GNU bug report logs - #44808
Default to allowing password authentication on leaves users vulnerable
On 23.11.2020 00:20, Christopher Lemmer Webber wrote:
> Okay, I just realized I left a friend vulnerable by guiding them through
> a Guix graphical install and telling them it would give them a decent
> setup. They turned on openssh support.
>
> Then I realized their config had password-authentication? on.
>
> That's unacceptable. We need to change this default. This is known to
> leave users open to attack, and selecting a password secure enough
> against brute forcing is fairly difficult, much more difficult than only
> allowing entry by keys. Plus, few distributions do what we're doing
> anymore, precisely because of wanting to be secure by default.
>
> Yes, I know some people want password authentication on as part of a
> bootstrapping process. Fine... those users know to put it on. Let's
> not leave our users open to attack by default though.
>
> Happy to produce a patch and change the documentation, but I'd like to
> hear that we have consensus to make this change. But we should, because
> otherwise I think we're going to hurt users.
I think it would be most ideal if the user were asked the following two
questions, with a short explanation of what each means:
- Allow root login via SSH?
- Allow password authentication in SSH?
(I think Debian does this.)
Because as you say, on one hand password authentication in SSH can be a
security risk. But on the other hand many machines never have their SSH
port exposed to the Internet, and the intranet is assumed to be safe.
In those cases it would be an annoyance to have to enable it manually.
Both points apply to direct root login as well I think.
Allowing password authentication but disabling root login might also be
considered safe enough on machines exposed to the Internet, because the
attacker needs to guess the username as well. It only presents a small
increase in complexity for the attacker though.
- Taylan
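The three settings discussed in this thread (the current default, the "passwords but no root" middle ground, and key-only access), written as Guix openssh-service-type configurations. This is an added example and is not code from the bug report or from the Guix project; the field name password-authentication? comes from the thread, while permit-root-login, public-key-authentication? and authorized-keys are assumed from the Guix manual, and the user name and key file path are constructed placeholders.

```scheme
;; Added example (not from this bug thread or the Guix project): three
;; openssh-service-type configurations for an operating-system
;; declaration.  Field names other than password-authentication? are
;; assumed from the Guix manual: permit-root-login,
;; public-key-authentication?, authorized-keys.
(use-modules (gnu)
             (gnu services ssh)
             (guix gexp))

;; 1. The setting the report objects to: password logins accepted for
;;    every account, so an Internet-exposed host can be brute-forced.
(define ssh-password-logins
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #t))))

;; 2. The middle ground from the reply above: passwords still work for
;;    ordinary users (convenient on an intranet), but root cannot log in
;;    over SSH, so an attacker must also guess a valid username.
(define ssh-intranet
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #t)
            (permit-root-login #f))))

;; 3. Key-only access for Internet-facing machines: password
;;    authentication off, root login off, and the accounts that may log
;;    in listed with their public keys.  "alice" and the key file path
;;    are constructed placeholders.
(define ssh-key-only
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #f)
            (public-key-authentication? #t)
            (permit-root-login #f)
            (authorized-keys
             `(("alice" ,(local-file "/path/to/alice_id_ed25519.pub")))))))

;; Pick the one matching the host's exposure in the services field:
;; (operating-system
;;   ...
;;   (services (cons ssh-key-only %base-services)))
```

After reconfiguring, the effective sshd settings can be checked with `sshd -T | grep -i -e passwordauthentication -e permitrootlogin`, which prints what the daemon will actually enforce rather than what the Scheme file says.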