Re: openssh-server's default config is dangerous



On Tue, 12 Jul 2016, Nicolas George wrote:
> On quintidi 25 Messidor, year CCXXIV, Don Armstrong wrote:
> > If a service's default configuration is insecure, it should be fixed.
> > File a bug.
> 
> If you think about it slightly more than two seconds,

This is incredibly rude. Considering that I maintain multiple things
which install daemons in Debian, I've thought about this for
significantly more than two seconds.

> you will realize that if the default configuration does ANYTHING, even
> something that is completely harmless in 99.99% of the cases, then
> there will be some cases where this is a serious issue, where the
> administrator really did not want it to happen. Even if it is only
> 0.01% of the cases, that is still too many.

This is the endless security vs utility debate. The most secure system
is a system which is completely useless. Discussing this issue in the
abstract isn't particularly useful. Discussing it in particular cases
(like openssh-server's configuration) is useful, and then it becomes a
question of where to draw the line.

There's a reason why many daemons that do start only listen on
localhost. Or only listen on sockets. Or don't do anything but serve
static files out of very specific directories.

> I am flabbergasted to see how many people oppose the obviously
> correct solution to that kind of issue: have a global option "Start
> services after installing? always / ask / never".

That option already exists. See policy-rc.d. For example:

https://jpetazzo.github.io/2013/10/06/policy-rc-d-do-not-start-services-automatically/

-- 
Don Armstrong                      https://www.donarmstrong.com

in Just-
spring      when the world is mud-
luscious the little lame balloonman 

whistles       far       and wee 
 -- e.e. cummings "[in Just-]"
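
A sketch of the policy-rc.d mechanism mentioned in the message above, as an added example that is not part of the original message or the linked article. invoke-rc.d runs /usr/sbin/policy-rc.d before acting on a service and treats exit status 101 as "forbidden by policy" and 0 as "allowed"; the allow-list contents and the function name policy_decide are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a /usr/sbin/policy-rc.d that denies service starts by default.
# invoke-rc.d calls it as:
#   policy-rc.d [options] <initscript-id> <actions> [<runlevel>]
# Exit 0 = action allowed, 101 = action forbidden by policy.

# Constructed allow-list (assumption): services that may start on install.
ALLOWED_SERVICES="${ALLOWED_SERVICES:-cron rsyslog}"

policy_decide() {
    # Skip leading options such as --quiet.
    while [ $# -gt 0 ]; do
        case "$1" in
            --*) shift ;;
            *) break ;;
        esac
    done
    service="${1:-}"
    actions="${2:-}"

    # Fail closed on a malformed call: no service or no action means "deny".
    if [ -z "$service" ] || [ -z "$actions" ]; then
        return 101
    fi

    for action in $actions; do
        case "$action" in
            # Stopping a daemon never widens exposure, so always permit it.
            stop|force-stop) continue ;;
        esac
        # Any other action (start, restart, reload, ...) needs the allow-list.
        case " $ALLOWED_SERVICES " in
            *" $service "*) ;;
            *) return 101 ;;
        esac
    done
    return 0
}

# Act as the real hook only when installed under the name policy-rc.d.
case "${0##*/}" in
    policy-rc.d) policy_decide "$@"; exit $? ;;
esac
```

With this installed and executable, a freshly installed openssh-server (init script id `ssh`) is unpacked and configured but not started until the administrator reviews its configuration and starts it by hand.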
