[Bug 537980] New: Opening SSH port in firewall should start SSH
http://bugzilla.novell.com/show_bug.cgi?id=537980

Summary: Opening SSH port in firewall should start SSH
Classification: openSUSE
Product: openSUSE 11.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Installation
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: binner@kde.org
QAContact: jsrain@novell.com
Found By: ---

User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) SUSE

When opting to open the SSH port in the firewall during installation there should be a dialog asking whether one wants to have sshd started or at least a warning that it's not started by default anymore.

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=537980
User meissner@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c1
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c2
Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c3
--- Comment #3 from Katarina Machalkova
> can we do that in yast?

Yes. In either of these two ways:

* Make it user's choice, akin to opening/closing ssh port with clickable links, like this:

  Firewall will be enabled (disable)
  SSH port will be open (close)
  SSH service will be enabled (disable) <-- not sure what is the correct wording

  (we'd need to update documentation then, and Coolo should know as well, although only few lines of code, it is a "little" feature request)

* Do not ask user anything and assume that opening SSH port would mean also insserv-ing SSH service (easy and no docu update needed)
http://bugzilla.novell.com/show_bug.cgi?id=537980
User meissner@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c4
--- Comment #4 from Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=537980
User max@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c5
--- Comment #5 from Reinhard Max
http://bugzilla.novell.com/show_bug.cgi?id=537980
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c6
Ludwig Nussel
> If there is only one item "disabled and closed" vs. "enabled and open", there is no need to confuse people by mentioning the firewall at all.

I tend to agree. I'd suggest to implement a "remote access/login" proposal instead of a firewall proposal, at least in the install mode without interactive second stage. ie something like

* remote access is disabled

I'd not offer quick switch buttons. Instead clicking the line should always open a full configuration dialog.

> But I still fail to see a point in closing the port of a not running service,

The port isn't explicitly 'closed'. Instead the Firewall just drops all packets you don't explicitly allow.

> and of starting sshd, but not opening the port as well.

When configuring a router you'd have interfaces in the external and in the internal zone. ssh would automatically be accessible from the internal zones in that case. Opening the port here would mean allowing ssh access from the internet.
http://bugzilla.novell.com/show_bug.cgi?id=537980
User max@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c7
--- Comment #7 from Reinhard Max
> I'd suggest to implement a "remote access/login" proposal instead of a firewall proposal, at least in the install mode without interactive second stage. ie something like
> * remote access is disabled

I think similar wording is already being used for the VNC kind of remote access, so either SSH should be mentioned here or the link should lead to a single dialog that controls all kinds of remote access that we support.
http://bugzilla.novell.com/show_bug.cgi?id=537980
User binner@kde.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c8
Stephan Binner
http://bugzilla.novell.com/show_bug.cgi?id=537980
User pmladek@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c9
Petr Mladek
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c10
Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c11
Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
User max@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c12
Reinhard Max
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c13
--- Comment #13 from Katarina Machalkova
> There doesn't seem to be a way to enable ssh during installation without enabling the firewall as well. The ssh option disappears or gets greyed out (depending on context) when the firewall gets disabled. Is that intentional?

Hmm, it is consistent with 2nd stage fw proposal and yast2-firewall in general - if fw is disabled, it does not make sense for any services to open ports in it

> Maybe the wording of the ssh option could change from "open and enable" to just "enable" when the firewall gets deselected,

The wording here is based on _Marcus_'s proposal in comment #4, to "avoid bloat".
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c14
--- Comment #14 from Katarina Machalkova
> BTW, why is there a separate "Firewall and SSH Configuration" dialog if it doesn't contain options or choices that aren't already available via the direct links in the installation overview window?

If it is the dialog that opens after clicking on Firewall and SSH headline in the main proposal screen (or selecting corresponding menu entry), it is because of principle of least surprise. Some dialog should be open after clicking on any headline in installation proposal (see bug #203817, or bug #539289). Otherwise all proposals are just reloaded and nothing changes. I know it's crappy, and it would be better to e.g. make the link unclickable if there is nothing more to configure in extra dialog, but changing that requires rather intrusive modifications to how proposals and links are handled now.
http://bugzilla.novell.com/show_bug.cgi?id=537980
User kmachalkova@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c15
--- Comment #15 from Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
User max@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=537980#c16
--- Comment #16 from Reinhard Max
> Hmm, it is consistent with 2nd stage fw proposal and yast2-firewall in general - if fw is disabled, it does not make sense for any services to open ports in it

I am not asking for being able to open ports in a disabled firewall, but for being able to enable the sshd service regardless of the firewall setting.

>> Maybe the wording of the ssh option could change from "open and enable" to just "enable" when the firewall gets deselected,
> The wording here is based on _Marcus_'s proposal in comment #4, to "avoid bloat".

Yes, the wording is OK as long as the firewall is on. What I was trying to say is, that instead of greying out or removing the ssh option when the firewall is disabled, just remove the port part of the wording.

So, initially the options would read:

* Firewall is enabled (disable)
* SSH service is disabled and closed in firewall (enable and open)

And when the firewall gets disabled, they change to:

* Firewall is disabled (enable)
* SSH service is disabled (enable)

Does that make things clearer?
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c17
Dieter Jurzitza
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c
Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c
Katarina Machalkova
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c
Jiri Srain
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c18
Lukas Ocilka
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c19
Stephan Kulow
http://bugzilla.novell.com/show_bug.cgi?id=537980
http://bugzilla.novell.com/show_bug.cgi?id=537980#c20
--- Comment #20 from Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c21
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c22
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c23
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c24
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c25
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c26
--- Comment #26 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c27
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c28
--- Comment #28 from Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c29
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c31
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c33
--- Comment #33 from Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c34
--- Comment #34 from Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c35
Lukas Ocilka
From my POV, this is fixed :) (already in 11.4)
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c36
Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c37
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c38
Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c39
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c40
--- Comment #40 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c41
--- Comment #41 from Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c42
--- Comment #42 from Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c43
Lukas Ocilka
https://bugzilla.novell.com/show_bug.cgi?id=537980
https://bugzilla.novell.com/show_bug.cgi?id=537980#c44
--- Comment #44 from Bernhard Wiedemann