Re: [suse-security] suggestion for ssh packaging
Hi Bob...
1) I do not think ssh is such an insecure service to be worried about the fact that it's installed by default.
2) anyone who is a little bit interested in his/her system will/should at least once check the settings in /etc/rc.config. The various START_* variables are really quite easy to understand (even for a novice) so all you have to do is set the value to "no" for all services that you don't know/need. A little reading in your handbook will give you enough info to make the right decision. The real problem nowadays is that most people don't want to be bothered reading anything anymore :-)
At 12:36 04.01.01 +0000, you wrote:
Hello,
I have 2 suggestions that I believe will increase both security and usability:
(1) split the ssh packages into client and server parts
Uh I think I wouldn't like that. If SuSE starts doing that with all client/server stuff I will switch distro :-)
(2) have an ssh client installed as default
It is absurd that someone who installs an ssh client should find themselves running an ssh server. I would like to see most desktops in the world running an ssh client, but only a tiny minority should be running ssh servers.
The current situation could lead to people who have installed ssh so that they can access remote servers securely finding their home computers have been compromised because they unknowingly run an ssh service.
Ssh is not _that_ easy to compromise (if I compare it to telnet for instance) so if we are talking security I'd rather have a few services disabled in /etc/inetd.conf
The second suggestion is just to make my life easier...part of my job is to explain to people how to install ssh clients on their home machine, and the less they have to do the better.
rpm -ql ssh will tell you what files are installed, /etc/ssh* will be sufficient to configure the package for your needs and /etc/rc.config needs START_SSHD=no. That's pretty much it as far as manual intervention goes and with that everyone can use ssh clients and no server is running.
Happy new year, Bob
Happy new year to you as well!
Erwin
Erwin Zierler | Web-/Hostmaster - Stubainet | Email: Erwin.Zierler@stubainet.at / webmaster@stubainet.at | Tel.: 05225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
Erwin,
Any service is potentially insecure, and sshd is intrinsically insecure because it is *designed* to let people log in to a machine and start a shell.
I don't think you are putting yourself in the place of a typical user. We want Linux to be available to everybody, right? We want it to take over from Windows as the operating system of choice for a home user, don't we? I'm afraid we don't stand a chance if we demand that people be 'interested' in their system and wade through fat manuals.
A typical user wants to run applications, play games, surf the net, that sort of thing. They are probably not used to the idea of setting a password so will set it to be the same as their name. After all, they trust everyone else in their family. It will never occur to them that by connecting to the internet they enable anyone in the world to log in to the computer in their bedroom and start doing damage.
You are right that it is easy to look through rc.config and change things. But most users would never think of doing it. In contrast the sort of person who needs to run an ssh server will probably be well-used to that kind of system admin and will be very happy to edit rc.config.
Regards, Bob
On Thu, 4 Jan 2001, Erwin Zierler - Stubainet wrote:
Hi Bob...
1) I do not think ssh is such an insecure service to be worried about the fact that it's installed by default.
2) anyone who is a little bit interested in his/her system will/should at least once check the settings in /etc/rc.config. The various START_* variables are really quite easy to understand (even for a novice) so all you have to do is set the value to "no" for all services that you don't know/need. A little reading in your handbook will give you enough info to make the right decision. The real problem nowadays is that most people don't want to be bothered reading anything anymore :-)
At 12:36 04.01.01 +0000, you wrote:
Hello,
I have 2 suggestions that I believe will increase both security and usability:
(1) split the ssh packages into client and server parts
Uh I think I wouldn't like that. If SuSE starts doing that with all client/server stuff I will switch distro :-)
(2) have an ssh client installed as default
It is absurd that someone who installs an ssh client should find themselves running an ssh server. I would like to see most desktops in the world running an ssh client, but only a tiny minority should be running ssh servers.
The current situation could lead to people who have installed ssh so that they can access remote servers securely finding their home computers have been compromised because they unknowingly run an ssh service.
Ssh is not _that_ easy to compromise (if I compare it to telnet for instance) so if we are talking security I'd rather have a few services disabled in /etc/inetd.conf
The second suggestion is just to make my life easier...part of my job is to explain to people how to install ssh clients on their home machine, and the less they have to do the better.
rpm -ql ssh will tell you what files are installed, /etc/ssh* will be sufficient to configure the package for your needs and /etc/rc.config needs START_SSHD=no. That's pretty much it as far as manual intervention goes and with that everyone can use ssh clients and no server is running.
Happy new year, Bob
Happy new year to you as well!
Erwin
Erwin Zierler | Web-/Hostmaster - Stubainet | Email: Erwin.Zierler@stubainet.at / webmaster@stubainet.at | Tel.: 05225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
Bob Vickers
R.Vickers@dcs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
On Thu, Jan 04, 2001 at 17:28 +0000, Bob Vickers wrote:
I don't think you are putting yourself in the place of a typical user. We want Linux to be available to everybody, right?
Maybe the "average Joe User" wants to do it this way. This doesn't necessarily mean that I would like to support him doing so.
We want it to take over from Windows as the operating system of choice for a home user, don't we?
No, we don't! At least I wouldn't want to. There's no point in ramming Linux or UNIX down every kid's throat because "it's cool". If they aren't used to thinking just a little and aren't willing to do it in future (they had to learn it again), then they shouldn't use such complex systems. For their own sake. And for the sake of the UNIX world. This is not about sounding some kind of elite but to keep *both* sides happy.
I'm afraid we don't stand a chance if we demand that people be 'interested' in their system and wade through fat manuals.
Fine! So there's still some hope ... :) Excuse me, but telling people "just install this software and everything is fine" is exactly what I *don't* ever want to get. Especially when talking about a UNIX with a very different user crowd (hopefully) than Windows dummies. To make it clear: I don't state that Windows users are fools by definition, but definitely those without expectations of their own and those who are easily blinded by shiny surfaces are more easily satisfied with this environment than those who have seen what computing could be like. Leave them where they're happy. Don't drag them somewhere they were unhappy themselves and would cause PITAs to those who don't want them near (since it will be work and hassle only with no or too little gain) ...
No, I definitely don't want another Windows based on a UNIX system! It would suck as much as the original -- and even more since it can only be a sad imitation of it and cannot even reach the full advantage the original might have in some respects (quick and easy success in the beginning, no matter how hard it is to circumvent the mostly unnecessary obstacles which arise later when you're getting serious) while bringing with it its own downsides (increased complexity right from the start, to extend more naturally and less painfully when you grow up).
A typical user wants to run applications, play games, surf the net, that sort of thing. They are probably not used to the idea of setting a password so will set it to be the same as their name. After all, they trust everyone else in their family. It will never occur to them that by connecting to the internet they enable anyone in the world to login to the computer in their bedroom and start doing damage.
Fine, then give them their Gameboy and a Wintel PC. Don't tell them that the UNIX advantage comes from _installing_ such a system. It only comes from _using_ it in the appropriate way. In combination with a brain and some degree of seriousness. Yes, it causes effort. And yes, it pays back multiple times. But one definitely has to invest in getting over the initial stages. Those who don't want to do this investment will only do harm to "the project" of "spreading the word". They won't understand the spirit, thus they won't have success of their own (you cannot fight against UNIX without losing, you can only win going _with_ it -- as you might know yourself very well). That's when you had to "push" those new (probably not voluntary) users or "carry" them through their way in the UNIX world. (sorry, I lack better words, but the idea is that you - as a member of the UNIX community - will have some additional baggage with no way of having it "walk on its own feet" at some point in the future -- it's a loss what you call a win, to take over the world of desktop machines and bug the uninterested minds with something they actually don't want to have)
BTW, it is what I learnt by heart in the DOS environment: that you *never* run a software you installed _without_ checking _every_ setting it made in the setup process. Defective defaults are more common today than useful or demanded (by common sense) ones. The baseline seems to be "don't bother people with information, don't ask them to think themselves, just make them happy and have them buy my stuff". B.G.'s "If you can't make it good, make it look good" comes to mind.
To not only moan in all the message and to speak to the original content: Your suggestion of splitting the ssh package into its server and its client side (this will make at least three parts, there's some "generic" stuff you cannot assign to one or the other and you don't want to include in both, and there will be some additional stuff - read: addons like frontends -- see RH, MDK, and the like who already split ssh) might be an idea worth consideration. But not for the reasons you suggest. More for saving disk space (does anyone still care these days about saving 100k and installing 50MB office software or 15MB all singing and dancing browsers in the next second?) or maybe easier upgrading of single aspects of such a package. But it's twofold: splitting might as well increase complexity as well as make happy SuSE users turn their back and leave ... :)
BTW, I do see a perfectly valid reason for running sshd on "normal" workstations: It's not a one way street to ssh into a shell server or remote machine to administer, you might as well scp(1) some stuff around or trigger some action by accessing a limited set of remote commands you can issue. Just state your restrictions in the sshd's configuration: Don't let any external machine in, don't accept dangerous methods of authentication, maybe don't let in some users, maybe restrict valid commands to be invoked from remote, etc. It's all in your hands. And you can always combine it with additional layers of access control (tcpd, packet filters - yes, they're useful on desktop machines, too - and the like). And don't tell me "but those who don't want to know won't have an advantage", it's something they just _cannot_ get without doing their own part. You always get what you pay for ...
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
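As an added example (not code from the thread, from SuSE or from any of the posters), a small POSIX sh audit of the two knobs this message and Erwin's earlier one point at: whether START_SSHD in an rc.config-style file is "yes", and, if so, whether the kind of sshd_config restrictions Gerhard lists (no root login, no password authentication, listen only locally, an explicit AllowUsers list) are in place. The rc.config and sshd_config contents are constructed samples written to a temp directory, and the exact restriction set checked is my own choice.

```shell
#!/bin/sh
# Added example, not code from the thread: audit START_SSHD in an rc.config-style
# file and the restrictions a workstation sshd_config should carry.
# Sample files are constructed below so the script runs offline.

# Effective value of a START_* variable (shell syntax, last assignment wins).
rc_value() { # rc_value VAR FILE
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Effective value of an sshd_config keyword (first occurrence wins, keyword is case-insensitive).
sshd_value() { # sshd_value KEYWORD FILE
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$2"
}

# Returns 0 when no server starts, or when it starts with every restriction in place.
audit_sshd() { # audit_sshd RC_CONFIG SSHD_CONFIG
    [ "$(rc_value START_SSHD "$1")" = "yes" ] || { echo "START_SSHD is not yes: no server"; return 0; }
    rc=0
    for kv in "PermitRootLogin no" "PasswordAuthentication no" "ListenAddress 127.0.0.1"; do
        k=${kv% *}; want=${kv#* }; got=$(sshd_value "$k" "$2")
        [ "$got" = "$want" ] || { echo "$k: got '${got:-unset}', want '$want'"; rc=1; }
    done
    [ -n "$(sshd_value AllowUsers "$2")" ] || { echo "AllowUsers: unset, every account may log in"; rc=1; }
    return $rc
}

# Constructed samples: a default-style install versus a restricted one.
TMP=$(mktemp -d)
printf 'START_INETD="yes"\nSTART_SSHD="yes"\n' >"$TMP/rc.default"
printf 'START_SSHD="yes"\nSTART_SSHD="no"   # last one wins\n' >"$TMP/rc.off"
printf '#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n' >"$TMP/sshd.default"
printf 'ListenAddress 127.0.0.1\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers bob\n' >"$TMP/sshd.hard"

audit_sshd "$TMP/rc.default" "$TMP/sshd.default" || echo "==> default install: sshd runs unrestricted"
audit_sshd "$TMP/rc.default" "$TMP/sshd.hard" && echo "==> restricted sshd: acceptable"
audit_sshd "$TMP/rc.off" "$TMP/sshd.default"
```

Point the two functions at the real /etc/rc.config and /etc/ssh/sshd_config to audit an actual SuSE box; the temp directory is left in place so the sample files can be inspected.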
Any service is potentially insecure, and sshd is intrinsically insecure because it is *designed* to let people login to a machine and start a shell.
By that definition, mingetty is an insecure service...so should I turn it off? Should SuSE not include it, either?
I don't think you are putting yourself in the place of a typical user. We want Linux to be available to everybody, right?
It is already available to anyone who wants to use it.
We want it to take over from Windows as the operating system of choice for a home user, don't we?
No...who said that?
I'm afraid we don't stand a chance if we demand that people be 'interested' in their system and wade through fat manuals.
If people don't care about their system, they should be prepared to accept the consequences of their decision. Sure, Windows may be a little less stable, a little more sluggish sometimes, and less configurable. But some people are prepared to accept those problems. Let them have it.
A typical user wants to run applications, play games, surf the net, that sort of thing. They are probably not used to the idea of setting a password so will set it to be the same as their name.
There are systems designed for just these sort of people...they're called Macs and Windows systems.
You are right that it is easy to look through rc.config and change things. But most users would never think of doing it.
That's why most users happily use Windows. I don't understand this weird uber-advocacy stance that says we have to convert every single Windows user to Linux and make Linux the one and only operating system on earth. It's completely irrational and goes against the very idea of having a choice of computer operating systems. If people aren't interested in learning the complexities of Linux systems, they are free to use Windows or Macs. If someone wants to sugar-coat Linux for them, that's fine, too. There are already distributions that try to do this (Mandrake, Storm). Just because they are doing it, doesn't mean SuSE needs to. SuSE has a nice balance where it is.
--
Jeremy Buchmann
(1) split the ssh packages into client and server parts
Uh I think I wouldn't like that. If SuSE starts doing that with all client/server stuff I will switch distro :-)
Actually I think that instead of splitting them, the easiest thing would be to set START_SSHD=no by default when the ssh package is installed and it could be set such that one gets a note like: "If you would like to enable the ssh server please change START_SSHD=yes in /etc/rc.config"
participants (5): Bob Vickers, Erwin Zierler - Stubainet, Gerhard Sittig, Jeremy Buchmann, semat