting
an explicit value (password yes or no) to silence.

Best wishes,
Arne
=2D-=20
Unpolitisch sein
hei=C3=9Ft politisch sein
ohne es zu merken

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAl/OiFgQHGFybmVfYmFi
QHdlYi5kZQAKCRAT741FJAPD64uSEADMFUmtHqD0E5RLG1y3Fk8liw3awm/IeXQc
iT/dtdk+1+GmQJ2QMdt180dWjz77UJratQoNxbH0iSILVYV38a+rNONxLU/t60pX
I5ye0ID/Ts9K2a2Ih+7ASP6ElD3uPlJcCud5QoDE6LX7bUrWm1310FJTz6NbJEz1
Xiv1x4xl/cMdtVSa1OEeJ2E7mrxIs2dGtSKQ0uPdZsYeKX8M6KovSxB+MyV2TLIH
AtIwZDaKJH5N/nJi3u5XAtzRf6rFcwjoDoKPicKIMmKLzCW6M8kMLngCb6AXxZf5
/P/tV+oXpOP7GN8WS4w2ScP/yph0bibP9hbj0viKDTX4YrXKYgZT9RcAD4k+tykO
CgPVGEpbMw3f/Ah/0Xi+7zkWDJSxu7FUIPlTDiGGbDetnVKtw/yXeKgSwjBCeZVL
51AEk72KzAQvELS2Gg2yyJzyI03sZzdCbO6dsqWCbdiFdrlWvPIOyZlnOavijXVA
QFNKJ7NtM9hu15yitaH3Lk01MOMc1UdUEmnVyTJu2i77xJr6M0OfxiL3v/dAVgKw
qteyerPrMkelQ/J8q7pNPCQirL6nXi20rfaahX/1DKSOOnE6E9tXPzyHLfzZ1ZcI
AA8KrFnXr8SxLX9LqbMwEpRmZXz4ZaSu5U0b1Lto5/BfTUDbjcY8zkGgyapz3jVV
QpMRDrQdlojEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAl/OiFgQHGFy
bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSJ9PA/9M0egTZgXt4RBUsE4pGZliYY3z
B1FL1IuEw/YFpmf53NVxqQxFrAZM1N1W/RZ5x/1cAXiEg2M4gYTDSf/ff+Mfprxd
tNeAqy0P4wPjUv/RjAWMxzOqlp6wZvNt7lLvEu1xxjy3Dd1lUW9h/+NiCEx+CiIf
/S9SDL0leN17AngDAw==
=I42Q
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 19:40:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 14:40:24 2020
Received: from localhost ([127.0.0.1]:55544 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmMMy-0006FM-HB
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:40:24 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43023)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1kmMMw-0006F2-LU
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 14:40:23 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 876995C0244;
 Mon,  7 Dec 2020 14:40:17 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Mon, 07 Dec 2020 14:40:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:content-transfer-encoding:in-reply-to; s=mesmtp;
 bh=OkLUasV13vkonrCMjAN6F9CEwKpNoLSIp9yj6b6Oj90=; b=Skte+A4vT7tV
 O3x5m3jlqM09/khVyOIAVBTqplyebGWaEaGSOw99b21pPzuFGQYmAYezYLQIAYN6
 l+jKfw4f1wOWzViyw/1EhktbwOwgpFYtUO8eOmsVarhJWNvP79hwaejKSEHn+R9n
 unPyf5RnecP0cVBvbsi3/jvMdG1bcSc=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm1; bh=OkLUasV13vkonrCMjAN6F9CEwKpNoLSIp9yj6b6Oj
 90=; b=fL4fzm0BWo5yJEN8Lz2A+t+D/819DtodPUtMUugJAyXVHEj51jW1MlXJo
 07dnG8m3lfY+pHtszRQfgWrSf9Q4PFbM7WIFFPByzl7S544oGTcYhWYhbCm5niXM
 jDcKONDCQVQzq+Zsx4PVlgvBLDIfUlzQw58Y+L82qQw1xPfEuqIJ5t3KhJj61QYq
 GzUdqrd0isbq9DHzFvfUHAXqmSoLLhEp49q0FkK7KfieTP+MwDagEoaoT4fkp40e
 gJ7byAhYPi1fk8UBSjOc+xgYKeUNx0BnctuXZOVbOKjbuZnVigrQfKJYWJgo0JWc
 SxGqvaawZ7rN3eke9Ewuci0kQEbxQ==
X-ME-Sender: <xms:IIXOX5M_Su2FhounWM04OYuON3Vnu-ByLtq3Wx6BHR1QQLtYblVDjQ>
 <xme:IIXOX78_NRvpJys9sP5u7-hGlHUXVrPJNH_elLEU9CrxiS8UX3J6cd_ChEoIHoSqy
 O3auw9tGI4pkuycNg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudejgedguddvjecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
 enucfjughrpeffhffvuffkfhggtggugfgjsehtkeertddttdejnecuhfhrohhmpefnvgho
 ucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrg
 htthgvrhhnpeegjeeggeehtddugfffuddtvdfffeffjeekffffveffheegvddvuedtffek
 jeejjeenucfkphepjeefrddugedurdduvdejrddugeeinecuvehluhhsthgvrhfuihiivg
 eptdenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghm
 vg
X-ME-Proxy: <xmx:IIXOX4QWZsqzhlFzT1wgi-l7SpI8oEBuiCRx2s7L0m4B4KeDnA9x2A>
 <xmx:IIXOX1uaRWRNWcWI8pKiKrTmdUKWJPmwt_SQQlr2Asgk4pgjRzXCXA>
 <xmx:IIXOXxc_eKwVY7oyE5X6hXCR26nje1oVqd9Pn7lmMuQ6_fy3qvTgXQ>
 <xmx:IYXOXxF2VRf8AE8bwV59tdw2mOXU6GnFKWnANQANR0LBivd70Nw9Pw>
Received: from localhost (c-73-141-127-146.hsd1.pa.comcast.net
 [73.141.127.146])
 by mail.messagingengine.com (Postfix) with ESMTPA id B5F8D240062;
 Mon,  7 Dec 2020 14:40:16 -0500 (EST)
Date: Mon, 7 Dec 2020 14:40:15 -0500
From: Leo Famulari <leo@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on leaves
 users vulnerable
Message-ID: <X86FH7Mt3353VRGL@HIDDEN>
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87k0twkt9c.fsf@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 44808
Cc: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:
> >   2. Change the default value of the relevant field in
> >      <openssh-configuration>.
> >
> > #2 is more thorough but also more risky: people could find themselves
> > locked out of their server after reconfiguration, though this could be
> > mitigated by a news entry.

I do think we should avoid changing the default. I know that passphrases
are inherently riskier than keys — compromise is more likely than with a
key, but I think it's even more likely that people will lose access to
their servers if we change this default.

How bad is the risk, from a practical perspective? How many times per
second can a remote attacker attempt passphrase authentication? If the
number is high, we could petition OpenSSH to introduce a delay.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 16:49:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 11:49:21 2020
Received: from localhost ([127.0.0.1]:55301 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmJhR-0008K0-4E
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 11:49:21 -0500
Received: from dustycloud.org ([50.116.34.160]:55202)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1kmJhP-0008Jr-62
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 11:49:20 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 5DB8D265FA;
 Mon,  7 Dec 2020 11:49:18 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87a6upepwb.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 11:48:41 -0500
Message-ID: <87sg8hlfyu.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Dr. Arne Babenhauserheide writes:

> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>
>>>> #2 is more thorough but also more risky: people could find themselves
>>>> locked out of their server after reconfiguration, though this could be
>>>> mitigated by a news entry.
>>>>
>>>> Thoughts?
>
> My thoughts are that there is no mitigation for being locked out of a
> pre-existing server. Keep in mind that that server might not actually be
> accessible in any other way =E2=80=94 it might be with a cheap hoster who=
se
> support is practically non-existent, or it might be in a sealed
> measurement container that can only be accessed via SSH without
> disassembly.
>
>>> We could also do a combination of the above, as a transitional plan:
>>> do #1 for now, but try to advertise that in the future, the default will
>>> be changing... please explicitly set password access to #t if you need
>>> this!  Then in the *following* release, change the default.
>
> This sounds like trying to retroactively fixing a problem at the wrong
> place: If the installer creates a configuration which prevents
> password-authentication, there is no problem for new systems and new
> users who need password-authentication will explicitly see in the
> config, that they have to change it, otherwise it won=E2=80=99t work. All=
 the
> while old systems will keep working.
>
> I do need to access my system via password+ssh from time to time,
> because I don=E2=80=99t want to have a key that can access my system on a
> presentation-laptop that (due to being moved regularly) is much less
> secure than the fixed system. If someone gets access to the laptop and
> compromises my keys, they can run much more efficient attacks against
> its ssh-keys' password than the attacks people can use to attack ssh via
> internet.
>
> Changing a default (an invisible setting) in a way that prevents access
> is a serious disruption.
>
> In short: please don=E2=80=99t break running systems on update.
>
> Best wishes,
> Arne

It's a serious concern.  We are left in a tough bind: leave users with
an insecure default but try to inform them as much as we can of a
changing default, or possibly lock them out if they don't notice.

Still, now feels like to me the ideal time to do it.  The number of
people running GuixSD on servers is comparatively small.  I expect that
to change.  It would be better to make this change sooner than later.

I understand your concern though...

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 7 Dec 2020 16:49:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 11:49:25 2020
Received: from localhost ([127.0.0.1]:55304 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmJhV-0008KH-DJ
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 11:49:25 -0500
Received: from lists.gnu.org ([209.51.188.17]:52242)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1kmJhT-0008K9-GJ
 for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 11:49:23 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:36880)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1kmJhR-0008FB-Sr
 for bug-guix@HIDDEN; Mon, 07 Dec 2020 11:49:23 -0500
Received: from dustycloud.org ([2600:3c02::f03c:91ff:feae:cb51]:40284)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1kmJhQ-0001GP-Ec; Mon, 07 Dec 2020 11:49:21 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 5DB8D265FA;
 Mon,  7 Dec 2020 11:49:18 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN> <87a6upepwb.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87a6upepwb.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 11:48:41 -0500
Message-ID: <87sg8hlfyu.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2600:3c02::f03c:91ff:feae:cb51;
 envelope-from=cwebber@HIDDEN; helo=dustycloud.org
X-Spam_score_int: 14
X-Spam_score: 1.4
X-Spam_bar: +
X-Spam_report: (1.4 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 2.2 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Dr. Arne Babenhauserheide writes: > Ludovic Courtès <ludo@HIDDEN>
    writes: > >>>> #2 is more thorough but also more risky: people could find
    themselves >>>> locked out of their server after reconfiguration, though
   this could be >>>> [...] 
 
 Content analysis details:   (2.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                             medium trust
                             [209.51.188.17 listed in list.dnswl.org]
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  3.6 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                             [2600:3c02:0:0:f03c:91ff:feae:cb51 listed in]
                             [zen.spamhaus.org]
  0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                             [209.51.188.17 listed in wl.mailspike.net]
  0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-Debbugs-Envelope-To: submit
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.2 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Dr. Arne Babenhauserheide writes: > Ludovic Courtès <ludo@HIDDEN>
    writes: > >>>> #2 is more thorough but also more risky: people could find
    themselves >>>> locked out of their server after reconfiguration, though
   this could be >>>> [...] 
 
 Content analysis details:   (1.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  3.6 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                             [2600:3c02:0:0:f03c:91ff:feae:cb51 listed in]
                             [zen.spamhaus.org]
  0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                             [209.51.188.17 listed in wl.mailspike.net]
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                             medium trust
                             [209.51.188.17 listed in list.dnswl.org]
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

Dr. Arne Babenhauserheide writes:

> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>
>>>> #2 is more thorough but also more risky: people could find themselves
>>>> locked out of their server after reconfiguration, though this could be
>>>> mitigated by a news entry.
>>>>
>>>> Thoughts?
>
> My thoughts are that there is no mitigation for being locked out of a
> pre-existing server. Keep in mind that that server might not actually be
> accessible in any other way =E2=80=94 it might be with a cheap hoster who=
se
> support is practically non-existent, or it might be in a sealed
> measurement container that can only be accessed via SSH without
> disassembly.
>
>>> We could also do a combination of the above, as a transitional plan:
>>> do #1 for now, but try to advertise that in the future, the default will
>>> be changing... please explicitly set password access to #t if you need
>>> this!  Then in the *following* release, change the default.
>
> This sounds like trying to retroactively fixing a problem at the wrong
> place: If the installer creates a configuration which prevents
> password-authentication, there is no problem for new systems and new
> users who need password-authentication will explicitly see in the
> config, that they have to change it, otherwise it won=E2=80=99t work. All=
 the
> while old systems will keep working.
>
> I do need to access my system via password+ssh from time to time,
> because I don=E2=80=99t want to have a key that can access my system on a
> presentation-laptop that (due to being moved regularly) is much less
> secure than the fixed system. If someone gets access to the laptop and
> compromises my keys, they can run much more efficient attacks against
> its ssh-keys' password than the attacks people can use to attack ssh via
> internet.
>
> Changing a default (an invisible setting) in a way that prevents access
> is a serious disruption.
>
> In short: please don=E2=80=99t break running systems on update.
>
> Best wishes,
> Arne

It's a serious concern.  We are left in a tough bind: leave users with
an insecure default but try to inform them as much as we can of a
changing default, or possibly lock them out if they don't notice.

Still, now feels like to me the ideal time to do it.  The number of
people running GuixSD on servers is comparatively small.  I expect that
to change.  It would be better to make this change sooner than later.

I understand your concern though...

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 12:56:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 07:56:22 2020
Received: from localhost ([127.0.0.1]:52842 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmG3y-00082Q-Bt
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 07:56:22 -0500
Received: from mout.web.de ([212.227.15.4]:34327)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arne_bab@HIDDEN>) id 1kmG3t-000828-Nk
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 07:56:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1607345767;
 bh=BxlAxmAPY6PBCvEUZ/Ni5KxNO2bC1FCD+DiPpImkEaY=;
 h=X-UI-Sender-Class:References:From:To:Cc:Subject:In-reply-to:Date;
 b=cuj4cXu3rY8LFXCwx/lki2yfKZktYJnKo6kC382/7z7se+EW4aQvWx1GW8qMbu6DC
 OjmcIaJYdzemNfuh2TqFdX/LckTgoSHHohDS6Hj9EJwmmxcwH7ki4bLpXPRfu5O4Yz
 y7qyo2DZtQFqkvTrfo4hzUs/guwLBc4X1fG5EOow=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from fluss ([84.149.87.37]) by smtp.web.de (mrweb002
 [213.165.67.108]) with ESMTPSA (Nemesis) id 0M8zdd-1ks0HT3TeX-00CUBV; Mon, 07
 Dec 2020 13:56:06 +0100
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87sg8hzvdx.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 13:56:04 +0100
Message-ID: <87a6upepwb.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Provags-ID: V03:K1:JIxta9xU1k3ipYvHmYRxogn5+dxsQ3nxTNoNvQ/+Ptdf1iiZyH1
 g/kn+XMM0GKFEyZQlk11zhEXxwgW06QV83YnTdySO5n2wCaINx+v9JGPJJLXvjd/5/rDyyM
 yKKDyOnbmj6c6yCOWhICfOE2X2ocPWosyxWKStxFoX3P5WHjnRrykLo7yz1AB7bFw0oESjd
 BFvaSvmtDvPO15EtTPMIg==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:EEkqUNcVJ1M=:m/2AQAfqHpSGbkJVWnXeHH
 +nv9OBW2fsDGznuQS9Ew+RGNvmKVLt1Buqu0Gd6qvqgze5lqpZivKiX0wkg+MORdZcP0hRg+6
 JJgAzaXk8Yy49lHjr3uR/JbtvxKF0lgxe1GroXo046K3BryJD9Ls9bKs2m7SUVUhx4e37x/mW
 oGJg46lveFjMlxP9wwpmnsPZzXWKUtfh7oIMME1n8mpH4S++cTXUxIN2q+t8Agf+NVw3allgm
 4IydCgbqHRj9jzXJsraqvYblsU6wCFGq5lAWXjKNbF3trOwITCT7dw0x6jFnte+vUT6+1T26a
 ap5xlCPArBWhXwI9DtwzI14xrrhdqj9mq8cglxgmtLv5kEuXfQ4bZF7q0x89t9fCEF6WAoMez
 vCg0L9iSfXnufJY4nZrck62AcsTdAriK60LlhoFpV0UtX6f7Amh6wKKDXhdau4V26OYAbu/Al
 /c4ft/bSUol+Z5KFmhrbjbJScsyvy0kVhCr57AsHFRD76pymn1D2wASwcYtfABNnTsykH8ZWX
 Kx0feW11ldLGfMOqFdeR0OxBveO2WsUkj81pWcJkgch2A2jN4r2gur/5bLpjmmav6/Tg03iRZ
 CmHvIMzKCpotLPhnK2j3+KVc/kVVw/RkDINSw2dzIO88a3idM57N8E0Q5z9fQXrK8cu6pFSvX
 5ONonBuAy0yOeAQv1WhZGwyS3jASALp8MCps5YjnplH8t/UCuXjDrBN4MTRjIfI8hn9foD4eo
 ICasogEaZxt8uNO2lB03rldxU3GG8q15Z+od0bY5ErdOfU5UZw9zxlGQkOkvh1/QmdVDweVCw
 kvq2uOtdDspjEREq+DBRC8ZV2bDzfw3ob/TXFebOdZkf+JfKG/0Fv5vlotFx+7wBoyCGW+jdT
 fylAChq3SVfD11P4rslQ==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

>>> #2 is more thorough but also more risky: people could find themselves
>>> locked out of their server after reconfiguration, though this could be
>>> mitigated by a news entry.
>>>
>>> Thoughts?

My thoughts are that there is no mitigation for being locked out of a
pre-existing server. Keep in mind that that server might not actually be
accessible in any other way =E2=80=94 it might be with a cheap hoster whose
support is practically non-existent, or it might be in a sealed
measurement container that can only be accessed via SSH without
disassembly.

>> We could also do a combination of the above, as a transitional plan:
>> do #1 for now, but try to advertise that in the future, the default will
>> be changing... please explicitly set password access to #t if you need
>> this!  Then in the *following* release, change the default.

This sounds like trying to retroactively fixing a problem at the wrong
place: If the installer creates a configuration which prevents
password-authentication, there is no problem for new systems and new
users who need password-authentication will explicitly see in the
config, that they have to change it, otherwise it won=E2=80=99t work. All t=
he
while old systems will keep working.

I do need to access my system via password+ssh from time to time,
because I don=E2=80=99t want to have a key that can access my system on a
presentation-laptop that (due to being moved regularly) is much less
secure than the fixed system. If someone gets access to the laptop and
compromises my keys, they can run much more efficient attacks against
its ssh-keys' password than the attacks people can use to attack ssh via
internet.

Changing a default (an invisible setting) in a way that prevents access
is a serious disruption.

In short: please don=E2=80=99t break running systems on update.

Best wishes,
Arne
=2D-=20
Unpolitisch sein
hei=C3=9Ft politisch sein
ohne es zu merken

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAl/OJmUQHGFybmVfYmFi
QHdlYi5kZQAKCRAT741FJAPD61kDEADEZc98uVkPR+pFPUf9RotGAMeF6awBwa/z
q3cGIVrelsiJulny84BWiR2PEd3j7Xbx7pSNsc1PNfye+M+gDSh1OdUsnh1xNGmH
CMYUKabyEeUUq//N0IDqXtZ0221BsxSiBA5bDBQlZxTR4MzkgWaCAmFFNoSqo+la
TcRsbzntfF1L9xSj/rGF1Q7xQ5uIYMnl2nteBidwAATkRhIUjKwmC9E2zC84mtA0
1z2n1SaQLmfBWzqfwu5ZZMZ7mwZcT30qz2MT4SRcY0jpZ978U0VkPxQbczFIxTel
EX9tYK6w7B/DHt256isVdid4oaip8Ei2umfY/HfAwmKk4Hq6FJAYYpiQnMNOb48W
UWV8VWfOc+IrAuOYoXJHhFMSSNTyNhT853K7FVAw5QFlFQO71PCYesluKuhS7DN2
xLqIoMmEAiOHn5hbBkd3ZZUkJ2nzWq9JhhRuaSDJTR7HHNjfTtHV0q8yV3KBqJHd
XqiehMDeJnsuW101dqvGEZBv9bYo0HEN3Lmuj+izNg2el8A3K/8vUOx7KYPtbhqd
0Tqek/VndIAPsJ5zlKSAUn+o8myhgDuM5eaFFvQAH+WNMnqiIh+kdc+dfDpcoEyz
JK+ExDuk0oLP1wJN3ZCFhXStYQJfgGqughGhSpF0Xg6fECPHEcNVFj3lj7ome7nU
dF0OcWd1KIjEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAl/OJmUQHGFy
bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSAWmBACdm9rbbnnRsGmmixzxC0v0uSQe
apSAtCACFlLWreldBYHXj1VaHOuDFikEt+a4nL5B0l4XA398NMIy9TIPA2RdAotJ
dfKAYiKDCZ91aXpF+P2z6WCmzpLPQkRb9QlOWeN7y/pILtrEA6wYGL1mxNsXfmWK
QmQLZpWxRbx0CZ4Yeg==
=XUep
-----END PGP SIGNATURE-----
--=-=-=--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 7 Dec 2020 12:57:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 07:57:00 2020
Received: from localhost ([127.0.0.1]:52845 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmG4Z-00083E-Lv
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 07:56:59 -0500
Received: from lists.gnu.org ([209.51.188.17]:57072)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <arne_bab@HIDDEN>) id 1kmG4U-000832-6s
 for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 07:56:58 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:58762)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <arne_bab@HIDDEN>) id 1kmG4T-0003rP-P6
 for bug-guix@HIDDEN; Mon, 07 Dec 2020 07:56:53 -0500
Received: from mout.web.de ([212.227.15.4]:57743)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <arne_bab@HIDDEN>)
 id 1kmG40-00045H-Nn; Mon, 07 Dec 2020 07:56:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1607345767;
 bh=BxlAxmAPY6PBCvEUZ/Ni5KxNO2bC1FCD+DiPpImkEaY=;
 h=X-UI-Sender-Class:References:From:To:Cc:Subject:In-reply-to:Date;
 b=cuj4cXu3rY8LFXCwx/lki2yfKZktYJnKo6kC382/7z7se+EW4aQvWx1GW8qMbu6DC
 OjmcIaJYdzemNfuh2TqFdX/LckTgoSHHohDS6Hj9EJwmmxcwH7ki4bLpXPRfu5O4Yz
 y7qyo2DZtQFqkvTrfo4hzUs/guwLBc4X1fG5EOow=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from fluss ([84.149.87.37]) by smtp.web.de (mrweb002
 [213.165.67.108]) with ESMTPSA (Nemesis) id 0M8zdd-1ks0HT3TeX-00CUBV; Mon, 07
 Dec 2020 13:56:06 +0100
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
 <87sg8hzvdx.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: "Dr. Arne Babenhauserheide" <arne_bab@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87sg8hzvdx.fsf@HIDDEN>
Date: Mon, 07 Dec 2020 13:56:04 +0100
Message-ID: <87a6upepwb.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Provags-ID: V03:K1:JIxta9xU1k3ipYvHmYRxogn5+dxsQ3nxTNoNvQ/+Ptdf1iiZyH1
 g/kn+XMM0GKFEyZQlk11zhEXxwgW06QV83YnTdySO5n2wCaINx+v9JGPJJLXvjd/5/rDyyM
 yKKDyOnbmj6c6yCOWhICfOE2X2ocPWosyxWKStxFoX3P5WHjnRrykLo7yz1AB7bFw0oESjd
 BFvaSvmtDvPO15EtTPMIg==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:EEkqUNcVJ1M=:m/2AQAfqHpSGbkJVWnXeHH
 +nv9OBW2fsDGznuQS9Ew+RGNvmKVLt1Buqu0Gd6qvqgze5lqpZivKiX0wkg+MORdZcP0hRg+6
 JJgAzaXk8Yy49lHjr3uR/JbtvxKF0lgxe1GroXo046K3BryJD9Ls9bKs2m7SUVUhx4e37x/mW
 oGJg46lveFjMlxP9wwpmnsPZzXWKUtfh7oIMME1n8mpH4S++cTXUxIN2q+t8Agf+NVw3allgm
 4IydCgbqHRj9jzXJsraqvYblsU6wCFGq5lAWXjKNbF3trOwITCT7dw0x6jFnte+vUT6+1T26a
 ap5xlCPArBWhXwI9DtwzI14xrrhdqj9mq8cglxgmtLv5kEuXfQ4bZF7q0x89t9fCEF6WAoMez
 vCg0L9iSfXnufJY4nZrck62AcsTdAriK60LlhoFpV0UtX6f7Amh6wKKDXhdau4V26OYAbu/Al
 /c4ft/bSUol+Z5KFmhrbjbJScsyvy0kVhCr57AsHFRD76pymn1D2wASwcYtfABNnTsykH8ZWX
 Kx0feW11ldLGfMOqFdeR0OxBveO2WsUkj81pWcJkgch2A2jN4r2gur/5bLpjmmav6/Tg03iRZ
 CmHvIMzKCpotLPhnK2j3+KVc/kVVw/RkDINSw2dzIO88a3idM57N8E0Q5z9fQXrK8cu6pFSvX
 5ONonBuAy0yOeAQv1WhZGwyS3jASALp8MCps5YjnplH8t/UCuXjDrBN4MTRjIfI8hn9foD4eo
 ICasogEaZxt8uNO2lB03rldxU3GG8q15Z+od0bY5ErdOfU5UZw9zxlGQkOkvh1/QmdVDweVCw
 kvq2uOtdDspjEREq+DBRC8ZV2bDzfw3ob/TXFebOdZkf+JfKG/0Fv5vlotFx+7wBoyCGW+jdT
 fylAChq3SVfD11P4rslQ==
Received-SPF: pass client-ip=212.227.15.4; envelope-from=arne_bab@HIDDEN;
 helo=mout.web.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
Cc: Christopher Lemmer Webber <cwebber@HIDDEN>, bug-guix@HIDDEN,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

>>> #2 is more thorough but also more risky: people could find themselves
>>> locked out of their server after reconfiguration, though this could be
>>> mitigated by a news entry.
>>>
>>> Thoughts?

My thoughts are that there is no mitigation for being locked out of a
pre-existing server. Keep in mind that that server might not actually be
accessible in any other way =E2=80=94 it might be with a cheap hoster whose
support is practically non-existent, or it might be in a sealed
measurement container that can only be accessed via SSH without
disassembly.

>> We could also do a combination of the above, as a transitional plan:
>> do #1 for now, but try to advertise that in the future, the default will
>> be changing... please explicitly set password access to #t if you need
>> this!  Then in the *following* release, change the default.

This sounds like trying to retroactively fixing a problem at the wrong
place: If the installer creates a configuration which prevents
password-authentication, there is no problem for new systems and new
users who need password-authentication will explicitly see in the
config, that they have to change it, otherwise it won=E2=80=99t work. All t=
he
while old systems will keep working.

I do need to access my system via password+ssh from time to time,
because I don=E2=80=99t want to have a key that can access my system on a
presentation-laptop that (due to being moved regularly) is much less
secure than the fixed system. If someone gets access to the laptop and
compromises my keys, they can run much more efficient attacks against
its ssh-keys' password than the attacks people can use to attack ssh via
internet.

Changing a default (an invisible setting) in a way that prevents access
is a serious disruption.

In short: please don=E2=80=99t break running systems on update.

Best wishes,
Arne
=2D-=20
Unpolitisch sein
hei=C3=9Ft politisch sein
ohne es zu merken

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAl/OJmUQHGFybmVfYmFi
QHdlYi5kZQAKCRAT741FJAPD61kDEADEZc98uVkPR+pFPUf9RotGAMeF6awBwa/z
q3cGIVrelsiJulny84BWiR2PEd3j7Xbx7pSNsc1PNfye+M+gDSh1OdUsnh1xNGmH
CMYUKabyEeUUq//N0IDqXtZ0221BsxSiBA5bDBQlZxTR4MzkgWaCAmFFNoSqo+la
TcRsbzntfF1L9xSj/rGF1Q7xQ5uIYMnl2nteBidwAATkRhIUjKwmC9E2zC84mtA0
1z2n1SaQLmfBWzqfwu5ZZMZ7mwZcT30qz2MT4SRcY0jpZ978U0VkPxQbczFIxTel
EX9tYK6w7B/DHt256isVdid4oaip8Ei2umfY/HfAwmKk4Hq6FJAYYpiQnMNOb48W
UWV8VWfOc+IrAuOYoXJHhFMSSNTyNhT853K7FVAw5QFlFQO71PCYesluKuhS7DN2
xLqIoMmEAiOHn5hbBkd3ZZUkJ2nzWq9JhhRuaSDJTR7HHNjfTtHV0q8yV3KBqJHd
XqiehMDeJnsuW101dqvGEZBv9bYo0HEN3Lmuj+izNg2el8A3K/8vUOx7KYPtbhqd
0Tqek/VndIAPsJ5zlKSAUn+o8myhgDuM5eaFFvQAH+WNMnqiIh+kdc+dfDpcoEyz
JK+ExDuk0oLP1wJN3ZCFhXStYQJfgGqughGhSpF0Xg6fECPHEcNVFj3lj7ome7nU
dF0OcWd1KIjEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAl/OJmUQHGFy
bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSAWmBACdm9rbbnnRsGmmixzxC0v0uSQe
apSAtCACFlLWreldBYHXj1VaHOuDFikEt+a4nL5B0l4XA398NMIy9TIPA2RdAotJ
dfKAYiKDCZ91aXpF+P2z6WCmzpLPQkRb9QlOWeN7y/pILtrEA6wYGL1mxNsXfmWK
QmQLZpWxRbx0CZ4Yeg==
=XUep
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 7 Dec 2020 11:52:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Dec 07 06:52:04 2020
Received: from localhost ([127.0.0.1]:52722 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kmF3j-0002BS-R7
	for submit <at> debbugs.gnu.org; Mon, 07 Dec 2020 06:52:04 -0500
Received: from eggs.gnu.org ([209.51.188.92]:55370)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1kmF3i-0002Ax-8O
 for 44808 <at> debbugs.gnu.org; Mon, 07 Dec 2020 06:52:02 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:52681)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1kmF3c-0003G4-Ex; Mon, 07 Dec 2020 06:51:56 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=47790 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1kmF3b-0000pn-VW; Mon, 07 Dec 2020 06:51:56 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN> <87k0twkt9c.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 17 Frimaire an 229 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 07 Dec 2020 12:51:54 +0100
In-Reply-To: <87k0twkt9c.fsf@HIDDEN> (Christopher Lemmer Webber's
 message of "Sat, 05 Dec 2020 13:22:23 -0500")
Message-ID: <87sg8hzvdx.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 44808
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Chris,

Christopher Lemmer Webber <cwebber@HIDDEN> skribis:

> Ludovic Court=C3=A8s writes:

[...]

>> Agreed.  There are several ways to do that:
>>
>>   1. Have the installer emit an =E2=80=98openssh-configuration=E2=80=99 =
that explicitly
>>      disables password authentication.
>>
>>   2. Change the default value of the relevant field in
>>      <openssh-configuration>.
>>
>> #2 is more thorough but also more risky: people could find themselves
>> locked out of their server after reconfiguration, though this could be
>> mitigated by a news entry.
>>
>> Thoughts?
>>
>> Ludo=E2=80=99.
>
> We could also do a combination of the above, as a transitional plan:
> do #1 for now, but try to advertise that in the future, the default will
> be changing... please explicitly set password access to #t if you need
> this!  Then in the *following* release, change the default.
>
> This seems like a reasonable transition plan, kind of akin to a
> deprecation process?

Sounds like a plan.  I went ahead and pushed
aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138 which does this.

Thanks,
Ludo=E2=80=99.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 5 Dec 2020 18:23:02 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Dec 05 13:23:02 2020
Received: from localhost ([127.0.0.1]:48211 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1klcCz-0000Yx-PR
	for submit <at> debbugs.gnu.org; Sat, 05 Dec 2020 13:23:01 -0500
Received: from dustycloud.org ([50.116.34.160]:53364)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1klcCx-0000Yk-L6
 for 44808 <at> debbugs.gnu.org; Sat, 05 Dec 2020 13:23:00 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id DA02926641;
 Sat,  5 Dec 2020 13:22:58 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
 <87eek45lpg.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <87eek45lpg.fsf@HIDDEN>
Date: Sat, 05 Dec 2020 13:22:23 -0500
Message-ID: <87k0twkt9c.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Ludovic Court=C3=A8s writes:

> Hi!
>
> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>
>>>> I'm on board with what you're proposing, and I think Guix should
>>>> default to the more secure option, but I'm not sure that an=20
>>>> "average user" (whatever that means for Guix's demographic) would
>>>> expect that password authentication is disabled by default.
>>>
>>> That's fair... I think that
>>> "[ ] Password authentication? (insecure)"
>>> would be sufficient as an option.  How do others feel?
>>
>> I'm +1 on disabling password access out of the box; especially since
>> Guix System makes it easy to authorize SSH keys at installation time.
>> We'd have to see if it breaks any of our system tests, but I doubt so.
>
> Agreed.  There are several ways to do that:
>
>   1. Have the installer emit an =E2=80=98openssh-configuration=E2=80=99 t=
hat explicitly
>      disables password authentication.
>
>   2. Change the default value of the relevant field in
>      <openssh-configuration>.
>
> #2 is more thorough but also more risky: people could find themselves
> locked out of their server after reconfiguration, though this could be
> mitigated by a news entry.
>
> Thoughts?
>
> Ludo=E2=80=99.

We could also do a combination of the above, as a transitional plan:
do #1 for now, but try to advertise that in the future, the default will
be changing... please explicitly set password access to #t if you need
this!  Then in the *following* release, change the default.

This seems like a reasonable transition plan, kind of akin to a
deprecation process?

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 5 Dec 2020 15:14:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Dec 05 10:14:44 2020
Received: from localhost ([127.0.0.1]:47992 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1klZGl-000296-Tg
	for submit <at> debbugs.gnu.org; Sat, 05 Dec 2020 10:14:44 -0500
Received: from eggs.gnu.org ([209.51.188.92]:44374)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1klZGk-00028s-HD
 for 44808 <at> debbugs.gnu.org; Sat, 05 Dec 2020 10:14:42 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:46929)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1klZGf-0004hR-8H; Sat, 05 Dec 2020 10:14:37 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=58522 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1klZGe-0005di-Mz; Sat, 05 Dec 2020 10:14:37 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN> <87im9nmr5u.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 15 Frimaire an 229 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Sat, 05 Dec 2020 16:14:35 +0100
In-Reply-To: <87im9nmr5u.fsf@HIDDEN> (Maxim Cournoyer's message of "Sun, 29
 Nov 2020 22:58:53 -0500")
Message-ID: <87eek45lpg.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 44808
Cc: Christopher Lemmer Webber <cwebber@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi!

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

>>> I'm on board with what you're proposing, and I think Guix should
>>> default to the more secure option, but I'm not sure that an=20
>>> "average user" (whatever that means for Guix's demographic) would
>>> expect that password authentication is disabled by default.
>>
>> That's fair... I think that
>> "[ ] Password authentication? (insecure)"
>> would be sufficient as an option.  How do others feel?
>
> I'm +1 on disabling password access out of the box; especially since
> Guix System makes it easy to authorize SSH keys at installation time.
> We'd have to see if it breaks any of our system tests, but I doubt so.

Agreed.  There are several ways to do that:

  1. Have the installer emit an =E2=80=98openssh-configuration=E2=80=99 tha=
t explicitly
     disables password authentication.

  2. Change the default value of the relevant field in
     <openssh-configuration>.

#2 is more thorough but also more risky: people could find themselves
locked out of their server after reconfiguration, though this could be
mitigated by a news entry.

Thoughts?

Ludo=E2=80=99.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 30 Nov 2020 03:59:03 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Nov 29 22:59:03 2020
Received: from localhost ([127.0.0.1]:53129 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kjaL9-0001l6-2u
	for submit <at> debbugs.gnu.org; Sun, 29 Nov 2020 22:59:03 -0500
Received: from mail-qv1-f44.google.com ([209.85.219.44]:41694)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1kjaL6-0001ka-Uu
 for 44808 <at> debbugs.gnu.org; Sun, 29 Nov 2020 22:59:01 -0500
Received: by mail-qv1-f44.google.com with SMTP id x13so5007736qvk.8
 for <44808 <at> debbugs.gnu.org>; Sun, 29 Nov 2020 19:59:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version;
 bh=V02Zlx3UplLnHLExjXpHGDkluN8f4g6ZWD/mAx/gNYM=;
 b=PBMcq6mDAY2kefYvzZDU40BdG9MF5kD/ForyWLSziuS5DYUC3pk28lP98+aTagPgaG
 FKAxWOselMPj3Do+V1JBuwetG+9CJHWAszyrvf1IBzfDxBHe8c1kJGHxlUjBMcwTvnn4
 OFWtAFeJmsfPpBHD9NfqBTJft3I1g72X7eir152XVK2XtMUDhgTwXQqbI5UO+yBSt9JZ
 p106Bpr5Xv6AdC4DX4axlusLr+1Z1gfDEs7AJBoBjwL+X4WZ4TR8YDEtJvzTyyTAU/93
 7Eu9aiYyDM76XM1Du2S0SuPhsRqFdkJxOYQ+5Jc32vnJF/AUtTmeMIc0SL7qk4zYJSGt
 jBug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version;
 bh=V02Zlx3UplLnHLExjXpHGDkluN8f4g6ZWD/mAx/gNYM=;
 b=cBQOV2jDuKfaN4+/w1Laz6qd9NMolpbgoe+iY872LUa9d41m3MYsgfmAfataNhJXyx
 Ha3IBwnoKgB1baAm47zgcrMIoQyYnBZYZgqcEUrnb0d8sFO3p2KYXURegzGXKuS2YRVo
 82a6CnzwvkZUbwCNrIqIHlSQCvUFfC7q2tpMq42jbFS0SeM15mfubo9De+RiwTbMYaRk
 lEJulJofmGAhIKwxXTaMsapY6Av52uvH69NeFeptBUU5VC10xWY9Cql3lSG6ENSECX6C
 1jaBSehNrmieMqNoshuLMU4nkPhlaZ8B79R7hx/mM/srBAO4jSfVvB16LsF+6hHKbZfo
 1/dg==
X-Gm-Message-State: AOAM530/D+Uloh7fts1cFxugLnVLlYVdWZgT5P+qXP15zpns7vVXyxju
 oNNCpP19OkIND/mKqVWm+SzzGXDxg2ePsQ4O
X-Google-Smtp-Source: ABdhPJy6f1d3eAjF356UBVIyRqA5Fr27+d67u36ZPgA1FoZBg7fXlKanB8Lpn85E9qLrZD+szKznAg==
X-Received: by 2002:ad4:4584:: with SMTP id x4mr20375614qvu.47.1606708735178; 
 Sun, 29 Nov 2020 19:58:55 -0800 (PST)
Received: from hurd (dsl-150-82.b2b2c.ca. [66.158.150.82])
 by smtp.gmail.com with ESMTPSA id m10sm1910989qtp.46.2020.11.29.19.58.54
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 29 Nov 2020 19:58:54 -0800 (PST)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
 <87im9w2gjt.fsf@HIDDEN>
Date: Sun, 29 Nov 2020 22:58:53 -0500
In-Reply-To: <87im9w2gjt.fsf@HIDDEN> (Christopher Lemmer Webber's
 message of "Mon, 23 Nov 2020 11:17:58 -0500")
Message-ID: <87im9nmr5u.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: Carlo Zancanaro <carlo@HIDDEN>, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hello,

Christopher Lemmer Webber <cwebber@HIDDEN> writes:

> Carlo Zancanaro writes:
>
>> Hey Chris!
>>
>> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>>> ... Plus, few distributions do what we're doing anymore, precisely
>>> because of wanting to be secure by default.
>>
>> Is this true? Debian defaults to passwords being allowed. I think it
>> even allows root login by default. At least, I have always had to add
>> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
>> install openssh-server on debian.
>
> Perhaps I'm wrong... I had thought that the last time I installed a
> Debian server, password based access was off by default.  But I could be
> wrong.

I just tried with a Debian Buster VM; password access is enabled out of
the box.

>> I'm on board with what you're proposing, and I think Guix should
>> default to the more secure option, but I'm not sure that an 
>> "average user" (whatever that means for Guix's demographic) would
>> expect that password authentication is disabled by default.
>
> That's fair... I think that
> "[ ] Password authentication? (insecure)"
> would be sufficient as an option.  How do others feel?

I'm +1 on disabling password access out of the box; especially since
Guix System makes it easy to authorize SSH keys at installation time.
We'd have to see if it breaks any of our system tests, but I doubt so.

Patch welcome!

Maxim

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 16:18:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Nov 23 11:18:53 2020
Received: from localhost ([127.0.0.1]:50841 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1khEYH-0005Gt-5n
	for submit <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:18:53 -0500
Received: from dustycloud.org ([50.116.34.160]:58008)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1khEYF-0005Gl-LY
 for 44808 <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:18:51 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 4E8E2266EC;
 Mon, 23 Nov 2020 11:18:27 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN> <874klgybbs.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: Carlo Zancanaro <carlo@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <874klgybbs.fsf@HIDDEN>
Date: Mon, 23 Nov 2020 11:17:58 -0500
Message-ID: <87im9w2gjt.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Carlo Zancanaro writes:

> Hey Chris!
>
> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
>> ... Plus, few distributions do what we're doing anymore, precisely
>> because of wanting to be secure by default.
>
> Is this true? Debian defaults to passwords being allowed. I think it
> even allows root login by default. At least, I have always had to add
> "PermitRootLogin no" and "PasswordAuthentication no" whenever I
> install openssh-server on debian.

Perhaps I'm wrong... I had thought that the last time I installed a
Debian server, password based access was off by default.  But I could be
wrong.

> I'm on board with what you're proposing, and I think Guix should
> default to the more secure option, but I'm not sure that an 
> "average user" (whatever that means for Guix's demographic) would
> expect that password authentication is disabled by default.

That's fair... I think that
"[ ] Password authentication? (insecure)"
would be sufficient as an option.  How do others feel?

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 16:16:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Nov 23 11:16:14 2020
Received: from localhost ([127.0.0.1]:50827 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1khEVi-0005CQ-0O
	for submit <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:16:14 -0500
Received: from dustycloud.org ([50.116.34.160]:57998)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1khEVg-0005CJ-Ij
 for 44808 <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:16:12 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id A2D4C266EC;
 Mon, 23 Nov 2020 11:15:47 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN>
 <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@HIDDEN>
 <20201123044615.13cc0898@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: raingloom <raingloom@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <20201123044615.13cc0898@HIDDEN>
Date: Mon, 23 Nov 2020 11:15:18 -0500
Message-ID: <87r1ok2go9.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: bug-guix@HIDDEN, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

raingloom writes:

> On Mon, 23 Nov 2020 03:32:08 +0100
> Taylan Kammer <taylan.kammer@HIDDEN> wrote:
>
>> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
>> > Okay, I just realized I left a friend vulnerable by guiding them
>> > through a Guix graphical install and telling them it would give
>> > them a decent setup.  They turned on openssh support.
>> > 
>> > Then I realized their config had password-authentication? on.
>> > 
>> > That's unacceptable.  We need to change this default.  This is
>> > known to leave users open to attack, and selecting a password
>> > secure enough against brute forcing is fairly difficult, much more
>> > difficult than only allowing entry by keys.  Plus, few
>> > distributions do what we're doing anymore, precisely because of
>> > wanting to be secure by default.
>> > 
>> > Yes, I know some people want password authentication on as part of a
>> > bootstrapping process.  Fine... those users know to put it on.
>> > Let's not leave our users open to attack by default though.
>> > 
>> > Happy to produce a patch and change the documentation, but I'd like
>> > to hear that we have consensus to make this change.  But we should,
>> > because otherwise else I think we're going to hurt users.  
>> 
>> I think most ideal would be if the user is asked the following two 
>> questions, with a short explanation of what each means:
>> 
>> - Allow root login via SSH?
>> 
>> - Allow password authentication in SSH?
>> 
>> (I think Debian does this.)
>> 
>> Because as you say, on one hand password authentication in SSH can be
>> a security risk.  But on the other hand many machines never have
>> their SSH port exposed to the Internet, and the intranet is assumed
>> to be safe. In those cases it would be an annoyance to have to enable
>> it manually.
>> 
>> Both points apply to direct root login as well I think.
>> 
>> Allowing password authentication but disabling root login might also
>> be considered safe enough on machines exposed to the Internet,
>> because the attacker needs to guess the username as well.  Only
>> presents a small increase in complexity for the attacker though.
>> 
>> 
>> - Taylan
>> 
>> 
>> 
>
> Most people won't know why allowing password authentication is
> unsecure. Either it should be worded differently, have a warning, or
> not be an option.
>
> Same goes doubly so for allowing root login.

Agreed on both counts.

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 23 Nov 2020 16:16:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Nov 23 11:16:17 2020
Received: from localhost ([127.0.0.1]:50830 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1khEVl-0005Ch-8u
	for submit <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:16:17 -0500
Received: from lists.gnu.org ([209.51.188.17]:36760)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1khEVj-0005CY-1V
 for submit <at> debbugs.gnu.org; Mon, 23 Nov 2020 11:16:15 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:43222)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1khEVi-0006nZ-SX
 for bug-guix@HIDDEN; Mon, 23 Nov 2020 11:16:14 -0500
Received: from dustycloud.org ([2600:3c02::f03c:91ff:feae:cb51]:33816)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1khEVh-000336-4p
 for bug-guix@HIDDEN; Mon, 23 Nov 2020 11:16:14 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id A2D4C266EC;
 Mon, 23 Nov 2020 11:15:47 -0500 (EST)
References: <878sat3rnn.fsf@HIDDEN>
 <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@HIDDEN>
 <20201123044615.13cc0898@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: raingloom <raingloom@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <20201123044615.13cc0898@HIDDEN>
Date: Mon, 23 Nov 2020 11:15:18 -0500
Message-ID: <87r1ok2go9.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2600:3c02::f03c:91ff:feae:cb51;
 envelope-from=cwebber@HIDDEN; helo=dustycloud.org
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: bug-guix@HIDDEN, 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

raingloom writes:

> On Mon, 23 Nov 2020 03:32:08 +0100
> Taylan Kammer <taylan.kammer@HIDDEN> wrote:
>
>> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
>> > Okay, I just realized I left a friend vulnerable by guiding them
>> > through a Guix graphical install and telling them it would give
>> > them a decent setup.  They turned on openssh support.
>> > 
>> > Then I realized their config had password-authentication? on.
>> > 
>> > That's unacceptable.  We need to change this default.  This is
>> > known to leave users open to attack, and selecting a password
>> > secure enough against brute forcing is fairly difficult, much more
>> > difficult than only allowing entry by keys.  Plus, few
>> > distributions do what we're doing anymore, precisely because of
>> > wanting to be secure by default.
>> > 
>> > Yes, I know some people want password authentication on as part of a
>> > bootstrapping process.  Fine... those users know to put it on.
>> > Let's not leave our users open to attack by default though.
>> > 
>> > Happy to produce a patch and change the documentation, but I'd like
>> > to hear that we have consensus to make this change.  But we should,
>> > because otherwise else I think we're going to hurt users.  
>> 
>> I think most ideal would be if the user is asked the following two 
>> questions, with a short explanation of what each means:
>> 
>> - Allow root login via SSH?
>> 
>> - Allow password authentication in SSH?
>> 
>> (I think Debian does this.)
>> 
>> Because as you say, on one hand password authentication in SSH can be
>> a security risk.  But on the other hand many machines never have
>> their SSH port exposed to the Internet, and the intranet is assumed
>> to be safe. In those cases it would be an annoyance to have to enable
>> it manually.
>> 
>> Both points apply to direct root login as well I think.
>> 
>> Allowing password authentication but disabling root login might also
>> be considered safe enough on machines exposed to the Internet,
>> because the attacker needs to guess the username as well.  Only
>> presents a small increase in complexity for the attacker though.
>> 
>> 
>> - Taylan
>> 
>> 
>> 
>
> Most people won't know why allowing password authentication is
> unsecure. Either it should be worded differently, have a warning, or
> not be an option.
>
> Same goes doubly so for allowing root login.

Agreed on both counts.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 03:57:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Nov 22 22:57:32 2020
Received: from localhost ([127.0.0.1]:48704 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kh2yq-0004uq-4Y
	for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 22:57:32 -0500
Received: from zancanaro.com.au ([45.76.117.151]:42246)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <carlo@HIDDEN>) id 1kh2yo-0004ue-I6
 for 44808 <at> debbugs.gnu.org; Sun, 22 Nov 2020 22:57:31 -0500
Received: by zancanaro.com.au (Postfix, from userid 116)
 id 6DE5632A5E; Mon, 23 Nov 2020 03:57:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on vultr
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=4.0 tests=ALL_TRUSTED,BAYES_00
 autolearn=ham autolearn_force=no version=3.4.2
Received: from jolteon (ec2-13-55-194-30.ap-southeast-2.compute.amazonaws.com
 [13.55.194.30])
 by zancanaro.com.au (Postfix) with ESMTPSA id 0200932A45;
 Mon, 23 Nov 2020 03:57:27 +0000 (UTC)
References: <878sat3rnn.fsf@HIDDEN>
User-agent: mu4e 1.4.13; emacs 27.1
From: Carlo Zancanaro <carlo@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
In-reply-to: <878sat3rnn.fsf@HIDDEN>
Date: Mon, 23 Nov 2020 14:57:27 +1100
Message-ID: <874klgybbs.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
Cc: 44808 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hey Chris!

On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:
> ... Plus, few distributions do what we're doing anymore, 
> precisely because of wanting to be secure by default.

Is this true? Debian defaults to passwords being allowed. I think 
it even allows root login by default. At least, I have always had 
to add "PermitRootLogin no" and "PasswordAuthentication no" 
whenever I install openssh-server on debian.

I'm on board with what you're proposing, and I think Guix should 
default to the more secure option, but I'm not sure that an 
"average user" (whatever that means for Guix's demographic) would 
expect that password authentication is disabled by default.

Carlo

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 23 Nov 2020 03:54:16 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Nov 22 22:54:16 2020
Received: from localhost ([127.0.0.1]:48700 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kh2vg-0004q9-Jx
	for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 22:54:16 -0500
Received: from lists.gnu.org ([209.51.188.17]:47112)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <raingloom@HIDDEN>) id 1kh2ve-0004q0-4H
 for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 22:54:15 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:52830)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <raingloom@HIDDEN>)
 id 1kh2vd-0002jr-RL
 for bug-guix@HIDDEN; Sun, 22 Nov 2020 22:54:13 -0500
Received: from mx1.riseup.net ([198.252.153.129]:59306)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <raingloom@HIDDEN>)
 id 1kh2vb-0006Al-Px
 for bug-guix@HIDDEN; Sun, 22 Nov 2020 22:54:13 -0500
Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
 by mx1.riseup.net (Postfix) with ESMTPS id 4CfYDd4QfVzFdtw
 for <bug-guix@HIDDEN>; Sun, 22 Nov 2020 19:54:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1606103649; bh=TytooyQ30Y3ZOFbaSCuzcRcQGk5MK9FZ+gocuqLJHN8=;
 h=Date:From:To:Subject:In-Reply-To:References:From;
 b=ZtTfDuKuO2BPuii+aiFesMc4bxRPIoukF1Bperz2cJu5Z0fhD+x6kXUc9R7otLVb+
 6IleCeSor17ht/TocMS+Rvr+JD/5VIRlTMRxL7Verp3VKfgOKSI/95EeF4JMx3oNYd
 Nz91yFyuki+SsQmDaNOxZvZOfc1F7snwDu6+kct8=
X-Riseup-User-ID: 9991ABB925FAA18817FA3B04813F70BCEA830BE739F902AFB765BE488AE2ACA0
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by bell.riseup.net (Postfix) with ESMTPSA id 4CfYDd0ZLFzJmm0
 for <bug-guix@HIDDEN>; Sun, 22 Nov 2020 19:54:08 -0800 (PST)
Date: Mon, 23 Nov 2020 04:46:15 +0100
From: raingloom <raingloom@HIDDEN>
To: bug-guix@HIDDEN
Subject: Re: bug#44808: Default to allowing password authentication on
 leaves users vulnerable
Message-ID: <20201123044615.13cc0898@HIDDEN>
In-Reply-To: <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@HIDDEN>
References: <878sat3rnn.fsf@HIDDEN>
 <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=198.252.153.129;
 envelope-from=raingloom@HIDDEN; helo=mx1.riseup.net
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

On Mon, 23 Nov 2020 03:32:08 +0100
Taylan Kammer <taylan.kammer@HIDDEN> wrote:

> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> > Okay, I just realized I left a friend vulnerable by guiding them
> > through a Guix graphical install and telling them it would give
> > them a decent setup.  They turned on openssh support.
> > 
> > Then I realized their config had password-authentication? on.
> > 
> > That's unacceptable.  We need to change this default.  This is
> > known to leave users open to attack, and selecting a password
> > secure enough against brute forcing is fairly difficult, much more
> > difficult than only allowing entry by keys.  Plus, few
> > distributions do what we're doing anymore, precisely because of
> > wanting to be secure by default.
> > 
> > Yes, I know some people want password authentication on as part of a
> > bootstrapping process.  Fine... those users know to put it on.
> > Let's not leave our users open to attack by default though.
> > 
> > Happy to produce a patch and change the documentation, but I'd like
> > to hear that we have consensus to make this change.  But we should,
> > because otherwise else I think we're going to hurt users.  
> 
> I think most ideal would be if the user is asked the following two 
> questions, with a short explanation of what each means:
> 
> - Allow root login via SSH?
> 
> - Allow password authentication in SSH?
> 
> (I think Debian does this.)
> 
> Because as you say, on one hand password authentication in SSH can be
> a security risk.  But on the other hand many machines never have
> their SSH port exposed to the Internet, and the intranet is assumed
> to be safe. In those cases it would be an annoyance to have to enable
> it manually.
> 
> Both points apply to direct root login as well I think.
> 
> Allowing password authentication but disabling root login might also
> be considered safe enough on machines exposed to the Internet,
> because the attacker needs to guess the username as well.  Only
> presents a small increase in complexity for the attacker though.
> 
> 
> - Taylan
> 
> 
> 

Most people won't know why allowing password authentication is
unsecure. Either it should be worded differently, have a warning, or
not be an option.

Same goes doubly so for allowing root login.

Message received at 44808 <at> debbugs.gnu.org:

Received: (at 44808) by debbugs.gnu.org; 23 Nov 2020 02:32:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Nov 22 21:32:21 2020
Received: from localhost ([127.0.0.1]:48636 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kh1eP-0000mh-0O
	for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 21:32:21 -0500
Received: from mail-wr1-f42.google.com ([209.85.221.42]:34309)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <taylan.kammer@HIDDEN>) id 1kh1eL-0000mS-KF
 for 44808 <at> debbugs.gnu.org; Sun, 22 Nov 2020 21:32:19 -0500
Received: by mail-wr1-f42.google.com with SMTP id r17so17176915wrw.1
 for <44808 <at> debbugs.gnu.org>; Sun, 22 Nov 2020 18:32:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=Bj7d6Ko666gQTLpIqD0zL9x1Q2KlM+on5Q24MbcrcCk=;
 b=oGBPXoQkAFNs0F5fblG11iYtitOJHIG0/8s5uG1Idz7BpFLCuONMm/JP5DG7iFFkfj
 BvYnPS6JTSpDmYdnYd44NMJ7LN8xY9+jtRE9AFGQxjUXTALiNIcPthWdiyIoPTy2rocF
 NTcglFw3gjVAWl9ISz6cfEZwAvw6jqj+/IJi6uNoioLZVWpLdgZX981cMtSBx2OjrGpo
 7EkJIm60UC8EQrnq8WN4sbZgHNI+a37f+psXOYt68GRDIK4ysSMhbwIJC64/mFGQg2N0
 L77kDxsrmF+QSlx82ZZXW6JbjYtDF3ACooJBwZd/HbEYYj2TI02FsYP90Ht+q34g8ZdQ
 xfkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=Bj7d6Ko666gQTLpIqD0zL9x1Q2KlM+on5Q24MbcrcCk=;
 b=H5j7ncuxAb04bfJuKGTf4j2PrXTsQLkrR2w5uuVW93PrTQiMrRZCppfn4wKhc9d1ng
 peNO7Ud+HZD0XBdKS0O9EcmDRlx6vvfy6dyYdFaPcjhia6xu/MgKI0+T73j32AWCo2X+
 51mQaTXY7a/FrarOFMaHITg90Z15SmUVVhDng/VZ6lP7SPmL1siU3OckLUBTlrB8szhQ
 MyLt0NAeShdFdRDqdBeeqxs63/w7uARm3h2D+8rSjVdV3R706UKAxIwNoH+lSHLuRCHO
 MCJXlos85B5Qpqxv8w3XSPQNYZixZnJB9Ys6keZm1LdrlzuWrX/fOu+VzGTTUVr0Lg7n
 CU0g==
X-Gm-Message-State: AOAM530AeK7ceip9tA4ECmp6rM9kZBnSRbeqBUsPysmkdVC+UTq6MS1P
 mtjL9Dier2qsliNn/V9uq0mFCL6o50c=
X-Google-Smtp-Source: ABdhPJyn2fdUCYYr8Jhy+UKIK5TZdivJN6X6cTRDhou9F9nU9V3q3qonD7Q/jX54UpvNvchRQ92Tmw==
X-Received: by 2002:adf:f84e:: with SMTP id d14mr4422718wrq.390.1606098731307; 
 Sun, 22 Nov 2020 18:32:11 -0800 (PST)
Received: from [192.168.178.20] ([109.90.125.150])
 by smtp.gmail.com with ESMTPSA id q12sm14137844wmc.45.2020.11.22.18.32.10
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sun, 22 Nov 2020 18:32:10 -0800 (PST)
Subject: Re: bug#44808: Default to allowing password authentication on leaves
 users vulnerable
To: Christopher Lemmer Webber <cwebber@HIDDEN>, 44808 <at> debbugs.gnu.org
References: <878sat3rnn.fsf@HIDDEN>
From: Taylan Kammer <taylan.kammer@HIDDEN>
Message-ID: <4383f179-8e3a-7ce6-0fc0-f4cefeaf613e@HIDDEN>
Date: Mon, 23 Nov 2020 03:32:08 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <878sat3rnn.fsf@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 44808
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> Okay, I just realized I left a friend vulnerable by guiding them through
> a Guix graphical install and telling them it would give them a decent
> setup.  They turned on openssh support.
> 
> Then I realized their config had password-authentication? on.
> 
> That's unacceptable.  We need to change this default.  This is known to
> leave users open to attack, and selecting a password secure enough
> against brute forcing is fairly difficult, much more difficult than only
> allowing entry by keys.  Plus, few distributions do what we're doing
> anymore, precisely because of wanting to be secure by default.
> 
> Yes, I know some people want password authentication on as part of a
> bootstrapping process.  Fine... those users know to put it on.  Let's
> not leave our users open to attack by default though.
> 
> Happy to produce a patch and change the documentation, but I'd like to
> hear that we have consensus to make this change.  But we should, because
> otherwise else I think we're going to hurt users.

I think most ideal would be if the user is asked the following two 
questions, with a short explanation of what each means:

- Allow root login via SSH?

- Allow password authentication in SSH?

(I think Debian does this.)

Because as you say, on one hand password authentication in SSH can be a 
security risk.  But on the other hand many machines never have their SSH 
port exposed to the Internet, and the intranet is assumed to be safe. 
In those cases it would be an annoyance to have to enable it manually.

Both points apply to direct root login as well I think.

Allowing password authentication but disabling root login might also be 
considered safe enough on machines exposed to the Internet, because the 
attacker needs to guess the username as well.  Only presents a small 
increase in complexity for the attacker though.


- Taylan

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 22 Nov 2020 23:21:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Nov 22 18:21:25 2020
Received: from localhost ([127.0.0.1]:48534 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kgyfc-0004dh-TG
	for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 18:21:25 -0500
Received: from lists.gnu.org ([209.51.188.17]:39152)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1kgyfa-0004dZ-KG
 for submit <at> debbugs.gnu.org; Sun, 22 Nov 2020 18:21:23 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:43282)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1kgyfa-00081C-F9
 for bug-guix@HIDDEN; Sun, 22 Nov 2020 18:21:22 -0500
Received: from dustycloud.org ([50.116.34.160]:35190)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <cwebber@HIDDEN>)
 id 1kgyfZ-0001NT-1v
 for bug-guix@HIDDEN; Sun, 22 Nov 2020 18:21:22 -0500
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 3D5CF26650
 for <bug-guix@HIDDEN>; Sun, 22 Nov 2020 18:20:56 -0500 (EST)
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: bug-guix@HIDDEN
Subject: Default to allowing password authentication on leaves users vulnerable
Date: Sun, 22 Nov 2020 18:20:28 -0500
Message-ID: <878sat3rnn.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=50.116.34.160;
 envelope-from=cwebber@HIDDEN; helo=dustycloud.org
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Okay, I just realized I left a friend vulnerable by guiding them through
a Guix graphical install and telling them it would give them a decent
setup.  They turned on openssh support.

Then I realized their config had password-authentication? on.

That's unacceptable.  We need to change this default.  This is known to
leave users open to attack, and selecting a password secure enough
against brute forcing is fairly difficult, much more difficult than only
allowing entry by keys.  Plus, few distributions do what we're doing
anymore, precisely because of wanting to be secure by default.

Yes, I know some people want password authentication on as part of a
bootstrapping process.  Fine... those users know to put it on.  Let's
not leave our users open to attack by default though.

Happy to produce a patch and change the documentation, but I'd like to
hear that we have consensus to make this change.  But we should, because
otherwise else I think we're going to hurt users.

 - Chris