Mailinglist Archive: opensuse (2525 mails)

Re: [opensuse] Re: 11.2 - what was the reasoning behind disabling sshd by default?
  • From: "Brian K. White" <brian@xxxxxxxxx>
  • Date: Mon, 23 Nov 2009 11:34:36 -0500
  • Message-id: <4B0AB99C.8070705@xxxxxxxxx>
Carlos E. R. wrote:
> On 11/21/2009 04:45 PM, Heinz Diehl wrote:
>> F*ck me, what a monsterthread on such a trivial issue :-)
>>
>> If the sshd isn't activated by default, one can easily configure it
>> afterwards and get it started automatically next time.
>>
>> What's the problem?
>
> If you installed remotely, you are very much out of luck.

The point being that installing remotely IS a thing people who admin servers do a lot. (Or, whether they actually do very much or not, they do need to be able to, and an OS that wants to serve them should default to making it most possible for them, and most likely to succeed.)

Yes, it's true that at least the smart ones try to make sure they have specifically set that setting during install so that when it reboots they are not screwed.

In my case I simply do not attempt to do remote installs without remote serial console or ip-kvm. This is because it's stupid to actually depend on actively doing something correctly every time. Since the default is for ssh to be disabled, it doesn't matter if I use autoyast .xml files or just always remember to manually flip that option. It doesn't matter if I've never even had an actual accident where I got locked out. It's still an unsound system and would be dumb to rely on it.

I would not like to be responsible for machines that are remote, have no remote serial console or ip-kvm, and run opensuse. Because with the installer defaulting ssh off, every install is a nail-biting experience, or rather, you just have to avoid reinstalls even more than usual since it's irresponsible to take the risk of the box going unavailable.
You normally avoid reinstalls anyways of course, but at the same time, part of providing good support is being ready and able to do a full fresh install any time if that's what's needed.

So, I'm still ok using opensuse for servers, but it's in part because I do not rely on always remembering that ssh setting during manual installs. The serial console is my safety net. Well, how nice for me that I was able to install console servers at all my sites, and I was able to ensure that every single server and appliance at every site even HAS a serial console for me to access. I would not say it's reasonable to just require this of everyone. Sometimes you are responsible for a lot of single machines where it's an unreasonable burden/overhead to install a remote console server just for one remote server.

For desktop users, this is not an issue. By that I mean, it's an issue such a small percentage of the time, and is outside the scope of the usual definition of desktop user, that it's ok to say "we don't support that in the desktop-targeted configuration".

For servers, it is an issue.

The minimal text-only install choice should be considered by definition to be a server-targeted configuration. Yes you could be installing text-only so that you could then add your own LXDE desktop or something, but it is unreasonable to assume that a possibility like that is the most likely and most common reason for choosing the minimal text-only install. Even if nowhere else, ssh should be enabled by default in that case. Also if the install was itself done by ssh (ssh=1 in the linuxrc boot parameters) regardless of what kind of installation was chosen. For that matter, choosing any of the "server" package group patterns should automatically toggle ssh on also, if the setting had not been manually touched yet.

--
bkw