
Re: openssh-server's default config is dangerous



On Tuesday 12 July 2016 19:16:37 Brian wrote:
> On Tue 12 Jul 2016 at 18:09:22 +0100, Lisi Reisz wrote:
> > This was sent to me separately privately as well.  I  might have answered
> > differently on the list, but I am not writing a second reply to the same
> > post, so here is a copy-and-paste of my reply.
> >
> > On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> > > On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > > > I *was* asked last time I installed open-ssh*, at installation time,
> > > > but did not understand the question so went with the default.  If you
> > > > do not allow password log-in, what DO you allow?  For ssh to be
> > > > useful, one has to use it. Note that it is not installed by default,
> > > > one has to actively choose to have it.
> > >
> > > Before writing the original post, I checked on an Ubuntu 16.04 live
> > > CD and was not asked any questions during installation of
> > > openssh-server.
> >
> > My reaction to that is "well, if you will use Ubuntu, what do you expect?
> > Ubuntu is hopelessly insecure."
>
> Your reaction is unwarranted and unsubstantiated.

Yes, probably.  It was my reaction, and has been my experience in general -
but I did not test this.  I was annoyed that mwnx had gone personal in that
way.  Mea culpa.

> mwnx relates an
> experience which can easily be tested. Not that anyone will; this
> is -user! In fact, there is no need to install because a glance at
> the templates file in the openssh-server package should be enough.
>
> Unconvinced? Do
>
>   dpkg-reconfigure openssh-server
>
> Any output? Why not is left as an exercise to the user.
>
> > > I also tried right now on a debian jessie system,
> > > and again, was not asked anything. What version of debian are you
> > > running?
> >
> > Jessie and Wheezy.
>
> The question you say was presented (and hazily recollect) was presented
> because you were upgrading from Wheezy to Jessie.

No, that is neither what I said nor what I meant.  I do not have ssh on any of
my systems unless I need it.  So the last twice I did

# aptitude install openssh-client openssh-server

I think once on Wheezy and once on Jessie, but am not absolutely certain that
that was the order in which I did it, so it could have been the two Jessie
computers that I did last.  I have installed ssh recently on one Wheezy
computer and two Jessie ones.  I did not write the question down, but I was
asked it.
>
> > > My idea was that to be able to use ssh, you should configure it
> > > first, in some way or another. A very basic configuration
> > > (specifically, whether to allow password auth or not) could be done
> > > through a prompt during installation.
> >
> > It was, last time I installed it.  (ssh-server)
>
> No question would be seen with a fresh install of openssh-server. The
>  question in essence is
>
>   Disable SSH password authentication for root?

No it was an a or b choice.
>
> Firstly, this has nothing to do with the original posting. Secondly,
> disabling it is the default for a new install so there is no need to
> ask any question.

It wasn't I who wanted it.  Though I want password access, so if the default
is now no password access I am glad to have the information you give above.

Lisi
>
> So mwnx is correct. Not that his substantial first post finds any
> favour in these parts.
>
> > > > Where you are administering systems where you can expect users on
> > > > your system to have weak passwords, change the defaults to suit.  On
> > > > my network there are no weak passwords.  At least, I have chosen all
> > > > passwords on the system and I go out of my way to try and make them
> > > > reasonably secure.  It is also (I hope) fairly difficult for anyone
> > > > else to break in in the first place.  I don't want *my* life made any
> > > > harder!!
> > >
> > > You're looking at this from a sysadmin point of view, but many
> > > debian users (I'm including Ubuntu users here) have no or little
> > > knowledge of system administration.
> >
> > a) I am not.  I have a small home network.  And b) then they shouldn't be
> > using ssh.  Especially Ubuntu users.  Ubuntu is hopelessly insecure in so
> > many ways it is one of the main reasons why I don't like it.
> >
> > Weak passwords are a no-no in my opinion.  If you use weak passwords and
> > it causes problems, that is your problem.  Don't foist a self-created
> > problem on the rest of us.  If your network is insecurely open to the
> > world, that is also your problem.  If you are administering a large
> > network, then you are a sys-admin and can configure ssh to suit yourself.
>
> Precisely. The original post sets up an Aunt Sally.
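A check of the kind Brian suggests, written here as an added example that is not from the thread or from the openssh-server package: a small POSIX shell script that reads an sshd_config (a constructed sample is embedded) and reports the effective PermitRootLogin and PasswordAuthentication values, applying sshd's rule that the first occurrence of a keyword wins and comment lines are ignored. The fallback defaults passed in are assumptions; the value sshd uses when a keyword is absent depends on the OpenSSH version.

```shell
#!/bin/sh
# Constructed sshd_config in the style of the file the openssh-server package
# installs (not a copy of it).  Commented-out lines are ignored by sshd.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
Protocol 2
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
'

# effective_setting FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD in the global section of FILE:
# keywords are case-insensitive, the first non-comment occurrence wins, and
# DEFAULT is printed when the keyword is absent.  Only the "Keyword value"
# form is handled (assumption), not "Keyword=value"; Match blocks are skipped.
effective_setting() {
    file=$1; key=$2; default=$3
    value=$(awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }   # settings below a Match line are conditional
        k == key { print $2; exit }
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# audit_sshd_config FILE: one-line summary of the two settings the thread is about.
audit_sshd_config() {
    root=$(effective_setting "$1" PermitRootLogin yes)
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' "$root" "$pw"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; for the authoritative view, including version-specific defaults, compare with the output of `sshd -T` on the same host.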
