also sprach Bob Vickers (on Thu, 04 Jan 2001 12:36:27PM +0000):

(1) split the ssh packages into client and server parts

RedHat does this already. i agree, it makes sense. at least with SSH 1 -- if being used -- there are security problems... look at kurt's previous posts and his articles on securityportal.com. however, installing an SSH server on a machine and never using it doesn't bring security problems -- at least none are known now.

(2) have an ssh client installed as default

sure, but i think there are (or used to be) licensing problems with SSH and exporting them... maybe now this is history, i am not too well informed, but that is, i believe, the reason why distro's can't or could not ship/preinstall SSH with the linux systems...

It is absurd that someone who installs an ssh client should find themselves running an ssh server. I would like to see most desktops in the world running an ssh client, but only a tiny minority should be running ssh servers.

well, that depends on how you look at it, how you use networked computers, and how worried you are about security. i even have ssh running on my laptop since i actually leave that thing in my office at times just to SSH into it from somewhere else to check my mail. SSH 2 by now... we operate a cluster of 26 machines as well as two labs of 30-or-so computers and SSH is running as a server on each of these. makes administration very easy and we haven't found any security problems yet...

The current situation could lead to people who have installed ssh so that they can access remote servers securely finding their home computers have been compromised because they unknowingly run an ssh service.

i don't think SSH can be compromised as long as you don't use it. martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- "no problem is so formidable that you can't just walk away from it." -- c. schulz