Re: openssh-server's default config is dangerous

To: debian-user@lists.debian.org
Subject: Re: openssh-server's default config is dangerous
From: Lisi Reisz <lisi.reisz@gmail.com>
Date: Tue, 12 Jul 2016 18:09:22 +0100
Message-id: <[🔎] 201607121809.22777.lisi.reisz@gmail.com>
In-reply-to: <[🔎] 20160712164750.GB4114@debian>
References: <[🔎] 20160712092610.GA6945@debian> <[🔎] 201607121418.58938.lisi.reisz@gmail.com> <[🔎] 20160712164750.GB4114@debian>

This was sent to me separately privately as well.  I  might have answered 
differently on the list, but I am not writing a second reply to the same 
post, so here is a copy-and-paste of my reply.

On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > I *was* asked last time I installed open-ssh*, at installation time, but
> > did not understand the question so went with the default.  If you do not
> > allow password log-in, what DO you allow?  For ssh to be useful, one has
> > to use it. Note that it is not installed by default, one has to actively
> > choose to have it.
>
> Before writing the original post, I checked on an Ubuntu 16.04 live
> CD and was not asked any questions during installation of
> openssh-server. 

My reaction to that is "well, if you will use Ubuntu, what do you expect?  
Ubuntu is hopelessly insecure."

> I also tried right now on a debian jessie system, 
> and again, was not asked anything. What version of debian are you
> running?

Jessie and Wheezy.
>
> My idea was that to be able to use ssh, you should configure it
> first, in some way or another. A very basic configuration
> (specifically, whether to allow password auth or not) could be done
> through a prompt during installation.

It was, last time I installed it.  (ssh-server)  

> > Where you are administering systems where you can expect users on your
> > system to have weak passwords, change the defaults to suit.  On my
> > network there are no weak passwords.  At least, I have chosen all
> > passwords on the system and I go out of my way to try and make them
> > reasonably secure.  It is also (I hope) fairly difficult for anyone else
> > to break in in the first place.  I don't want *my* life made any harder!!
>
> You're looking at this from a sysadmin point of view, but many
> debian users (I'm including Ubuntu users here) have no or little
> knowledge of system administration.

a) I am not.  I have a small home network.  And b) then they shouldn't be 
using ssh.  Especially Ubuntu users.  Ubuntu is hopelessly insecure in so 
many ways it is one of the main reasons why I don't like it.

Weak passwords are a no-no in my opinion.  If you use weak passwords and it 
causes problems, that is your problem.  Don't foist a self-created problem on 
the rest of us.  If your network is insecurely open to the world, that is 
also your problem.  If you are administering a large network, then you are a 
sys-admin and can configure ssh to suit yourself.

Lisi

Reply to:

Follow-Ups:
- Re: openssh-server's default config is dangerous
  - From: Brian <ad44@cityscape.co.uk>

References:
- openssh-server's default config is dangerous
  - From: mwnx <mwnx@gmx.com>
- Re: openssh-server's default config is dangerous
  - From: Lisi Reisz <lisi.reisz@gmail.com>
- Re: openssh-server's default config is dangerous
  - From: mwnx <mwnx@gmx.com>

Prev by Date: Re: epson L210 scan
Next by Date: Re: openssh-server's default config is dangerous
Previous by thread: Re: openssh-server's default config is dangerous
Next by thread: Re: openssh-server's default config is dangerous
Index(es):
- Date
- Thread