On Sat, 2015-05-02 at 13:41 +0100, f0lil wrote:
> The ssh service should be disabled by default because an attacker
> could exploit this.

I think that's actually more a general problem of Debian, i.e. that it
enables most services right at installing the package, which is
security-wise typically very bad, since the package is usually yet
unconfigured (or perhaps just "half configured", e.g. by debconf).

So this situation is quite unfortunate and actually has IMHO already led
to unnecessary security holes in the past. But when I've brought up the
issue in past "security related" discussions on debian-devel, the (loud)
majority seem to have preferred works-somehow-out-of-the-box™ over
works-securely.

> The Live DVD comes with a default username and password making the
> threat very real.

It's even worse in the sense that the entropy used to generate the host
keys will typically be very low, at least right after boot. So the key
material could be bad as well.

Anyway, what do you mean with default username/password? root? Or the
normal user? Because as for root, Debian's current default SSH config
should allow login only "without-password".

Cheers,
Chris.
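To check the two points raised in the reply on a live system, here is a small audit script. It is an added example, not code from the list thread or from Debian: it reads the effective PermitRootLogin value from an sshd_config (first occurrence wins, Match blocks ignored) and compares the kernel entropy pool against an assumed 256-bit minimum; the sample config and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the sshd PermitRootLogin
# setting and the kernel entropy pool discussed in the reply.

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd takes the first occurrence of a keyword; keywords are
# case-insensitive and '#' starts a comment. Match blocks are not
# handled here (simplification).
permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    # Upstream OpenSSH 6.x treats an absent keyword as "yes".
    printf '%s\n' "${val:-yes}"
}

# Classify the risk: a default root password only matters if sshd will
# accept a password for root at all.
root_login_risk() {
    case "$(permit_root_login "$1")" in
        no|without-password|prohibit-password|forced-commands-only) echo "ok" ;;
        yes) echo "password-root-login" ;;
        *) echo "unknown" ;;
    esac
}

# Entropy available to the kernel pool, in bits. Right after a live boot
# this is often tiny, which is the host-key concern in the reply. The
# 256-bit threshold is an assumed minimum, not a Debian value.
entropy_ok() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || echo 0)
    [ "$avail" -ge "${2:-256}" ]
}

# Demo on a constructed sshd_config (the second line mirrors the Debian
# default the reply mentions; the third shows first-match semantics).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin without-password
PermitRootLogin yes
EOF
echo "PermitRootLogin: $(permit_root_login "$tmp") -> $(root_login_risk "$tmp")"
entropy_ok && echo "entropy: sufficient" || echo "entropy: low or unknown"
rm -f "$tmp"
```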