
Debian Live 7.6 is running an ssh server



I was extremely surprised to discover that I was able to ssh to a machine that I booted with Debian Live using simply user=user and password=live.

Is this a bug or a design choice? Testing a few live images, it seems to have started in 7.0 and it's still present in 7.6.

In my opinion this is a huge security risk. It allows an attacker to not only spy on the live session, but to access the machine's hard drive, potentially modifying files to control the machine on reboot.

Looking around, it seems people agree with me: live distributions should not come with sshd enabled. People who need the feature can always start the service themselves or make their own custom live image.
https://unix.stackexchange.com/questions/43012/remote-accesible-live-distribution-aka-live-cd

    Francois