Your message dated Wed, 2 Aug 2023 15:21:58 +0200
with message-id <8bd7acd7-40d0-d99d-4a86-1d073fe2a04c@berhoerster.name>
and subject line Re: Bug#1042823: Cannot log into SLBackup web frontend with sshd default configuration
has caused the Debian Bug report #1042823,
regarding Cannot log into SLBackup web frontend with sshd default configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1042823: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042823
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Cannot log into SLBackup web frontend with sshd default configuration
- From: Guido Berhoerster <guido@berhoerster.name>
- Date: Tue, 1 Aug 2023 14:52:38 +0200
- Message-id: <151d0406-9fc2-b401-a220-42527bb61967@berhoerster.name>
Package: debian-edu-config
Version: 2.12.33

The Debian openssh-server disables login as root using a password by default. As noted in the DebianEdu documentation this must be changed manually for the SLBackup web frontend to work:

> Note: the site will only work if you temporarily allow SSH root login on the backup server, which is the main server (tjener.intern) by default.

I'm wondering whether we should allow password-based logins from localhost by default? E.g. through a drop-in file /etc/ssh/sshd_config.d/debia-edu.conf:

    Match Address 127.0.0.1,10.0.2.2
        PermitRootLogin yes

-- 
Guido Berhoerster
--- End Message ---
--- Begin Message ---
- To: 1042823-done@bugs.debian.org
- Subject: Re: Bug#1042823: Cannot log into SLBackup web frontend with sshd default configuration
- From: Guido Berhoerster <guido@berhoerster.name>
- Date: Wed, 2 Aug 2023 15:21:58 +0200
- Message-id: <8bd7acd7-40d0-d99d-4a86-1d073fe2a04c@berhoerster.name>
- In-reply-to: <ZMksyq97jYmKi4mI@layer-acht.org>
- References: <151d0406-9fc2-b401-a220-42527bb61967@berhoerster.name> <ZMksyq97jYmKi4mI@layer-acht.org> <ZMksyq97jYmKi4mI@layer-acht.org>
On Tue, 1 Aug 2023 16:03:22 +0000 Holger Levsen <holger@layer-acht.org> wrote:
> On Tue, Aug 01, 2023 at 02:52:38PM +0200, Guido Berhoerster wrote:
> > The Debian openssh-server disables login as root using a password by
> > default. As noted in the DebianEdu documentation this must be
> > changed manually for the SLBackup web frontend to work:
> >
> > > Note: the site will only work if you temporarily allow SSH root login on the backup server, which is the main server (tjener.intern) by default.
> >
> > I'm wondering whether we should allow password-based logins from
> > localhost by default? E.g. through a drop-in file
> > /etc/ssh/sshd_config.d/debia-edu.conf:
>
> can't we teach slbackup to work with ssh-key authentication?
> it's 2023.

Well, that would give the www-data user basically unrestricted root access.

After spending more time on fixing the frontend than I intended and examining the code I've come to the conclusion this feature request is a bad idea. The web frontend uses SSH password login both as a way to authenticate a user and then run commands as root. It also stores the root password in a cookie, protected by some homemade encryption, i.e. XORing it with a hash of the current time of day, which is then presented to everything else running under www…

So, instead of enabling this frontend by default we should rather strongly discourage its use in bookworm and remove the package from unstable. Nobody should use something like this in 2023, there are plenty of alternative backup solutions available in Debian.

-- 
Guido Berhoerster
--- End Message ---
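As an added example (not part of the bug report, the reply, or the debian-edu-config package), the following Python checker parses an sshd_config drop-in such as the one proposed in the report, tracks Match scopes using sshd's first-value-wins rule, and reports every scope in which root could still authenticate with a password, which is the concern raised in the reply. The two sample drop-ins are constructed here: the proposed one, and a key-only variant that keeps the Debian default.

```python
from typing import Dict, List, Tuple
# Constructed sample: the drop-in proposed in the bug report.
PROPOSED_DROPIN = """\
Match Address 127.0.0.1,10.0.2.2
    PermitRootLogin yes
"""

# Constructed sample: root from localhost with keys only, never a password.
KEY_ONLY_DROPIN = """\
PermitRootLogin prohibit-password
Match Address 127.0.0.1
    PermitRootLogin prohibit-password
    PasswordAuthentication no
"""

def parse_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (scope, keyword, value) triples; a Match line opens a new scope."""
    scope = "global"
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = f"Match {value}"
            continue
        entries.append((scope, keyword, value))
    return entries

def find_password_root_logins(text: str) -> List[str]:
    """Return the scopes in which root could authenticate with a password."""
    # sshd keeps the first value it sees for a keyword within a scope.
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    for scope, keyword, value in parse_sshd_config(text):
        scopes.setdefault(scope, {}).setdefault(keyword, value)
    glob = scopes["global"]
    findings = []
    for scope, settings in scopes.items():
        # A Match block inherits what it does not set from the global scope;
        # OpenSSH's defaults are prohibit-password and PasswordAuthentication yes.
        root = settings.get("permitrootlogin", glob.get("permitrootlogin", "prohibit-password"))
        pw = settings.get("passwordauthentication", glob.get("passwordauthentication", "yes"))
        if root.lower() == "yes" and pw.lower() == "yes":
            findings.append(scope)
    return findings
```

Run against the proposed drop-in it reports the `Match Address 127.0.0.1,10.0.2.2` scope; against the key-only variant it reports nothing.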