Re: [PATCH] mark OpenSSH password authentication as insecure

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 2787 bytes --]

Hello,

> Hello,
> 
> I disagree.
> 
> I do not think that we should generally warn because of this. Passwords are not
> unsafe per se. They can be brute-forced, but so can certificates. Good passwords
> provide a complexity that is good enough to not break into all sorts of
> accounts.From the point of usability, yes. My intention here is to rule out passwords
(did I mention I hate them?) since they never can be as complex as a OpenSSH
pubkey is. But this is usability vs. security again, and it is not a security
risk in general, so I can live with the status quo.

This patch is dropped.

Best regards,
Peter Müller
> 
> If people use a good password or not is a different thing. That by itself does
> not render SSH authentication by password a security risk.
> 
> Best,
> -Michael
> 
> On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
>> Using password authentication for SSH access is quite risky
>> since the security depends on the password strength. People
>> should use public-key authentication instead.
> 
>> This partly fixes #11538.
> 
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>>  langs/de/cgi-bin/de.pl | 2 +-
>>  langs/en/cgi-bin/en.pl | 2 +-
>>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 07bef906b..477c23920 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -2156,7 +2156,7 @@
>>  'ssh key size' => 'Länge (bits)',
>>  'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen',
>>  'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen;
>> dies wird Ihre Anmeldung verhindern',
>> -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen',
>> +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen
>> (Sicherheitsrisiko)',
>>  'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)',
>>  'ssh portfw' => 'TCP-Weiterleitung zulassen',
>>  'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index a343b3bd7..66356cc69 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -2194,7 +2194,7 @@
>>  'ssh key size' => 'Size (bits)',
>>  'ssh keys' => 'Allow public key based authentication',
>>  'ssh no auth' => 'You have not allowed any authentication methods; this will
>> stop you logging in',
>> -'ssh passwords' => 'Allow password based authentication',
>> +'ssh passwords' => 'Allow password based authentication (security risk)',
>>  'ssh port' => 'SSH port set to 22 (default is 222)',
>>  'ssh portfw' => 'Allow TCP forwarding',
>>  'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
> 


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]