On Fri, Nov 20, 2009 at 05:05:50PM +0100, Per Jessen wrote:
Lars Müller wrote:
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC)
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we had not seen such distributed brute force ssh attacks.
A system not running sshd by default must be primarily intended for an environment where no remote access is required, typically a single-user/-PC environment. I would have opted to close port 22 for external access instead.
And the benefit is? Per is able to use ssh -l root? It requires 1 click to enable ssh.
Per: I'm doing 1067 installs a week.
Lars: Use autoyast with an enabled ssh setup.
Per: I also need local X11 forwarding from root to the user I'm working with.
Lars: This even works with the simple and old su cmd.
There is no good reason why Joe Doe needs the service ssh enabled. And those needing it know how to turn it on. And as someone said: It is even documented in the release notes.
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
No, that's not what I was suggesting - it's just weird to compare features such as these:
1) turning off sshd by default is likely to annoy Peter Admin and be ignored by Joe User.
It is to establish a simple secure default setup. KISS, have you ever heard of it? Keep It Simple Stupid. No sshd running by default is one risk item less.
2) adding nice RAID or LVM improvements might please Peter, but will be ignored by Joe.
AFAICT, the change to disable sshd has not really achieved an awful lot, except annoy Peter Admin. If you ask me for a suggestion, I would say let's not p... off Peter Admin when trying to please Joe User.
That is your point of view. Ask networking people with a very open network policy. These guys are happy about every service not started.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany