Mailinglist Archive: opensuse-security (564 mails)

< Previous Next >
Re: [suse-security] suggestion for ssh packaging
  • From: Bob Vickers <bobv@xxxxxxxxxxxxxxx>
  • Date: Thu, 4 Jan 2001 17:28:38 +0000 (GMT)
  • Message-id: <Pine.OSF.4.30.0101041711180.1639-100000@xxxxxxxxxxxxxxxxxxxxx>
Erwin,

Any service is potentially insecure, and sshd is intrinsically insecure
because it is *designed* to let people login to a machine and start a
shell.

I don't think you are putting yourself in the place of a typical user. We
want Linux to be available to everybody, right? We want it to take over
from Windows as the operating system of choice for a home user, don't we?
I'm afraid we don't stand a chance if we demand that people be
'interested' in their system and wade through fat manuals.

A typical user wants to run applications, play games, surf the net, that
sort of thing. They are probably not used to the idea of setting a
password so will set it to be the same as their name. After all, they
trust everyone else in their family. It will never occur to them that by
connecting to the internet they enable anyone in the world to login to the
computer in their bedroom and start doing damage.

You are right that it is easy to look through rc.config and change things.
But most users would never think of doing it.

In contrast the sort of person who needs to run an ssh server will
probably be well-used to that kind of system admin and will be very happy
to edit rc.config .

Regards,
Bob

On Thu, 4 Jan 2001, Erwin Zierler - Stubainet wrote:

> Hi Bob...
>
> 1) I do not think ssh is such an insecure service to be worried about
> the fact that it's installed by default.
>
> 2) anyone who is a little bit interested in his/her system will/should
> at least once check the settings in /etc/rc.config. The various
> START_* variables are really quite easy to understand (even for a
> novice) so all you have to do is set the value to "no" for all services
> that you dont know/need. A little reading in your handbook will give
> you enough info to make the right decision. The real problem nowadays
> is that most people dont want to be bothered reading anything anymore :-)
>
> At 12:36 04.01.01 +0000, you wrote:
> >Hello,
> >
> >I have 2 suggestions that I believe will increase both security and
> >usability:
> >
> >(1) split the ssh packages into client and server parts
>
> Uh I think I wouldn't like that. If SuSE starts doing that with all
> client/server stuff I will switch distro :-)
>
> >(2) have an ssh client installed as default
> >
> >It is absurd that someone who installs an ssh client should find
> >themselves running an ssh server. I would like to see most desktops in the
> >world running an ssh client, but only a tiny minority should be running
> >ssh servers.
> >
> >The current situation could lead to people who have installed ssh so that
> >they can access remote servers securely finding their home computers have
> >been compromised because they unknowingly run an ssh service.
>
> Ssh is not _that_ easy to compromise (if I compare it to telnet for instance)
> so if we are talking security I'd rather have a few services disabled in
> /etc/inetd.conf
>
> >The second suggestion is just to make my life easier...part of my job is
> >to explain to people how to install ssh clients on their home machine, and
> >the less they have to do the better.
>
> rpm -ql ssh will tell you what files are installed, /etc/ssh* will be
> sufficient to configure the package for your needs and /etc/rc.config
> needs START_SSHD=no. Thats pretty much it as far as manual intervention
> goes and with that everyone can use ssh clients and no server is running.
>
> >Happy new year,
> >Bob
>
> Happy new year to you as well!
>
> Erwin
>
> Erwin Zierler | Web-/Hostmaster - Stubainet
> | Email: Erwin.Zierler@xxxxxxxxxxxx / webmaster@xxxxxxxxxxxx
> | Tel.: 05225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
>

==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691


< Previous Next >