Using password authentication for SSH access is quite risky since the security depends on the password strength. People should use public-key authentication instead.
This partly fixes #11538.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 07bef906b..477c23920 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2156,7 +2156,7 @@ 'ssh key size' => 'Länge (bits)', 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern', -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)', 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', 'ssh portfw' => 'TCP-Weiterleitung zulassen', 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a343b3bd7..66356cc69 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2194,7 +2194,7 @@ 'ssh key size' => 'Size (bits)', 'ssh keys' => 'Allow public key based authentication', 'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in', -'ssh passwords' => 'Allow password based authentication', +'ssh passwords' => 'Allow password based authentication (security risk)', 'ssh port' => 'SSH port set to 22 (default is 222)', 'ssh portfw' => 'Allow TCP forwarding', 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hello,
I disagree.
I do not think that we should generally warn because of this. Passwords are not unsafe per se. They can be brute-forced, but so can certificates. Good passwords provide a complexity that is good enough to not break into all sorts of accounts.
If people use a good password or not is a different thing. That by itself does not render SSH authentication by password a security risk.
Best, - -Michael
On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
Using password authentication for SSH access is quite risky since the security depends on the password strength. People should use public-key authentication instead.
This partly fixes #11538.
Signed-off-by: Peter Müller peter.mueller@link38.eu
langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 07bef906b..477c23920 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2156,7 +2156,7 @@ 'ssh key size' => 'Länge (bits)', 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern', -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)', 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', 'ssh portfw' => 'TCP-Weiterleitung zulassen', 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a343b3bd7..66356cc69 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2194,7 +2194,7 @@ 'ssh key size' => 'Size (bits)', 'ssh keys' => 'Allow public key based authentication', 'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in', -'ssh passwords' => 'Allow password based authentication', +'ssh passwords' => 'Allow password based authentication (security risk)', 'ssh port' => 'SSH port set to 22 (default is 222)', 'ssh portfw' => 'Allow TCP forwarding', 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
Hello,
Hello,
I disagree.
I do not think that we should generally warn because of this. Passwords are not unsafe per se. They can be brute-forced, but so can certificates. Good passwords provide a complexity that is good enough to not break into all sorts of accounts.From the point of usability, yes. My intention here is to rule out passwords
(did I mention I hate them?) since they never can be as complex as a OpenSSH pubkey is. But this is usability vs. security again, and it is not a security risk in general, so I can live with the status quo.
This patch is dropped.
Best regards, Peter Müller
If people use a good password or not is a different thing. That by itself does not render SSH authentication by password a security risk.
Best, -Michael
On Sun, 2018-04-29 at 11:27 +0200, Peter Müller wrote:
Using password authentication for SSH access is quite risky since the security depends on the password strength. People should use public-key authentication instead.
This partly fixes #11538.
Signed-off-by: Peter Müller peter.mueller@link38.eu
langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 07bef906b..477c23920 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2156,7 +2156,7 @@ 'ssh key size' => 'Länge (bits)', 'ssh keys' => 'Authentifizierung auf Basis öffentlicher Schlüssel zulassen', 'ssh no auth' => 'Sie haben keinerlei Authentifizierungverfahren zugelassen; dies wird Ihre Anmeldung verhindern', -'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen', +'ssh passwords' => 'Passwortbasierte Authentifizierung zulassen (Sicherheitsrisiko)', 'ssh port' => 'SSH Port auf 22 setzen (Standard ist 222)', 'ssh portfw' => 'TCP-Weiterleitung zulassen', 'ssh tempstart15' => 'SSH-Deamon in 15 Minuten beenden', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a343b3bd7..66356cc69 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2194,7 +2194,7 @@ 'ssh key size' => 'Size (bits)', 'ssh keys' => 'Allow public key based authentication', 'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in', -'ssh passwords' => 'Allow password based authentication', +'ssh passwords' => 'Allow password based authentication (security risk)', 'ssh port' => 'SSH port set to 22 (default is 222)', 'ssh portfw' => 'Allow TCP forwarding', 'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
-
Michael Tremer -
Peter Müller