
Re: openssh-server's default config is dangerous



On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> I was asked last time I installed open-ssh*, at installation time, but did
> not understand the question so went with the default.  If you do not allow
> password log-in, what DO you allow?  For ssh to be useful, one has to use it.
> Note that it is not installed by default, one has to actively choose to have
> it.

Before writing the original post, I checked on an Ubuntu 16.04 live
CD and was not asked any questions during installation of
openssh-server. I also tried right now on a Debian jessie system,
and again, was not asked anything. What version of Debian are you
running?

My idea was that to be able to use ssh, you should configure it
first, in some way or another. A very basic configuration
(specifically, whether to allow password auth or not) could be done
through a prompt during installation.

> Where you are administering systems where you can expect users on your system
> to have weak passwords, change the defaults to suit.  On my network there are
> no weak passwords.  At least, I have chosen all passwords on the system and I
> go out of my way to try and make them reasonably secure.  It is also (I hope)
> fairly difficult for anyone else to break in in the first place.  I don't
> want my life made any harder!!

You're looking at this from a sysadmin point of view, but many
Debian users (I'm including Ubuntu users here) have no or little
knowledge of system administration.

-- 
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726

