Package: guix;
Reported by: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
Date: Sun, 22 Nov 2020 23:22:01 UTC
Severity: normal
Tags: security
From: Mark H Weaver <mhw <at> netris.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Lemmer Webber <cwebber <at> dustycloud.org>, "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>, maxim.cournoyer <at> gmail.com, 44808 <at> debbugs.gnu.org
Subject: bug#44808: Default to allowing password authentication on leaves users vulnerable
Date: Thu, 10 Dec 2020 20:43:45 -0500

Hi Ludovic,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Mark H Weaver <mhw <at> netris.org> skribis:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>
> [...]
>
>>> What do you think of the approach in
>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?

I highly doubt it. In any case, there's certainly no ssh daemon running.
See below for my system configuration.

> What source code location is associated with that warning?

gnu/services/ssh.scm:570:31, here:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570

Here's what I see when I build a system:

--8<---------------cut here---------------start------------->8---
mhw <at> jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the 'password-authentication?' field of 'openssh-configuration' will change from #true to #false in the future. Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---

Could it be related to the fact that I always run Guix via ./pre-inst-env
from a git checkout?

If this problem only affects me, due to the unusual way in which I use
Guix, feel free to disregard this issue. It's easy enough for me to add
one more to my collection of reverted patches on my private branch :)

     Thanks,
       Mark

--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware
                     xdisorg libusb suckless ratpoison wm vpn)

(operating-system
  (host-name "jojen")
  (timezone "right/US/Eastern")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))
  (kernel linux-libre)
  (kernel-arguments '("page_alloc.shuffle=1"))
  (firmware (list ath9k-htc-firmware))
  ;;(firmware '())
  (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
          (target "jojen-root")
          (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         ;; FIXME: reference by the file system label?
                         (device "/dev/mapper/jojen-root")
                         (mount-point "/")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       %base-file-systems))

  (users (cons* (user-account
                 (name "mhw")
                 (uid 1000)
                 (group "mhw")
                 (supplementary-groups '("wheel" "users" "netdev"
                                         "audio" "video" "dialout"))
                 (home-directory "/home/mhw"))
                %base-user-accounts))

  (groups (cons* (user-group (name "mhw") (id 1000))
                 %base-groups))

  (setuid-programs (list (file-append shadow "/bin/passwd")
                         (file-append inetutils "/bin/ping")))

  ;; This is where we specify system-wide packages.
  (packages (cons* nss-certs              ;for HTTPS access
                   gvfs                   ;for user mounts
                   cryptsetup
                   btrfs-progs
                   wpa-supplicant
                   network-manager
                   network-manager-applet
                   network-manager-openvpn
                   openvpn
                   ratpoison
                   i3-wm
                   dwm
                   (delete sudo %base-packages)))

  (services (cons* (service gnome-desktop-service-type)
                   ;;(service xfce-desktop-service-type)
                   (service gdm-service-type)
                   ;;(service slim-service-type)
                   (screen-locker-service slock)
                   ;;(screen-locker-service xlockmore "xlock")

                   ;; Add udev rules for MTP devices so that non-root
                   ;; users can access them.
                   (simple-service 'mtp udev-service-type (list libmtp))

                   ;; Add udev rules for scanners.
                   (service sane-service-type)

                   ;; Add polkit rules, so that non-root users in the
                   ;; wheel group can perform administrative tasks
                   ;; (similar to "sudo").
                   polkit-wheel-service

                   ;; NetworkManager and its dependents.
                   (service network-manager-service-type)
                   (service wpa-supplicant-service-type)
                   ;; (simple-service 'network-manager-applet
                   ;;                 profile-service-type
                   ;;                 (list network-manager-applet))
                   ;; (service modem-manager-service-type)
                   ;; (service usb-modeswitch-service-type)

                   ;; The D-Bus clique.
                   ;;(service avahi-service-type) ; I don't trust this
                   (udisks-service)
                   (service upower-service-type)
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)
                   (service colord-service-type)
                   ;;(geoclue-service) ; I don't want this
                   (service polkit-service-type)
                   (elogind-service)
                   (dbus-service)
                   ;;(service ntp-service-type) ; I don't trust this
                   (service pulseaudio-service-type)
                   (service alsa-service-type)

                   ;;;; Disabled for now
                   ;;
                   ;;(accountsservice-service)
                   ;;(service cups-pk-helper-service-type)

                   ;; TOR: The Onion Router
                   (service tor-service-type)

                   ;; Optional OpenNTPd, below
                   #;
                   (service openntpd-service-type
                            (openntpd-configuration
                             (listen-on '("127.0.0.1" "::1"))
                             ;;(constraint-from '("www.gnu.org"))
                             (allow-large-adjustment? #t)))

                   x11-socket-directory-service

                   ;;;; Disabled for now
                   ;;
                   ;;(service alsa-service-type)

                   (modify-services %base-services
                     ;; I don't trust the build farm
                     (guix-service-type config =>
                                        (guix-configuration
                                         (inherit config)
                                         (use-substitutes? #f)
                                         (authorize-key? #f)
                                         (authorized-keys '())
                                         (substitute-urls '())
                                         (extra-options
                                          '("--gc-keep-derivations=yes"
                                            "--gc-keep-outputs=yes")))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;;(name-service-switch %mdns-host-lookup-nss) ; disabled for now
  )
--8<---------------cut here---------------end--------------->8---
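An added example, not from this thread and not Guix's own code: a system configuration fragment that sets the 'password-authentication?' field of 'openssh-configuration' explicitly, so its value no longer depends on the default the warning says will change, next to a small helper for answering Ludovic's question above by listing which services in an operating-system record are of kind openssh-service-type. The user name "alice" and the key file "alice.pub" are hypothetical.

```scheme
(use-modules (gnu)
             (gnu services)
             (gnu services ssh)
             (srfi srfi-1))

;; Key-only SSH access. Setting 'password-authentication?' explicitly
;; silences the deprecation warning and pins the stricter value now,
;; whatever the default becomes later.
(define ssh-key-only
  (service openssh-service-type
           (openssh-configuration
            (password-authentication? #f)   ; explicit, not the default
            (permit-root-login #f)
            ;; Hypothetical user and public-key file; replace with real ones.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub")))))))

;; Return the services of OS whose kind is openssh-service-type.  An empty
;; list means nothing in OS itself instantiates that service type; a
;; configuration nested inside another service (e.g. a childhurd's own
;; operating-system) is not inspected here.
(define (openssh-services os)
  (filter (lambda (svc)
            (eq? (service-kind svc) openssh-service-type))
          (operating-system-services os)))

;; Usage from a Guile REPL with Guix on the load path, assuming the last
;; form of /etc/config.scm evaluates to the operating-system record:
;;   (openssh-services (load "/etc/config.scm"))
```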