From patchwork Sun Apr 29 19:27:48 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1734
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH] mark OpenSSH password authentication as insecure
Date: Sun, 29 Apr 2018 11:27:48 +0200
List-Id: IPFire development talk

Using password authentication for SSH access is quite risky since the security depends on the password strength. People should use public-key authentication instead.

This partly fixes #11538.

Signed-off-by: Peter Müller
--- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 07bef906b..477c23920 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl
@@ -2156,7 +2156,7 @@ 'ssh key size' => 'Länge (bits)', 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern', -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)', 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', 'ssh portfw' => 'TCP-Weiterleitung zulassen', 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a343b3bd7..66356cc69 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2194,7 +2194,7 @@ 'ssh key size' => 'Size (bits)', 'ssh keys' => 'Allow public key based authentication', 'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in', -'ssh passwords' => 'Allow password based authentication', +'ssh passwords' => 'Allow password based authentication (security risk)', 'ssh port' => 'SSH port set to 22 (default is 222)', 'ssh portfw' => 'Allow TCP forwarding', 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
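Review bot: In the de.pl hunk, the new 'ssh passwords' text appends "(Sicherheitsrisiko)" but gives the user no hint what to choose instead, although the commit message says public-key authentication should be used. The 'ssh keys' entry two lines above is that alternative; consider a suffix that points to it, and use the equivalent wording in en.pl so both translations stay aligned.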
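Review bot: In the en.pl hunk, "(security risk)" is added to 'ssh passwords' only here and in de.pl (the diffstat lists just these two files), so any other language file that defines 'ssh passwords' would keep showing the option without the warning. Either update those in the same patch or note in the commit message that they are left for translators. Since the message says this "partly fixes #11538", it would also help to state which part remains open.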