NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

openssh PasswordAuthentication should default to "false" #279808

Open timthelion opened 8 months ago

timthelion commented 8 months ago

I noticed that the openssh setting PasswordAuthentication defaults to true on my system. I believe that the relevant line is here: https://github.com/NixOS/nixpkgs/blob/f7f4ca1a9c40721968fa604ff9cfe130c9ae0a46/nixos/modules/services/networking/ssh/lshd.nix#L67. This should be false, as setting this to true is insecure in most cases.

jpds commented 8 months ago

People might not necessarily have SSH keys enabled (especially so if you're trying to SSH into a minimal install ISO for NixOS) and...

This is trivial to change in configuration.nix:

  services.openssh = {
    enable = true;

    # require public key authentication for better security
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

timthelion commented 8 months ago

It's trivial to change so why not default to the secure version?

jpds commented 8 months ago

You'd have to ask the upstream maintainers: https://man.openbsd.org/sshd_config#PasswordAuthentication

qbit commented 8 months ago

This shouldn't happen.

timthelion commented 8 months ago

People losing access is a good point. Would it be possible to set a warning message if the flag is not explicitly set?

h7x4 commented 7 months ago

> Would it be possible to set a warning message if the flag is not explicitly set?

Not with the current option definition, but you could set the option type to be nullOr bool, allowing for a third "unset" state, that would result in a warning before defaulting to either true or false.

I agree with the points mentioned before though, this is not a sane default for most people. If you need this to be the default to meet some kind of regulation or specification (or for any other reason), I suggest you create an out-of-tree module that sets these stricter defaults, so people can import it.

teto commented 7 months ago

Changing the default is asking for problems (a resounding "no" as far as I am concerned). When I introduced the freeform "settings" in the ssh module, it was with the intention of providing a "hardened" ssh config/profile that people could enable. Stuff happens and I haven't had the chance to tackle that (also I am not an ssh expert) but that could be something to think of, and at minimum act as a reference. The hardened profile could be limited to an example in the nixos documentation as well.

endgame commented 6 months ago

The bug tracking a "hardened" ssh profile is #193407.

Would it be safe to update some of these defaults on a system.stateVersion change? Then it's only new installs and people who know what they're doing who would be getting the new default.
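
An out-of-tree module of the kind suggested in the thread, combined with an evaluation-time warning for the lock-out concern raised there. This is an added example, not part of any comment above and not nixpkgs code; the file name `hardened-ssh.nix` and the warning text are assumptions, and the check only sees keys declared in the NixOS configuration itself.

```nix
# hardened-ssh.nix: hypothetical out-of-tree module (file name is an assumption).
# Import it from configuration.nix with: imports = [ ./hardened-ssh.nix ];
{ config, lib, ... }:

let
  cfg = config.services.openssh;

  # True if this user declares at least one authorized key in the NixOS config.
  # Keys placed by hand in ~/.ssh/authorized_keys are invisible to this check.
  hasKeys = user:
    user.openssh.authorizedKeys.keys != [ ]
    || user.openssh.authorizedKeys.keyFiles != [ ];

  # Accounts that could log in over SSH: normal users, plus root unless
  # PermitRootLogin is "no".
  loginUsers = lib.filterAttrs
    (name: user:
      user.isNormalUser
      || (name == "root" && cfg.settings.PermitRootLogin != "no"))
    config.users.users;

  # Anything other than an explicit false is treated as "password login possible".
  passwordLogin =
    cfg.settings.PasswordAuthentication != false
    || cfg.settings.KbdInteractiveAuthentication != false;
in
{
  # mkDefault ranks above the option's built-in default but below a plain
  # assignment, so a host that needs passwords can still opt back in with
  #   services.openssh.settings.PasswordAuthentication = true;
  services.openssh.settings = {
    PasswordAuthentication = lib.mkDefault false;
    KbdInteractiveAuthentication = lib.mkDefault false;
    PermitRootLogin = lib.mkDefault "no";
  };

  # Warn at evaluation time when sshd is enabled, passwords are off, and no
  # login account has a declared key: the case where access would be lost.
  warnings = lib.optional
    (cfg.enable && !passwordLogin
      && !(lib.any hasKeys (lib.attrValues loginUsers)))
    ''
      services.openssh: password authentication is disabled and no login user
      declares openssh.authorizedKeys; SSH access may be lost after switching.
    '';
}
```

The warning is printed during `nixos-rebuild` evaluation, before the new configuration is activated.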