Subject: bug#26695: openssh password-authentication? should be #f by default

From: Christopher Allan Webber
Date: Fri, 28 Apr 2017 09:37:13 -0500

Our default permits password authentication for the openssh service (and
the others it seems) by default in Guix. This is somewhat dangerous
because this is much easier to break in this way, and some users might
not assume the default is reasonably safe. If users really want
password-authentication, they should turn it on explicitly.

From: Maxim Cournoyer
Date: Fri, 28 Apr 2017 09:09:51 -0700

On April 28, 2017 7:37:13 AM PDT, Christopher Allan Webber wrote:
> Our default permits password authentication for the openssh service (and
> the others it seems) by default in Guix. This is somewhat dangerous
> because this is much easier to break in this way, and some users might
> not assume the default is reasonably safe. If users really want
> password-authentication, they should turn it on explicitly.

+1. Although it means the keys will have to be copied by another means
than the "ssh-copy-id" script. Maybe the configuration could accept the
public key? :) I haven't checked if this is already possible.

From: Christopher Allan Webber
Date: Fri, 28 Apr 2017 11:37:59 -0500

Maxim Cournoyer writes:

> +1. Although it means the keys will have to be copied by another means
> than the "ssh-copy-id" script. Maybe the configuration could accept
> the public key? :) I haven't checked if this is already possible.

We have discussed in the past having some service that just copies some
static files on init. That would be enough to set up public keys
appropriately.

That's a different, but related bug :)

From: Maxim Cournoyer
Date: Fri, 28 Apr 2017 09:40:35 -0700

On April 28, 2017 9:37:59 AM PDT, Christopher Allan Webber wrote:
> Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another means
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
> We have discussed in the past having some service that just copies some
> static files on init. That would be enough to set up public keys
> appropriately.
>
> That's a different, but related bug :)

I see! Indeed, it seems it would solve the problem to have such a service.

Thanks for the reply!

From: Marius Bakke
Date: Fri, 28 Apr 2017 19:23:50 +0200

Christopher Allan Webber writes:

> Maxim Cournoyer writes:
>
>> +1. Although it means the keys will have to be copied by another means
>> than the "ssh-copy-id" script. Maybe the configuration could accept
>> the public key? :) I haven't checked if this is already possible.
>
> We have discussed in the past having some service that just copies some
> static files on init. That would be enough to set up public keys
> appropriately.

I think that can already be done with 'special-file-service-type'.

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Another approach could be a small program that reads a configuration
file and can also pull from e.g. the ec2 metadata service which should
work with many "cloud" providers. Similar to "cloud-init" but Guile of
course :)

From: Christopher Allan Webber
Date: Fri, 28 Apr 2017 13:25:51 -0500

Marius Bakke writes:

>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Interesting! I'll have to try this route.

From: Leo Famulari
Date: Fri, 28 Apr 2017 15:28:34 -0400

On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
> Our default permits password authentication for the openssh service (and
> the others it seems) by default in Guix. This is somewhat dangerous
> because this is much easier to break in this way, and some users might
> not assume the default is reasonably safe. If users really want
> password-authentication, they should turn it on explicitly.

The upstream default is to allow password authentication (see
sshd_config(5)).

With the current GuixSD defaults, my understanding is that nobody will be
able to log in remotely to a new GuixSD system with the default
openssh-service, unless they make the effort to insert the user's
password in their GuixSD declaration. Remote root login and empty
password login are disabled by default.

So the current situation seems safe to me. Please let us know if you see
a hole.

Allowing passwords is not the best practice for securing sshd, but I
think it's a good default for the openssh-service until we have a better
way to deploy keys.

If we do change the password authentication default to #f, I think we
should do it in a new Guix release, since it will probably break GuixSD
provisioning scripts that people are using.
should be #f by default Resent-From: Chris Marusich Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sun, 30 Apr 2017 19:48:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 26695 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Marius Bakke Cc: Christopher Allan Webber , 26695@debbugs.gnu.org, Maxim Cournoyer Received: via spool by 26695-submit@debbugs.gnu.org id=B26695.14935816564939 (code B ref 26695); Sun, 30 Apr 2017 19:48:01 +0000 Received: (at 26695) by debbugs.gnu.org; 30 Apr 2017 19:47:36 +0000 Received: from localhost ([127.0.0.1]:48082 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1d4uoh-0001Hb-PL for submit@debbugs.gnu.org; Sun, 30 Apr 2017 15:47:35 -0400 Received: from mail-pg0-f43.google.com ([74.125.83.43]:35481) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1d4uog-0001HN-7E for 26695@debbugs.gnu.org; Sun, 30 Apr 2017 15:47:34 -0400 Received: by mail-pg0-f43.google.com with SMTP id o3so32145112pgn.2 for <26695@debbugs.gnu.org>; Sun, 30 Apr 2017 12:47:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=Bvl/XyGFB+SUhG1Cq/g0ZLk2V9y46BCDHcV/ecYlxiY=; b=kDmlrS8O6A8dh6ENL7Wwf+8RlhlfM641/WZ1dwigGI73pqL4tlMBLD5qmn4fdpUnw/ xeskPlGnsjp3OOZblrbb6WxiLc9G2s4CfBwmNCNx/58rYDMqVXKgYVdRvsyN7Iw7sGNc 8yatOWrgwZHPVPCpsDdfInsrDW1V8BNsRBEepSNXKSWwmw1lWkRwtSajeM/X7k4tHB1a 5T8GvWv5GFwEnXNic31q2tuheS+ki6VUf5Pjl+BQWpSd0yE999Bm+sii2o3v9KbDGqLQ hDGqnNOUavXU5Vps4zpSIy4iotO+xVzMfNLSLTgzgT6xua48URstXLTg20muwCpcp6ml EGjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=Bvl/XyGFB+SUhG1Cq/g0ZLk2V9y46BCDHcV/ecYlxiY=; b=lNJFzNXJw8Izt9rX7mCm1i2PHgdIaRotpxMCCvif5lyKzvKHi8dUr+cVUvlN6O7qJA 
From: Chris Marusich
Date: Sun, 30 Apr 2017 12:47:22 -0700

Marius Bakke writes:

> Christopher Allan Webber writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another mean
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Will OpenSSH know where to look, in that case? I think a little more
work would be needed to tell OpenSSH where to look. For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).

In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service. For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the record type.

> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)

This topic has come up before. Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed. See here for details:

https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html

Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file. Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.

--
Chris

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Christopher Allan Webber
Subject: bug#26695: closed (Re: bug#26695: openssh password-authentication? should be #f by default)
Date: Tue, 29 Aug 2023 03:26:03 +0000

Your bug report

#26695: openssh password-authentication? should be #f by default

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 26695@debbugs.gnu.org.
--
26695: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26695
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Maxim Cournoyer
To: Leo Famulari
Cc: Christopher Allan Webber, 26695-done@debbugs.gnu.org
Subject: Re: bug#26695: openssh password-authentication? should be #f by default
Date: Mon, 28 Aug 2023 23:24:46 -0400

Hi,

Leo Famulari writes:

> On Fri, Apr 28, 2017 at 09:37:13AM -0500, Christopher Allan Webber wrote:
>> Our default permits password authentication for the openssh service (and
>> the others it seems) by default in Guix. This is somewhat dangerous
>> because this is a much easier to break in this way, and some users might
>> not assume the default is reasonably safe. If users really want
>> password-authentication, they should turn it on explicitly.
>
> The upstream default is to allow password authentication (see
> sshdconfig(5)).
>
> With the current GuixSD defaults, my understanding is that nobody will
> be able to login remotely to a new GuixSD system with the default
> openssh-service, unless they make the effort to insert the user's
> password in their GuixSD declaration. Remote root login and empty
> password login is disabled by default.
>
> So the current situation seems safe to me. Please let us know if you see
> a hole.

I agree with your assessment. I think there's probably more hurt than
benefit in diverging from upstream's choice of defaults here.

I'm thus closing this old forgotten report.
--
Thanks,
Maxim
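Added example, not part of the thread or of Guix's own code: a small Python check of the sshd_config keywords the messages above discuss (PasswordAuthentication, PermitRootLogin, PermitEmptyPasswords, AuthorizedKeysFile), filling in the upstream OpenSSH defaults for keywords a file does not set. The sample configurations and the /etc/ssh/authorized_keys.d/%u path are constructed for illustration, and Match blocks are not evaluated.

```python
import re

# Upstream OpenSSH defaults that apply when a keyword is absent (sshd_config(5)).
UPSTREAM_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}
# Keyword and arguments are separated by whitespace, optionally with one "=".
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def effective_settings(config_text):
    """Global value of each tracked keyword; sshd keeps the first value it reads."""
    found = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())  # comments and blank lines do not match
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "match":
            break  # everything after Match is conditional, not global
        if keyword in UPSTREAM_DEFAULTS and value:
            found.setdefault(keyword, value)
    return {**UPSTREAM_DEFAULTS, **found}

def findings(config_text):
    """Settings that leave password guessing open as a remote login path."""
    s = effective_settings(config_text)
    issues = []
    if s["passwordauthentication"].lower() == "yes":
        issues.append("PasswordAuthentication yes: password logins are accepted")
        if s["permitemptypasswords"].lower() == "yes":
            issues.append("PermitEmptyPasswords yes: empty passwords are accepted")
        if s["permitrootlogin"].lower() == "yes":
            issues.append("PermitRootLogin yes: root may log in with a password")
    return issues

# Constructed sample files, not taken from any real host.
SAMPLE_UPSTREAM = "# no relevant keywords set\nPort 22\n"
SAMPLE_KEYS_ONLY = """\
PasswordAuthentication no
AuthorizedKeysFile = /etc/ssh/authorized_keys.d/%u
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("upstream", SAMPLE_UPSTREAM), ("keys-only", SAMPLE_KEYS_ONLY)):
        print(name, effective_settings(text), findings(text))
```

On a live host, `sshd -T` prints the values the daemon actually uses, defaults included.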