Default to allowing password authentication on leaves users vulnerable

> Okay, I just realized I left a friend vulnerable by guiding them through

> a Guix graphical install and telling them it would give them a decent

> setup. They turned on openssh support.

>

> Then I realized their config had password-authentication? on.

>

> That's unacceptable. We need to change this default. This is known to

> leave users open to attack, and selecting a password secure enough

> against brute forcing is fairly difficult, much more difficult than only

> allowing entry by keys. Plus, few distributions do what we're doing

> anymore, precisely because of wanting to be secure by default.

>

> Yes, I know some people want password authentication on as part of a

> bootstrapping process. Fine... those users know to put it on. Let's

> not leave our users open to attack by default though.

>

> Happy to produce a patch and change the documentation, but I'd like to

> hear that we have consensus to make this change. But we should, because

> otherwise else I think we're going to hurt users.

> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:

> > Okay, I just realized I left a friend vulnerable by guiding them

> > through a Guix graphical install and telling them it would give

> > them a decent setup. They turned on openssh support.

> >

> > Then I realized their config had password-authentication? on.

> >

> > That's unacceptable. We need to change this default. This is

> > known to leave users open to attack, and selecting a password

> > secure enough against brute forcing is fairly difficult, much more

> > difficult than only allowing entry by keys. Plus, few

> > distributions do what we're doing anymore, precisely because of

> > wanting to be secure by default.

> >

> > Yes, I know some people want password authentication on as part of a

> > bootstrapping process. Fine... those users know to put it on.

> > Let's not leave our users open to attack by default though.

> >

> > Happy to produce a patch and change the documentation, but I'd like

> > to hear that we have consensus to make this change. But we should,

> > because otherwise else I think we're going to hurt users.

>

> I think most ideal would be if the user is asked the following two

> questions, with a short explanation of what each means:

>

> - Allow root login via SSH?

>

> - Allow password authentication in SSH?

>

> (I think Debian does this.)

>

> Because as you say, on one hand password authentication in SSH can be

> a security risk. But on the other hand many machines never have

> their SSH port exposed to the Internet, and the intranet is assumed

> to be safe. In those cases it would be an annoyance to have to enable

> it manually.

>

> Both points apply to direct root login as well I think.

>

> Allowing password authentication but disabling root login might also

> be considered safe enough on machines exposed to the Internet,

> because the attacker needs to guess the username as well. Only

> presents a small increase in complexity for the attacker though.

>

>

> - Taylan

>

>

>

> ... Plus, few distributions do what we're doing anymore,

> precisely because of wanting to be secure by default.

> On Mon, 23 Nov 2020 03:32:08 +0100

> Taylan Kammer <taylan.kammer@gmail.com> wrote:

>

>> On 23.11.2020 00:20, Christopher Lemmer Webber wrote:

>> > Okay, I just realized I left a friend vulnerable by guiding them

>> > through a Guix graphical install and telling them it would give

>> > them a decent setup. They turned on openssh support.

>> >

>> > Then I realized their config had password-authentication? on.

>> >

>> > That's unacceptable. We need to change this default. This is

>> > known to leave users open to attack, and selecting a password

>> > secure enough against brute forcing is fairly difficult, much more

>> > difficult than only allowing entry by keys. Plus, few

>> > distributions do what we're doing anymore, precisely because of

>> > wanting to be secure by default.

>> >

>> > Yes, I know some people want password authentication on as part of a

>> > bootstrapping process. Fine... those users know to put it on.

>> > Let's not leave our users open to attack by default though.

>> >

>> > Happy to produce a patch and change the documentation, but I'd like

>> > to hear that we have consensus to make this change. But we should,

>> > because otherwise else I think we're going to hurt users.

>>

>> I think most ideal would be if the user is asked the following two

>> questions, with a short explanation of what each means:

>>

>> - Allow root login via SSH?

>>

>> - Allow password authentication in SSH?

>>

>> (I think Debian does this.)

>>

>> Because as you say, on one hand password authentication in SSH can be

>> a security risk. But on the other hand many machines never have

>> their SSH port exposed to the Internet, and the intranet is assumed

>> to be safe. In those cases it would be an annoyance to have to enable

>> it manually.

>>

>> Both points apply to direct root login as well I think.

>>

>> Allowing password authentication but disabling root login might also

>> be considered safe enough on machines exposed to the Internet,

>> because the attacker needs to guess the username as well. Only

>> presents a small increase in complexity for the attacker though.

>>

>>

>> - Taylan

>>

>>

>>

>

> Most people won't know why allowing password authentication is

> unsecure. Either it should be worded differently, have a warning, or

> not be an option.

>

> Same goes doubly so for allowing root login.

> Hey Chris!

>

> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:

>> ... Plus, few distributions do what we're doing anymore, precisely

>> because of wanting to be secure by default.

>

> Is this true? Debian defaults to passwords being allowed. I think it

> even allows root login by default. At least, I have always had to add

> "PermitRootLogin no" and "PasswordAuthentication no" whenever I

> install openssh-server on debian.

> I'm on board with what you're proposing, and I think Guix should

> default to the more secure option, but I'm not sure that an

> "average user" (whatever that means for Guix's demographic) would

> expect that password authentication is disabled by default.

> Carlo Zancanaro writes:

>

>> Hey Chris!

>>

>> On Mon, Nov 23 2020, Christopher Lemmer Webber wrote:

>>> ... Plus, few distributions do what we're doing anymore, precisely

>>> because of wanting to be secure by default.

>>

>> Is this true? Debian defaults to passwords being allowed. I think it

>> even allows root login by default. At least, I have always had to add

>> "PermitRootLogin no" and "PasswordAuthentication no" whenever I

>> install openssh-server on debian.

>

> Perhaps I'm wrong... I had thought that the last time I installed a

> Debian server, password based access was off by default. But I could be

> wrong.

>> I'm on board with what you're proposing, and I think Guix should

>> default to the more secure option, but I'm not sure that an

>> "average user" (whatever that means for Guix's demographic) would

>> expect that password authentication is disabled by default.

>

> That's fair... I think that

> "[ ] Password authentication? (insecure)"

> would be sufficient as an option. How do others feel?

>>> I'm on board with what you're proposing, and I think Guix should

>>> default to the more secure option, but I'm not sure that an

>>> "average user" (whatever that means for Guix's demographic) would

>>> expect that password authentication is disabled by default.

>>

>> That's fair... I think that

>> "[ ] Password authentication? (insecure)"

>> would be sufficient as an option. How do others feel?

>

> I'm +1 on disabling password access out of the box; especially since

> Guix System makes it easy to authorize SSH keys at installation time.

> We'd have to see if it breaks any of our system tests, but I doubt so.

> Hi!

>

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>

>>>> I'm on board with what you're proposing, and I think Guix should

>>>> default to the more secure option, but I'm not sure that an

>>>> "average user" (whatever that means for Guix's demographic) would

>>>> expect that password authentication is disabled by default.

>>>

>>> That's fair... I think that

>>> "[ ] Password authentication? (insecure)"

>>> would be sufficient as an option. How do others feel?

>>

>> I'm +1 on disabling password access out of the box; especially since

>> Guix System makes it easy to authorize SSH keys at installation time.

>> We'd have to see if it breaks any of our system tests, but I doubt so.

>

> Agreed. There are several ways to do that:

>

> 1. Have the installer emit an ‘openssh-configuration’ that explicitly

> disables password authentication.

>

> 2. Change the default value of the relevant field in

> <openssh-configuration>.

>

> #2 is more thorough but also more risky: people could find themselves

> locked out of their server after reconfiguration, though this could be

> mitigated by a news entry.

>

> Thoughts?

>

> Ludo’.

> Ludovic Courtès writes:

>> Agreed. There are several ways to do that:

>>

>> 1. Have the installer emit an ‘openssh-configuration’ that explicitly

>> disables password authentication.

>>

>> 2. Change the default value of the relevant field in

>> <openssh-configuration>.

>>

>> #2 is more thorough but also more risky: people could find themselves

>> locked out of their server after reconfiguration, though this could be

>> mitigated by a news entry.

>>

>> Thoughts?

>>

>> Ludo’.

>

> We could also do a combination of the above, as a transitional plan:

> do #1 for now, but try to advertise that in the future, the default will

> be changing... please explicitly set password access to #t if you need

> this! Then in the *following* release, change the default.

>

> This seems like a reasonable transition plan, kind of akin to a

> deprecation process?

>>> #2 is more thorough but also more risky: people could find themselves

>>> locked out of their server after reconfiguration, though this could be

>>> mitigated by a news entry.

>>>

>>> Thoughts?

>> We could also do a combination of the above, as a transitional plan:

>> do #1 for now, but try to advertise that in the future, the default will

>> be changing... please explicitly set password access to #t if you need

>> this! Then in the *following* release, change the default.

> Ludovic Courtès <ludo@gnu.org> writes:

>

>>>> #2 is more thorough but also more risky: people could find themselves

>>>> locked out of their server after reconfiguration, though this could be

>>>> mitigated by a news entry.

>>>>

>>>> Thoughts?

>

> My thoughts are that there is no mitigation for being locked out of a

> pre-existing server. Keep in mind that that server might not actually be

> accessible in any other way — it might be with a cheap hoster whose

> support is practically non-existent, or it might be in a sealed

> measurement container that can only be accessed via SSH without

> disassembly.

>

>>> We could also do a combination of the above, as a transitional plan:

>>> do #1 for now, but try to advertise that in the future, the default will

>>> be changing... please explicitly set password access to #t if you need

>>> this! Then in the *following* release, change the default.

>

> This sounds like trying to retroactively fixing a problem at the wrong

> place: If the installer creates a configuration which prevents

> password-authentication, there is no problem for new systems and new

> users who need password-authentication will explicitly see in the

> config, that they have to change it, otherwise it won’t work. All the

> while old systems will keep working.

>

> I do need to access my system via password+ssh from time to time,

> because I don’t want to have a key that can access my system on a

> presentation-laptop that (due to being moved regularly) is much less

> secure than the fixed system. If someone gets access to the laptop and

> compromises my keys, they can run much more efficient attacks against

> its ssh-keys' password than the attacks people can use to attack ssh via

> internet.

>

> Changing a default (an invisible setting) in a way that prevents access

> is a serious disruption.

>

> In short: please don’t break running systems on update.

>

> Best wishes,

> Arne

> > 2. Change the default value of the relevant field in

> > <openssh-configuration>.

> >

> > #2 is more thorough but also more risky: people could find themselves

> > locked out of their server after reconfiguration, though this could be

> > mitigated by a news entry.

> Dr. Arne Babenhauserheide writes:

>

>> Ludovic Courtès <ludo@gnu.org> writes:

>>

>>>>> #2 is more thorough but also more risky: people could find themselves

>>>>> locked out of their server after reconfiguration, though this could be

>>>>> mitigated by a news entry.

>>>>>

>>>>> Thoughts?

>>

>> My thoughts are that there is no mitigation for being locked out of a

>> pre-existing server. Keep in mind that that server might not actually be

>> accessible in any other way — it might be with a cheap hoster whose

>> support is practically non-existent, or it might be in a sealed

>> measurement container that can only be accessed via SSH without

>> disassembly.

>>

>>>> We could also do a combination of the above, as a transitional plan:

>>>> do #1 for now, but try to advertise that in the future, the default will

>>>> be changing... please explicitly set password access to #t if you need

>>>> this! Then in the *following* release, change the default.

>>

>> This sounds like trying to retroactively fixing a problem at the wrong

>> place: If the installer creates a configuration which prevents

>> password-authentication, there is no problem for new systems and new

>> users who need password-authentication will explicitly see in the

>> config, that they have to change it, otherwise it won’t work. All the

>> while old systems will keep working.

>>

>> I do need to access my system via password+ssh from time to time,

>> because I don’t want to have a key that can access my system on a

>> presentation-laptop that (due to being moved regularly) is much less

>> secure than the fixed system. If someone gets access to the laptop and

>> compromises my keys, they can run much more efficient attacks against

>> its ssh-keys' password than the attacks people can use to attack ssh via

>> internet.

>>

>> Changing a default (an invisible setting) in a way that prevents access

>> is a serious disruption.

>>

>> In short: please don’t break running systems on update.

>>

>> Best wishes,

>> Arne

>

> It's a serious concern. We are left in a tough bind: leave users with

> an insecure default but try to inform them as much as we can of a

> changing default, or possibly lock them out if they don't notice.

>

> Still, now feels like to me the ideal time to do it. The number of

> people running GuixSD on servers is comparatively small. I expect that

> to change. It would be better to make this change sooner than later.

> On Sat, Dec 05, 2020 at 01:22:23PM -0500, Christopher Lemmer Webber wrote:

>> > 2. Change the default value of the relevant field in

>> > <openssh-configuration>.

>> >

>> > #2 is more thorough but also more risky: people could find themselves

>> > locked out of their server after reconfiguration, though this could be

>> > mitigated by a news entry.

>

> I do think we should avoid changing the default. I know that passphrases

> are inherently riskier than keys — compromise is more likely than with a

> key, but I think it's even more likely that people will lose access to

> their servers if we change this default.

>

> How bad is the risk, from a practical perspective? How many times per

> second can a remote attacker attempt passphrase authentication? If the

> number is high, we could petition OpenSSH to introduce a delay.

> To nudge them to secure their system, guix system reconfigure could emit

> a warning that this is a potential security risk that requires setting

> an explicit value (password yes or no) to silence.

> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:

>> To nudge them to secure their system, guix system reconfigure could emit

>> a warning that this is a potential security risk that requires setting

>> an explicit value (password yes or no) to silence.

>

> I think this is a good idea. Likewise, in the Guix installer, I would

> favor asking the user whether or not to enable password authentication,

> after warning them that it is a security risk.

>

> I agree with Chris that password authentication is a significant

> security risk, but I also worry that if we simply disable it, it will

> catch some users by surprise and they may be quite unhappy about it.

> Hi,

>

> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:

>> To nudge them to secure their system, guix system reconfigure could emit

>> a warning that this is a potential security risk that requires setting

>> an explicit value (password yes or no) to silence.

>

> I think this is a good idea. Likewise, in the Guix installer, I would

> favor asking the user whether or not to enable password authentication,

> after warning them that it is a security risk.

>

> I agree with Chris that password authentication is a significant

> security risk, but I also worry that if we simply disable it, it will

> catch some users by surprise and they may be quite unhappy about it.

>

> Regards,

> Mark

> Mark H Weaver <mhw@netris.org> skribis:

>

>> "Dr. Arne Babenhauserheide" <arne_bab@web.de> writes:

>>> To nudge them to secure their system, guix system reconfigure could emit

>>> a warning that this is a potential security risk that requires setting

>>> an explicit value (password yes or no) to silence.

>>

>> I think this is a good idea. Likewise, in the Guix installer, I would

>> favor asking the user whether or not to enable password authentication,

>> after warning them that it is a security risk.

>>

>> I agree with Chris that password authentication is a significant

>> security risk, but I also worry that if we simply disable it, it will

>> catch some users by surprise and they may be quite unhappy about it.

>

> What do you think of the approach in

> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?

> The default is unchanged but the warning could be kept say until the

> next release, at which point we’d change the default.

>

> Or are you suggesting keeping the default unchanged?

> Ludovic Courtès <ludo@gnu.org> writes:

>> What do you think of the approach in

>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?

>

> One problem, which I just discovered, is that it warns users even if

> they don't have an 'openssh-service' in their system configuration.

>> The default is unchanged but the warning could be kept say until the

>> next release, at which point we’d change the default.

>>

>> Or are you suggesting keeping the default unchanged?

>

> I don't feel strongly about what the default setting should be, as long

> as we ensure that users are somehow made aware of the change before it

> happens, and are given the opportunity (and preferably easy instructions

> on how) to keep password authentication enabled if they wish.

>

> I also think that the installer should explicitly ask the user what the

> setting should be, so that we do not catch new users off guard who

> expected to be able to ssh in to their newly-installed systems using

> only a password.

> If the plan is to change the default setting and issue warnings in the

> meantime, it should be easy to silence those warnings, especially for

> those of us who don't even use openssh-service :)

> Mark H Weaver <mhw@netris.org> skribis:

>

>> Ludovic Courtès <ludo@gnu.org> writes:

>

> [...]

>

>>> What do you think of the approach in

>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?

>>

>> One problem, which I just discovered, is that it warns users even if

>> they don't have an 'openssh-service' in their system configuration.

>

> Could it be that you have a childhurd or some other service that uses

> ‘openssh-service-type’?

> What source code location is associated with that warning?

> gnu/services/ssh.scm:570:31, here:

>

> https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570

>

> Here's what I see when I build a system:

>

> mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm

> gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?'

> field of 'openssh-configuration' will change from #true to #false in the

> future. Explicitly set it to #true to allow password authentication.

> /gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system

> Hi guix users,

>

> It strikes me that a better course of action here would be, rather than providing a warning that might not be noticed by the user, to remove the default and force people to explicitly put `password-authentication? #t` or `password-authentication? #f`.

>

> That way if I have set up a headless server (possibly having a temporary keyboard/mouse/monitor during initial install, then forever logging in afterwards over intranet using my super secret password "raid5isnotagooddog"), with an existing `configuration.scm` that does not explicitly give the setting, I cannot accidentally lose access to my headless server by doing a random `guix pull && sudo guix system reconfigure configuration.scm` without noticing the warning.

>

> Especially since there exists an `unattended-upgrades-service-type` which automates this `guix pull && sudo guix system reconfigure configuration.scm`, which makes changing this default ***VERY DANGEROUS*** in this use-case. I'd rather I noticeably error out in this case.