bugzilla-daemon at mindrot.org
2014-Nov-07 23:38 UTC
[Bug 2309] New: change default PreferredAuthentications order
https://bugzilla.mindrot.org/show_bug.cgi?id=2309
Bug ID: 2309
Summary: change default PreferredAuthentications order
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hi.
As far as I understand, one cannot "improve" the security of SSH by
disabling auth methods or changing their order... on the client
side(!).
- Even if one thinks e.g. password or hostbased are insecure, as long
as they're enabled on the server side, one cannot "protect" such
server
by disabling it on the client side.
- Neither can one improve the security of one's own current
session, since that is already fully set up after the KEX (both plain
KEX or GSS KEX) and thus *before* auth takes place.
Right so far?
If so, then the only sense of the default order of auth methods is
probably usability, i.e. the less interaction necessary by the user,
the better.
The current default is:
gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
Which is IMHO already close to perfect:
keyboard-interactive,password come last, since they always require
manual user input.
publickey - may or may not require manual input (depending on whether
the identity key is encrypted or not), thus it should be before the two
with passphrase entry
But then I'd swap gssapi-with-mic with hostbased:
gssapi-with-mic: a krb ticket may not be available; if not, the user
would need to create one first, which likely requires passphrase input as
well... but the ticket may also already be there (thus no further
interaction needed), which is why it should come before pubkey
hostkey: well AFAIU, it either works (if enabled and ssh-keysign is
activated) or not. No interaction for the user.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Nov-08 01:40 UTC
[Bug 2309] change default PreferredAuthentications order
https://bugzilla.mindrot.org/show_bug.cgi?id=2309
Christoph Anton Mitterer <calestyo at scientia.net> changed:
What       | Removed  | Added
-----------+----------+---------
Status     | NEW      | RESOLVED
Resolution | ---      | INVALID
--- Comment #1 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Rethinking that again (which I probably should have done more carefully
before) I'll close this as invalid:
Both gssapi-with-mic (and gssapi-keyex) and hostbased won't query the
user.
- If a kerberos ticket is there, it will be used if gssapi-with-mic
comes first and one doesn't need to interact.
- If no kerberos ticket is there, gssapi-with-mic auth will fail
(respectively not tried at all) and ssh will try hostbased auth. Thus
no interaction either.
And then I think it's better to prefer the gssapi-* methods over
anything else, because if forwarding of credentials is enabled then the
user probably wants this, which wouldn't happen if hostbased kicks in
before.
Sorry for the noise O:-)
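The reasoning in the original post and in Comment #1 can be checked with a small model of how an SSH client walks its PreferredAuthentications list. The following is an added example written for this thread; it is not OpenSSH code. It follows the negotiation shape of RFC 4252 section 5.2 (the client first requests method "none", the server answers with the methods that may continue, and the client tries the first method in its own order that the server also lists) and assumes, as the thread does, that the client silently moves past a method for which it has nothing to present (no Kerberos ticket, no usable ssh-keysign, no identity file). The sets passed to the scenario functions are constructed and stand in for the server's advertised methods and its authorization decision.

```python
"""Model of SSH client authentication-method selection (added example).

Not OpenSSH code. Method names, the default order and the "skip silently
when the client has no credential" behaviour are taken from the bug thread;
the scenario data below is constructed.
"""

# Default order quoted in the bug report (OpenSSH 6.7p1).
OPENSSH_DEFAULT = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"

# Methods mentioned in the thread. Assumption: anything else is a typo.
KNOWN_METHODS = {"gssapi-with-mic", "gssapi-keyex", "hostbased", "publickey",
                 "keyboard-interactive", "password"}

# Methods that always ask the user to type a secret.
INTERACTIVE = {"keyboard-interactive", "password"}


def parse_preferred(spec):
    """Parse a PreferredAuthentications value into an ordered list.

    Rejects unknown and duplicated names so that a misspelt method cannot
    silently drop out of the order.
    """
    methods = []
    for name in spec.split(","):
        name = name.strip()
        if not name:
            continue
        if name not in KNOWN_METHODS:
            raise ValueError(f"unknown authentication method: {name!r}")
        if name in methods:
            raise ValueError(f"duplicate authentication method: {name!r}")
        methods.append(name)
    return methods


def simulate_userauth(preferred, server_can_continue, client_credentials,
                      server_accepts, encrypted_identity=False):
    """Walk the client's preference list against what the server offers.

    preferred           ordered list from parse_preferred()
    server_can_continue methods the server lists after the "none" request
    client_credentials  non-interactive methods the client can actually
                        present (ticket present, ssh-keysign usable, identity)
    server_accepts      constructed stand-in for the server's decision
    encrypted_identity  whether using the identity file needs a passphrase

    Returns (trace, prompts): (method, outcome) tuples in the order tried,
    and how many times the user had to type something.
    """
    trace, prompts = [], 0
    for method in preferred:
        if method not in server_can_continue:
            trace.append((method, "not offered by server"))
            continue
        if method in INTERACTIVE:
            prompts += 1                      # user is asked for a secret
        elif method not in client_credentials:
            # Nothing to present: the client moves on without prompting.
            trace.append((method, "skipped, no credential on client"))
            continue
        elif method == "publickey" and encrypted_identity:
            prompts += 1                      # passphrase for the identity
        if method in server_accepts:
            trace.append((method, "success"))
            return trace, prompts
        trace.append((method, "failed"))
    trace.append(("none", "all methods exhausted"))
    return trace, prompts


def scenario_no_ticket():
    """Comment #1: no Kerberos ticket, hostbased works, so no interaction."""
    return simulate_userauth(
        parse_preferred(OPENSSH_DEFAULT),
        server_can_continue={"gssapi-with-mic", "hostbased", "publickey", "password"},
        client_credentials={"hostbased", "publickey"},
        server_accepts={"hostbased", "password"})


def scenario_ticket_present():
    """Comment #1: with a ticket, gssapi-with-mic wins before hostbased."""
    return simulate_userauth(
        parse_preferred(OPENSSH_DEFAULT),
        server_can_continue={"gssapi-with-mic", "hostbased", "publickey", "password"},
        client_credentials={"gssapi-with-mic", "hostbased"},
        server_accepts={"gssapi-with-mic", "hostbased"})


def scenario_encrypted_identity():
    """Original post: an encrypted identity costs one prompt, so publickey
    sits after the non-interactive methods but before password."""
    return simulate_userauth(
        parse_preferred(OPENSSH_DEFAULT),
        server_can_continue={"publickey", "password"},
        client_credentials={"publickey"},
        server_accepts={"publickey"},
        encrypted_identity=True)


if __name__ == "__main__":
    for scenario in (scenario_no_ticket, scenario_ticket_present,
                     scenario_encrypted_identity):
        trace, prompts = scenario()
        print(scenario.__name__, "prompts:", prompts)
        for method, outcome in trace:
            print("   ", method, "->", outcome)
```

Note that the server's "can continue" set is an input the client never changes: removing a method from the client's list only changes what this client tries, which is the original post's point that client-side ordering is about interaction cost, not server protection.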
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:40 UTC
[Bug 2309] change default PreferredAuthentications order
https://bugzilla.mindrot.org/show_bug.cgi?id=2309
Damien Miller <djm at mindrot.org> changed:
What   | Removed  | Added
-------+----------+--------
Status | RESOLVED | CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release