[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

openssh-server's default config is dangerous


I would like to initiate a discussion about the security
implications of the default sshd_config file, created after an
installation of the openssh-server package.

Currently, after installing openssh-server, anyone can gain access
to any user's account on the system using only the corresponding
user's password. As we know, people do not necessarily use the most
secure of passwords. This will especially be the case if the user
does not expect his computer to be accessible in any way from the

But wait, why would someone install openssh-server if he does not
plan on having his account being accessible through a network?
Well, there are several possible scenarios:
- The user is unsure what package he should install to e.g. get
  access to an ssh client, and so installs several related looking
- The user installs it by mistake by using e.g. a regex
    sudo apt-get install ^openssh
  not knowing there is an openssh-server package.
- The user installs it to perform a task temporarily, e.g. to make a
  backup via rsync, and forgets to remove it.
- Someone maliciously instructs the user to install the package. The
  user thinks this is safe since the package is part of the official
- But the main cause will be all of openssh-server's reverse
  dependencies. They can be listed with
    apt-cache rdepends openssh-server
  The worse offender I can see is the 'ssh' package: many people
  wanting an ssh client will likely just do a
    sudo apt-get install ssh
  and unwittingly end up with the server as well.
- And so on...

In any case, I feel that the mere installation of a package should
never expose the system to new vulnerabilities, save in the case of
an unknown bug of course.

Furthermore, it would be considered bad security practice by pretty
much any competent system administrator to use password
authentication for ssh anyway. Why do the debian packagers feel it
is okay to have bad security be the default?

I have found that even I –a reasonably seasoned debian user– have
accidentally exposed some machines on my network. Indeed, the
reason, I started writing this is that I very recently found an
affected device on my home network using nmap. And I dearly hope I
have not left such a gaping security hole in a family member or a
friend's laptop on which I helped install Ubuntu, which has the same
problem by the way.

I believe the current behaviour to be extremely dangerous, and that
it could be (and probably has been) used to attack laptops,
especially on public wifi, employees' computers on corporate
networks, and personal computers on home networks (especially with
IPv6 and no or poorly configured firewall).

I do not know if this is the best place to start this discussion,
but hopefully some changes can come of it.

GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726

Reply to: