From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] mark OpenSSH password authentication as insecure
Date: Sun, 06 May 2018 22:12:53 +0200
Message-ID: <1875a793-8ac1-1c93-0050-ca3ed45ab222@link38.eu>
In-Reply-To: <1525086052.2479471.124.camel@ipfire.org>

Hello,

> Hello,
>
> I disagree.
>
> I do not think that we should generally warn because of this. Passwords are not
> unsafe per se. They can be brute-forced, but so can certificates. Good passwords
> provide a complexity that is good enough to not break into all sorts of
> accounts.

From the point of usability, yes. My intention here is to rule out
passwords (did I mention I hate them?) since they never can be as complex
as an OpenSSH pubkey is. But this is usability vs. security again, and it is
not a security risk in general, so I can live with the status quo. This patch
is dropped.

Best regards,
Peter Müller

>
> If people use a good password or not is a different thing. That by itself does
> not render SSH authentication by password a security risk.
>
> Best,
> -Michael
>
> On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
>> Using password authentication for SSH access is quite risky
>> since the security depends on the password strength. People
>> should use public-key authentication instead.
>
>> This partly fixes #11538.
>
>> Signed-off-by: Peter Müller
>> --- >> langs/de/cgi-bin/de.pl | 2 +- >> langs/en/cgi-bin/en.pl | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >=20 >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> index 07bef906b..477c23920 100644 >> --- a/langs/de/cgi-bin/de.pl >> +++ b/langs/de/cgi-bin/de.pl 
>> @@ -2156,7 +2156,7 @@ >> 'ssh key size' =3D> 'L=C3=A4nge (bits)', >> 'ssh keys' =3D> 'Authentifizierung auf Basis =C3=B6ffentlicher Schl=C3=BC= ssel zulassen', >> 'ssh no auth' =3D> 'Sie haben keinerlei Authentifizierungverfahren zugela= ssen; >> dies wird Ihre Anmeldung verhindern', >> -'ssh passwords' =3D> 'Passwortbasierte Authentifizierung zulassen', >> +'ssh passwords' =3D> 'Passwortbasierte Authentifizierung zulassen >> (Sicherheitsrisiko)', >> 'ssh port' =3D> 'SSH Port auf 22 setzen (Standard ist 222)', >> 'ssh portfw' =3D> 'TCP-Weiterleitung zulassen', >> 'ssh tempstart15' =3D> 'SSH-Deamon in 15 Minuten beenden', >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> index a343b3bd7..66356cc69 100644 >> --- a/langs/en/cgi-bin/en.pl >> +++ b/langs/en/cgi-bin/en.pl 
>> @@ -2194,7 +2194,7 @@ >> 'ssh key size' =3D> 'Size (bits)', >> 'ssh keys' =3D> 'Allow public key based authentication', >> 'ssh no auth' =3D> 'You have not allowed any authentication methods; this= will >> stop you logging in', >> -'ssh passwords' =3D> 'Allow password based authentication', >> +'ssh passwords' =3D> 'Allow password based authentication (security risk)= ', >> 'ssh port' =3D> 'SSH port set to 22 (default is 222)', >> 'ssh portfw' =3D> 'Allow TCP forwarding', >> 'ssh tempstart15' =3D> 'Stop SSH demon in 15 minutes', >=20
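Review bot: in the de.pl hunk, the '+' line for 'ssh passwords' appends a bare "(Sicherheitsrisiko)" while the neighbouring 'ssh port' and 'ssh portfw' labels carry no risk annotation, so the page would single out one option without saying why. The commit message ties the risk to password strength, so the label should state that condition or the recommendation (public-key authentication) rather than an unconditional warning, and the German and English strings should be kept in step. The diffstat shows only de.pl and en.pl touched, so any other translation of this key would stay unmarked.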
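Review bot: in the en.pl hunk, the '+' line for 'ssh passwords' labels the option "(security risk)" without qualification, which is stronger than the commit message's own reasoning that security "depends on the password strength". A label that names the preferred alternative, for example 'Allow password based authentication (public key authentication is recommended)', would match that reasoning and point the user at the adjacent 'ssh keys' option instead of only warning them.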