* Re: [PATCH] mark OpenSSH password authentication as insecure
[not found] <1525086052.2479471.124.camel@ipfire.org>
@ 2018-05-06 20:12 ` Peter Müller
0 siblings, 0 replies; 2+ messages in thread
From: Peter Müller @ 2018-05-06 20:12 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2787 bytes --]
Hello,
> Hello,
>
> I disagree.
>
> I do not think that we should generally warn because of this. Passwords are not
> unsafe per se. They can be brute-forced, but so can certificates. Good passwords
> provide a complexity that is good enough to not break into all sorts of
> accounts.From the point of usability, yes. My intention here is to rule out passwords
(did I mention I hate them?) since they never can be as complex as a OpenSSH
pubkey is. But this is usability vs. security again, and it is not a security
risk in general, so I can live with the status quo.
This patch is dropped.
Best regards,
Peter Müller
>
> If people use a good password or not is a different thing. That by itself does
> not render SSH authentication by password a security risk.
>
> Best,
> -Michael
>
> On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
>> Using password authentication for SSH access is quite risky
>> since the security depends on the password strength. People
>> should use public-key authentication instead.
>
>> This partly fixes #11538.
>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>> langs/de/cgi-bin/de.pl | 2 +-
>> langs/en/cgi-bin/en.pl | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 07bef906b..477c23920 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -2156,7 +2156,7 @@
>> 'ssh key size' => 'Länge (bits)',
>> 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen',
>> 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen;
>> dies wird Ihre Anmeldung verhindern',
>> -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen',
>> +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen
>> (Sicherheitsrisiko)',
>> 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)',
>> 'ssh portfw' => 'TCP-Weiterleitung zulassen',
>> 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index a343b3bd7..66356cc69 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -2194,7 +2194,7 @@
>> 'ssh key size' => 'Size (bits)',
>> 'ssh keys' => 'Allow public key based authentication',
>> 'ssh no auth' => 'You have not allowed any authentication methods; this will
>> stop you logging in',
>> -'ssh passwords' => 'Allow password based authentication',
>> +'ssh passwords' => 'Allow password based authentication (security risk)',
>> 'ssh port' => 'SSH port set to 22 (default is 222)',
>> 'ssh portfw' => 'Allow TCP forwarding',
>> 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH] mark OpenSSH password authentication as insecure
@ 2018-04-29 9:27 Peter Müller
0 siblings, 0 replies; 2+ messages in thread
From: Peter Müller @ 2018-04-29 9:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1795 bytes --]
Using password authentication for SSH access is quite risky
since the security depends on the password strength. People
should use public-key authentication instead.
This partly fixes #11538.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
langs/de/cgi-bin/de.pl | 2 +-
langs/en/cgi-bin/en.pl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef906b..477c23920 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2156,7 +2156,7 @@
'ssh key size' => 'Länge (bits)',
'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen',
'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern',
-'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen',
+'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)',
'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)',
'ssh portfw' => 'TCP-Weiterleitung zulassen',
'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3bd7..66356cc69 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2194,7 +2194,7 @@
'ssh key size' => 'Size (bits)',
'ssh keys' => 'Allow public key based authentication',
'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in',
-'ssh passwords' => 'Allow password based authentication',
+'ssh passwords' => 'Allow password based authentication (security risk)',
'ssh port' => 'SSH port set to 22 (default is 222)',
'ssh portfw' => 'Allow TCP forwarding',
'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
--
2.13.6
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-05-06 20:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <1525086052.2479471.124.camel@ipfire.org>
2018-05-06 20:12 ` [PATCH] mark OpenSSH password authentication as insecure Peter Müller
2018-04-29 9:27 Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox