Message ID | c5b950b6-9c8f-01f7-89b2-bfcde07aa7f4@link38.eu |
---|---|
State | Dropped |
Headers | To: "IPFire: Development-List" <development@lists.ipfire.org>; From: Peter Müller <peter.mueller@link38.eu>; Subject: [PATCH] mark OpenSSH password authentication as insecure; Message-ID: <c5b950b6-9c8f-01f7-89b2-bfcde07aa7f4@link38.eu>; Date: Sun, 29 Apr 2018 11:27:48 +0200 |
Series | mark OpenSSH password authentication as insecure |
Commit Message
Peter Müller
April 29, 2018, 7:27 p.m. UTC
Using password authentication for SSH access is quite risky
since the security depends on the password strength. People
should use public-key authentication instead.
This partly fixes #11538.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
langs/de/cgi-bin/de.pl | 2 +-
langs/en/cgi-bin/en.pl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
Comments
Hello,

I disagree.

I do not think that we should generally warn because of this. Passwords are not unsafe per se. They can be brute-forced, but so can certificates. Good passwords provide a complexity that is good enough to not break into all sorts of accounts.

If people use a good password or not is a different thing. That by itself does not render SSH authentication by password a security risk.

Best,
-Michael

On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
> Using password authentication for SSH access is quite risky
> since the security depends on the password strength. People
> should use public-key authentication instead.
>
> This partly fixes #11538.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> langs/de/cgi-bin/de.pl | 2 +-
> langs/en/cgi-bin/en.pl | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index 07bef906b..477c23920 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl > @@ -2156,7 +2156,7 @@ > 'ssh key size' => 'Länge (bits)', > 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', > 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; > dies wird Ihre Anmeldung verhindern', > -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', > +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen > (Sicherheitsrisiko)', > 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', > 'ssh portfw' => 'TCP-Weiterleitung zulassen', > 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index a343b3bd7..66356cc69 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl
> @@ -2194,7 +2194,7 @@ > 'ssh key size' => 'Size (bits)', > 'ssh keys' => 'Allow public key based authentication', > 'ssh no auth' => 'You have not allowed any authentication methods; this will > stop you logging in', > -'ssh passwords' => 'Allow password based authentication', > +'ssh passwords' => 'Allow password based authentication (security risk)', > 'ssh port' => 'SSH port set to 22 (default is 222)', > 'ssh portfw' => 'Allow TCP forwarding', > 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
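Review bot: In the de.pl hunk as quoted here, the new `'ssh passwords'` value appears split across two lines ("zulassen" / "(Sicherheitsrisiko)"); the unchanged `'ssh no auth'` context line is wrapped the same way, so this looks like mail-client line wrapping rather than a literal newline inside the single-quoted Perl string, but it is worth applying the patch from the raw mail and confirming the entry stays on one line, since an embedded newline would show up as a line break in the web UI label. The context line `'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; ...'` also carries a pre-existing typo ("Authentifizierungsverfahren") that could be fixed in a separate follow-up rather than in this patch.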
Hello,

> Hello,
>
> I disagree.
>
> I do not think that we should generally warn because of this. Passwords are not
> unsafe per se. They can be brute-forced, but so can certificates. Good passwords
> provide a complexity that is good enough to not break into all sorts of
> accounts.

From the point of usability, yes. My intention here is to rule out passwords (did I mention I hate them?) since they never can be as complex as an OpenSSH pubkey is.

But this is usability vs. security again, and it is not a security risk in general, so I can live with the status quo. This patch is dropped.

Best regards,
Peter Müller

> If people use a good password or not is a different thing. That by itself does
> not render SSH authentication by password a security risk.
>
> Best,
> -Michael
>
> On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
>> Using password authentication for SSH access is quite risky
>> since the security depends on the password strength. People
>> should use public-key authentication instead.
>
>> This partly fixes #11538.
>
>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>> ---
>> langs/de/cgi-bin/de.pl | 2 +-
>> langs/en/cgi-bin/en.pl | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> index 07bef906b..477c23920 100644 >> --- a/langs/de/cgi-bin/de.pl >> +++ b/langs/de/cgi-bin/de.pl >> @@ -2156,7 +2156,7 @@ >> 'ssh key size' => 'Länge (bits)', >> 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', >> 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; >> dies wird Ihre Anmeldung verhindern', >> -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', >> +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen >> (Sicherheitsrisiko)', >> 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', >> 'ssh portfw' => 'TCP-Weiterleitung zulassen', >> 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> index a343b3bd7..66356cc69 100644 >> --- a/langs/en/cgi-bin/en.pl >> +++ b/langs/en/cgi-bin/en.pl >> @@ -2194,7 +2194,7 @@ >> 'ssh key size' => 'Size (bits)', >> 'ssh keys' => 'Allow public key based authentication', >> 'ssh no auth' => 'You have not allowed any authentication methods; this will >> stop you logging in', >> -'ssh passwords' => 'Allow password based authentication', >> +'ssh passwords' => 'Allow password based authentication (security risk)', >> 'ssh port' => 'SSH port set to 22 (default is 222)', >> 'ssh portfw' => 'Allow TCP forwarding', >> 'ssh tempstart15' => 'Stop SSH demon in 15 minutes', >
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 07bef906b..477c23920 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2156,7 +2156,7 @@ 'ssh key size' => 'Länge (bits)', 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern', -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)', 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', 'ssh portfw' => 'TCP-Weiterleitung zulassen', 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a343b3bd7..66356cc69 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2194,7 +2194,7 @@ 'ssh key size' => 'Size (bits)', 'ssh keys' => 'Allow public key based authentication', 'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in', -'ssh passwords' => 'Allow password based authentication', +'ssh passwords' => 'Allow password based authentication (security risk)', 'ssh port' => 'SSH port set to 22 (default is 222)', 'ssh portfw' => 'Allow TCP forwarding', 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
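Review bot: In the en.pl hunk, appending a bare "(security risk)" to the `'ssh passwords'` checkbox label states a blanket risk without saying what it depends on; the commit message itself frames the concern as security resting on password strength, so a label such as `'Allow password based authentication (relies on password strength; public key authentication is recommended)'` would convey the actual trade-off instead of a warning that the list discussion disputes, and the German string in de.pl should be adjusted to match so both locales say the same thing. Note also that both hunks change only a UI label: nothing in this patch alters the setting's default or behaviour, so if the goal is to steer administrators toward public-key authentication, that should be stated in the commit message as a label-only change or followed up elsewhere.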