[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#784043: Debian Live DVD 8.0.0 ssh server enabled by default



On Sat, 2015-05-02 at 13:41 +0100, f0lil wrote:
> The ssh service should be disabled by default because an attacker
> could exploit this.
I think that's actually more a general problem of Debian, i.e. that it
enables most services right at installing the package, which is
security-wise typically very bad, since the package is usually yet
unconfigured (or perhaps just "half configured" e.g. by debconf).

So this situation is quite unfortunate and actually has IMHO already
lead to unnecessary security holes in the past.

But when I've brought up the issue in past "security realted"
discussions on debian-devel, the (loud) majority seem to have preferred
works-somehow-out-of-the-box™ than works-securely.


> The Live DVD comes with a default username and password making the
> threat very real.
It's even worse in the sense that the entropy used to generate the host
keys will be typically very low,.. at least right after boot.
So the keymaterial could be bad either.

Anyway, what do you mean with default username/password? root? Or the
normal user?
Cause as for root, Debian's current default SSH config should allow
login only "without-password".


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Reply to: