
Re: openssh-server's default config is dangerous
On Tue 12 Jul 2016 at 18:09:22 +0100, Lisi Reisz wrote:

> This was sent to me separately privately as well.  I  might have answered 
> differently on the list, but I am not writing a second reply to the same 
> post, so here is a copy-and-paste of my reply.
> 
> On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> > On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > > I *was* asked last time I installed open-ssh*, at installation time, but
> > > did not understand the question so went with the default.  If you do not
> > > allow password log-in, what DO you allow?  For ssh to be useful, one has
> > > to use it. Note that it is not installed by default, one has to actively
> > > choose to have it.
> >
> > Before writing the original post, I checked on an Ubuntu 16.04 live
> > CD and was not asked any questions during installation of
> > openssh-server. 
> 
> My reaction to that is "well, if you will use Ubuntu, what do you expect?  
> Ubuntu is hopelessly insecure."

Your reaction is unwarranted and unsubstantiated. mwnx relates an
experience which can easily be tested. Not that anyone will; this
is -user! In fact, there is no need to install because a glance at
the templates file in the openssh-server package should be enough.

Unconvinced? Do

  dpkg-reconfigure openssh-server

Any output? Why not is left as an exercise to the user.

> > I also tried right now on a debian jessie system, 
> > and again, was not asked anything. What version of debian are you
> > running?
> 
> Jessie and Wheezy.

The question you say was presented (and hazily recollect) was presented
because you were upgrading from Wheezy to Jessie.

> > My idea was that to be able to use ssh, you should configure it
> > first, in some way or another. A very basic configuration
> > (specifically, whether to allow password auth or not) could be done
> > through a prompt during installation.
> 
> It was, last time I installed it.  (ssh-server)

No question would be seen with a fresh install of openssh-server. The
question in essence is

  Disable SSH password authentication for root?

Firstly, this has nothing to do with the original posting. Secondly,
disabling it is the default for a new install so there is no need to
ask any question.

So mwnx is correct. Not that his substantial first post finds any
favour in these parts.

> > > Where you are administering systems where you can expect users on your
> > > system to have weak passwords, change the defaults to suit.  On my
> > > network there are no weak passwords.  At least, I have chosen all
> > > passwords on the system and I go out of my way to try and make them
> > > reasonably secure.  It is also (I hope) fairly difficult for anyone else
> > > to break in in the first place.  I don't want *my* life made any harder!!
> >
> > You're looking at this from a sysadmin point of view, but many
> > debian users (I'm including Ubuntu users here) have no or little
> > knowledge of system administration.
> 
> a) I am not.  I have a small home network.  And b) then they shouldn't be 
> using ssh.  Especially Ubuntu users.  Ubuntu is hopelessly insecure in so 
> many ways it is one of the main reasons why I don't like it.
> 
> Weak passwords are a no-no in my opinion.  If you use weak passwords and it 
> causes problems, that is your problem.  Don't foist a self-created problem on 
> the rest of us.  If your network is insecurely open to the world, that is 
> also your problem.  If you are administering a large network, then you are a 
> sys-admin and can configure ssh to suit yourself.

Precisely. The original post sets up an Aunt Sally.
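The setting the thread argues about, whether password logins are allowed, is decided by sshd_config rather than by any debconf prompt. As an added example that is not part of the thread, this shell script resolves a keyword the way sshd does: the first unconditional occurrence wins, so a `PasswordAuthentication no` appended after an earlier `yes` changes nothing. The sample config, the function names and the omission of the `Keyword=value` form are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves an sshd_config keyword the
# way sshd does: the FIRST unconditional occurrence wins, keyword matching
# is case-insensitive, and lines inside a "Match" block apply only to that
# match, so the scan stops there. Only the "Keyword value" form is handled,
# not "Keyword=value" (assumption, to keep the parser short).

# Constructed sample config for demonstration; not from any real host.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
PermitRootLogin without-password
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
'

# effective_setting KEYWORD DEFAULT [CONFIG_TEXT]
# Prints the value sshd would use for KEYWORD, or DEFAULT when unset.
effective_setting() {
    printf '%s\n' "${3:-$SAMPLE_CONFIG}" | awk -v key="$1" -v def="$2" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        tolower($1) == "match" { exit }                # conditional section starts
        !found && tolower($1) == tolower(key) { val = $2; found = 1 }
        END { print (found ? val : def) }'
}

# password_auth_disabled [CONFIG_TEXT]
# Returns 0 when password logins are off, 1 when they are on. sshd's
# compiled-in default for PasswordAuthentication is "yes", so a config
# that never mentions the keyword still allows password logins.
password_auth_disabled() {
    [ "$(effective_setting PasswordAuthentication yes "$1")" = no ]
}

if password_auth_disabled; then
    echo "sample config: password authentication is disabled"
else
    echo "sample config: password authentication is ENABLED (first match wins)"
fi
echo "sample config: PermitRootLogin = $(effective_setting PermitRootLogin '(sshd default)')"
```

Run it against a real host with `effective_setting PasswordAuthentication yes "$(cat /etc/ssh/sshd_config)"`; `sshd -T` gives the same answer from sshd itself where it is installed.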