[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#44808: Default to allowing password authentication on leaves users v
From: |
Mark H Weaver |
Subject: |
bug#44808: Default to allowing password authentication on leaves users vulnerable |
Date: |
Thu, 10 Dec 2020 20:43:45 -0500 |
Hi Ludovic,
Ludovic Courtès <ludo@gnu.org> writes:
> Mark H Weaver <mhw@netris.org> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
>>> What do you think of the approach in
>>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138>?
>>
>> One problem, which I just discovered, is that it warns users even if
>> they don't have an 'openssh-service' in their system configuration.
>
> Could it be that you have a childhurd or some other service that uses
> ‘openssh-service-type’?
I highly doubt it. In any case, there's certainly no ssh daemon
running. See below for my system configuration.
> What source code location is associated with that warning?
gnu/services/ssh.scm:570:31, here:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/ssh.scm?id=ec2eccbf3d1a6378c5ebf1e3d17ec72b4b2a4cd0#n570
Here's what I see when I build a system:
--8<---------------cut here---------------start------------->8---
mhw@jojen ~/guix$ ./pre-inst-env guix system build /etc/config.scm
gnu/services/ssh.scm:570:31: warning: The default value of the
'password-authentication?'
field of 'openssh-configuration' will change from #true to #false in the
future. Explicitly set it to #true to allow password authentication.
/gnu/store/v9ri5ya4xb1fxnmckg1j1qr2qki73w36-system
--8<---------------cut here---------------end--------------->8---
Could it be related to the fact that I always run Guix via
./pre-inst-env from a git checkout?
If this problem only affect me, due to the unusual way in which I use
Guix, feel free to disregard this issue. It's easy enough for me add
one more to my collection of reverted patches on my private branch :)
Thanks,
Mark
--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu system nss) (srfi srfi-1) (guix packages))
(use-service-modules base desktop networking xorg dbus sound)
(use-package-modules certs gnome cryptsetup linux admin guile firmware xdisorg
libusb suckless ratpoison wm vpn)
(operating-system
(host-name "jojen")
(timezone "right/US/Eastern")
(locale "en_US.utf8")
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")))
(kernel linux-libre)
(kernel-arguments '("page_alloc.shuffle=1"))
(firmware (list ath9k-htc-firmware))
;;(firmware '())
(keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "a56c53e7-b345-4e24-a17b-6cf158dbc7d3"))
(target "jojen-root")
(type luks-device-mapping))))
(file-systems (cons* (file-system
;; FIXME: reference by the file system label?
(device "/dev/mapper/jojen-root")
(mount-point "/")
(type "btrfs")
(dependencies mapped-devices))
%base-file-systems))
(users (cons* (user-account
(name "mhw")
(uid 1000)
(group "mhw")
(supplementary-groups '("wheel" "users" "netdev"
"audio" "video" "dialout"))
(home-directory "/home/mhw"))
%base-user-accounts))
(groups (cons* (user-group
(name "mhw")
(id 1000))
%base-groups))
(setuid-programs
(list (file-append shadow "/bin/passwd")
(file-append inetutils "/bin/ping")))
;; This is where we specify system-wide packages.
(packages (cons* nss-certs ;for HTTPS access
gvfs ;for user mounts
cryptsetup
btrfs-progs
wpa-supplicant
network-manager
network-manager-applet
network-manager-openvpn
openvpn
ratpoison
i3-wm
dwm
(delete sudo %base-packages)))
(services (cons* (service gnome-desktop-service-type)
;;(service xfce-desktop-service-type)
(service gdm-service-type)
;;(service slim-service-type)
(screen-locker-service slock)
;;(screen-locker-service xlockmore "xlock")
;; Add udev rules for MTP devices so that non-root
;; users can access them.
(simple-service 'mtp udev-service-type (list libmtp))
;; Add udev rules for scanners.
(service sane-service-type)
;; Add polkit rules, so that non-root users in the
;; wheel group can perform administrative tasks
;; (similar to "sudo").
polkit-wheel-service
;; NetworkManager and its dependents.
(service network-manager-service-type)
(service wpa-supplicant-service-type)
;; (simple-service 'network-manager-applet
;; profile-service-type
;; (list network-manager-applet))
;; (service modem-manager-service-type)
;; (service usb-modeswitch-service-type)
;; The D-Bus clique.
;;(service avahi-service-type) ; I don't trust this
(udisks-service)
(service upower-service-type)
;;(accountsservice-service)
;;(service cups-pk-helper-service-type)
(service colord-service-type)
;;(geoclue-service) ; I don't want this
(service polkit-service-type)
(elogind-service)
(dbus-service)
;;(service ntp-service-type) ; I don't trust this
(service pulseaudio-service-type)
(service alsa-service-type)
;;;; Disabled for now
;;
;;(accountsservice-service)
;;(service cups-pk-helper-service-type)
;; TOR: The Onion Router
(service tor-service-type)
;; Optional OpenNTPd, below
#;
(service
openntpd-service-type
(openntpd-configuration
(listen-on '("127.0.0.1" "::1"))
;;(constraint-from '("www.gnu.org"))
(allow-large-adjustment? #t)))
x11-socket-directory-service
;;;; Disabled for now
;;
;;(service alsa-service-type)
(modify-services %base-services
;; I don't trust the build farm
(guix-service-type config =>
(guix-configuration
(inherit config)
(use-substitutes? #f)
(authorize-key? #f)
(authorized-keys '())
(substitute-urls '())
(extra-options
'("--gc-keep-derivations=yes"
"--gc-keep-outputs=yes")))))))
;; Allow resolution of '.local' host names with mDNS.
;;(name-service-switch %mdns-host-lookup-nss) ; disabled for now
)
--8<---------------cut here---------------end--------------->8---
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/05
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/05
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Dr. Arne Babenhauserheide, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/07
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Mark H Weaver, 2020/12/08
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/10
- bug#44808: Default to allowing password authentication on leaves users vulnerable,
Mark H Weaver <=
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Ludovic Courtès, 2020/12/11
- bug#44808: Default to allowing password authentication on leaves users vulnerable, Christopher Lemmer Webber, 2020/12/08
bug#44808: Default to allowing password authentication on leaves users vulnerable, Leo Famulari, 2020/12/07