From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 14:54:18 2020 Received: (at submit) by debbugs.gnu.org; 7 Dec 2020 19:54:18 +0000 Received: from localhost ([127.0.0.1]:55568 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmMaQ-0006aw-57 for submit@debbugs.gnu.org; Mon, 07 Dec 2020 14:54:18 -0500 Received: from lists.gnu.org ([209.51.188.17]:41028) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmMaO-0006ap-Md for submit@debbugs.gnu.org; Mon, 07 Dec 2020 14:54:16 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:56868) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kmMaO-0007b6-EW for bug-guix@gnu.org; Mon, 07 Dec 2020 14:54:16 -0500 Received: from mout.web.de ([217.72.192.78]:34497) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kmMaL-0003c9-Gy; Mon, 07 Dec 2020 14:54:16 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1607370841; bh=Ig57qiuSeNWe6xGO3fHo2GTO7T+TsijTJ8IlWYMXueQ=; h=X-UI-Sender-Class:References:From:To:Cc:Subject:In-reply-to:Date; b=d/O9X6qjeXqbU7ArxTjezLjXJyEwEeV9EsLA2mtUgD41KkPZfMehKgVA40Nd8Z1Wb GAZRNPIkxn/Nu3zamasCAfrqV82K3p3njWfTS6jMokd77lhPys9lP2OXxfAsraUvIK gmEselFPp9LzgTvFfeK4kd1ru2NysBibBZ+uWAaU= X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9 Received: from fluss ([84.149.87.37]) by smtp.web.de (mrweb103 [213.165.67.124]) with ESMTPSA (Nemesis) id 0Lcy1k-1kLrXF1CUq-00iFpW; Mon, 07 Dec 2020 20:54:01 +0100 References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au> <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com> <87eek45lpg.fsf@gnu.org> <87k0twkt9c.fsf@dustycloud.org> <87sg8hzvdx.fsf@gnu.org> <87a6upepwb.fsf@web.de> <87sg8hlfyu.fsf@dustycloud.org> User-agent: mu4e 1.4.13; emacs 27.1 From: "Dr. Arne Babenhauserheide" To: Christopher Lemmer Webber Subject: Re: bug#44808: Default to allowing password authentication on leaves users vulnerable In-reply-to: <87sg8hlfyu.fsf@dustycloud.org> Date: Mon, 07 Dec 2020 20:53:59 +0100 Message-ID: <871rg1e6js.fsf@web.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Provags-ID: V03:K1:/JnSviN8otrB8/sxFD5xtW7LU1DssMCekPdQtzoxUQzSY7jSGu3 tHO0bhxHSg2gXuXPK7UtpDRq86h1THU7998yNMe1y2RAbzPFizJ31rclc4698be/Pu0XFel bS4JqnMkCJTFXKjX/0SDWlNwC5kzO2dlzoz9m5/RRkNVmwMUycR/S26P9oQ8rSbAqVeWVdd lA2UcWm6Uk8GHADMiIwJQ== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:LlVool96tSA=:Z92b/ycwIq5qbjeLiIfgiH Hd2ERuvGDMyV5p9xwj48yrOEcMlaH4aI3Zf7E+1oIdj2ZpTLj6nctSEyrAOtwH3ugxA8hJpAc rzLfMTm/HOJ4F9bErMlVdXsamuPaMGkwhppiWkH4rtC1t4lFZqPAUfBSSiC5DL19UHYIdyAih X8rRN5T+O3QTzWbY2ickaJpBGyI5XxwAlBd7V481e+YkY8rxyKhNjwLDF5s61HXd8vqion+Do 1mkcXp5G4YJaTX/joXFoO/Y1X5eXnMnDg18+EEXFdrkWvP9Y4yoSjdMAGTY64LMxNFEJiafcN jFHD8ygrAmQ/vNn6bOSw48eTABoqSE+rs58iA5uziyeNALEbdVE7Sx4MdEuY9GPYGP4Ncl0iY hJl4NpzeTG3D3I++01yBS6CT5IQV+NrECbS23uqUMzk9a5U/e6J14WO8kmmdDWtqZyuMFd85a TeX4/99GhkyA89jR8Oh3qd1Mh5oyLeyEEAxMrim3+FAkOZgz6awuBKS6OFudX68ReAuekPEDJ d/b2anWFjraCxlatxaYzv663E7sQyXS+hrBzWIJPP0XrUj/Jrk5K5Zvo2z7V4eM56uL21Y8+J PVMZIdJd1ncNeeCqJTr3vxuXuTHFIToUSD0js3eoiMrq0duQJa5rpRQv29Op/6ISaMF9RqlQJ HYaiiJzD34kof1q+Qbh3WjjQsInY03H83orTb/jIvTCB2BeKZ2ySPIeJ0Z1SdMK25nPsnRQ22 h6ZzEiLUen8hLxaTywD4G9M8v23+3cCpzYz7lqPjgam8fWapEboUP/V7kgfS1Z0YzYylQnlgO R4Su1IZ4xv+PpkX+DuNa4R53vubA7K4KZSbNyFZkQ9ummNM1JoOVxhpgm3vwfpGG2B0hXfdeH sBwAGrEayJzTHGFjKwZQ== Received-SPF: pass client-ip=217.72.192.78; envelope-from=arne_bab@web.de; helo=mout.web.de X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= , bug-guix@gnu.org, Maxim Cournoyer , 44808@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Christopher Lemmer Webber writes: > Dr. Arne Babenhauserheide writes: > >> Ludovic Court=C3=A8s writes: >> >>>>> #2 is more thorough but also more risky: people could find themselves >>>>> locked out of their server after reconfiguration, though this could be >>>>> mitigated by a news entry. >>>>> >>>>> Thoughts? >> >> My thoughts are that there is no mitigation for being locked out of a >> pre-existing server. Keep in mind that that server might not actually be >> accessible in any other way =E2=80=94 it might be with a cheap hoster wh= ose >> support is practically non-existent, or it might be in a sealed >> measurement container that can only be accessed via SSH without >> disassembly. >> >>>> We could also do a combination of the above, as a transitional plan: >>>> do #1 for now, but try to advertise that in the future, the default wi= ll >>>> be changing... please explicitly set password access to #t if you need >>>> this! Then in the *following* release, change the default. >> >> This sounds like trying to retroactively fixing a problem at the wrong >> place: If the installer creates a configuration which prevents >> password-authentication, there is no problem for new systems and new >> users who need password-authentication will explicitly see in the >> config, that they have to change it, otherwise it won=E2=80=99t work. Al= l the >> while old systems will keep working. >> >> I do need to access my system via password+ssh from time to time, >> because I don=E2=80=99t want to have a key that can access my system on a >> presentation-laptop that (due to being moved regularly) is much less >> secure than the fixed system. If someone gets access to the laptop and >> compromises my keys, they can run much more efficient attacks against >> its ssh-keys' password than the attacks people can use to attack ssh via >> internet. >> >> Changing a default (an invisible setting) in a way that prevents access >> is a serious disruption. >> >> In short: please don=E2=80=99t break running systems on update. >> >> Best wishes, >> Arne > > It's a serious concern. We are left in a tough bind: leave users with > an insecure default but try to inform them as much as we can of a > changing default, or possibly lock them out if they don't notice. > > Still, now feels like to me the ideal time to do it. The number of > people running GuixSD on servers is comparatively small. I expect that > to change. It would be better to make this change sooner than later. If the installer and the configuration examples are changed now, then the number of people who unknowingly run Guix on an insecure configuration should not rise. To nudge them to secure their system, guix system reconfigure could emit a warning that this is a potential security risk that requires setting an explicit value (password yes or no) to silence. Best wishes, Arne =2D-=20 Unpolitisch sein hei=C3=9Ft politisch sein ohne es zu merken --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJEBAEBCAAuFiEE801qEjXQSQPNItXAE++NRSQDw+sFAl/OiFgQHGFybmVfYmFi QHdlYi5kZQAKCRAT741FJAPD64uSEADMFUmtHqD0E5RLG1y3Fk8liw3awm/IeXQc iT/dtdk+1+GmQJ2QMdt180dWjz77UJratQoNxbH0iSILVYV38a+rNONxLU/t60pX I5ye0ID/Ts9K2a2Ih+7ASP6ElD3uPlJcCud5QoDE6LX7bUrWm1310FJTz6NbJEz1 Xiv1x4xl/cMdtVSa1OEeJ2E7mrxIs2dGtSKQ0uPdZsYeKX8M6KovSxB+MyV2TLIH AtIwZDaKJH5N/nJi3u5XAtzRf6rFcwjoDoKPicKIMmKLzCW6M8kMLngCb6AXxZf5 /P/tV+oXpOP7GN8WS4w2ScP/yph0bibP9hbj0viKDTX4YrXKYgZT9RcAD4k+tykO CgPVGEpbMw3f/Ah/0Xi+7zkWDJSxu7FUIPlTDiGGbDetnVKtw/yXeKgSwjBCeZVL 51AEk72KzAQvELS2Gg2yyJzyI03sZzdCbO6dsqWCbdiFdrlWvPIOyZlnOavijXVA QFNKJ7NtM9hu15yitaH3Lk01MOMc1UdUEmnVyTJu2i77xJr6M0OfxiL3v/dAVgKw qteyerPrMkelQ/J8q7pNPCQirL6nXi20rfaahX/1DKSOOnE6E9tXPzyHLfzZ1ZcI AA8KrFnXr8SxLX9LqbMwEpRmZXz4ZaSu5U0b1Lto5/BfTUDbjcY8zkGgyapz3jVV QpMRDrQdlojEBAEBCAAuFiEE3Si95tmHXKvOSosd3M8NswvBBUgFAl/OiFgQHGFy bmVfYmFiQHdlYi5kZQAKCRDczw2zC8EFSJ9PA/9M0egTZgXt4RBUsE4pGZliYY3z B1FL1IuEw/YFpmf53NVxqQxFrAZM1N1W/RZ5x/1cAXiEg2M4gYTDSf/ff+Mfprxd tNeAqy0P4wPjUv/RjAWMxzOqlp6wZvNt7lLvEu1xxjy3Dd1lUW9h/+NiCEx+CiIf /S9SDL0leN17AngDAw== =I42Q -----END PGP SIGNATURE----- --=-=-=--