[opensuse] 11.2 - what was the reasoning behind disabling sshd by default?
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm. /Per -- Per Jessen, Zürich (8.1°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, Nov 20, 2009 at 10:28, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
Maybe to be secure by default and let the user open up what they want. However, not being an oS insider, I can't say for sure.
ne... -- Registered Linux User # 125653 (http://counter.li.org) Now accepting personal mail for GMail invites. Stephen Leacock - "I detest life-insurance agents: they always argue that I shall some day die, which is not so." - http://www.brainyquote.com/quotes/authors/s/stephen_leacock.html
On Fri, Nov 20, 2009 at 12:28 PM, Per Jessen <per@opensuse.org> wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
/Per
-- Per Jessen, Zürich (8.1°C)
Most likely because your average desktop user doesn't need it. And people who need it can easily enable it. Minimize surface attack area and all that. On a related note, is postfix still enabled by default in 11.2? I haven't done any clean installs yet, only upgrades. Sorin
Sorin Peste wrote:
On Fri, Nov 20, 2009 at 12:28 PM, Per Jessen <per@opensuse.org> wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
/Per
Most likely because your average desktop user doesn't need it. And people who need it can easily enable it. Minimize surface attack area and all that.
My opinion - not a very good reasoning.
On a related note, is postfix still enabled by default in 11.2?
Yes, it is. /Per -- Per Jessen, Zürich (8.6°C)
On 20/11/09 11:28, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
Yes, got caught with this yesterday, set up what would be a headless box, set it running removed the screen left the site, tried to connect via ssh. This is a bit like the no root login that some distros tried a few years ago, good idea in theory but really totally annoying, especially when it changes something that has always been available. DC
Per Jessen wrote:
why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
makes the default install more secure if ftpd, sshd and all others are not running...maybe? on the other hand, i'm happy they did since i always had to disable sshd.. so, the default install can't possibly make everyone happy...(like, i still have to install mc, atop and other stuff every time...WHY? because i like it my, and you like it your way..) DenverD
DenverD wrote:
Per Jessen wrote:
why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
makes the default install more secure if ftpd, sshd and all others are not running...maybe?
on the other hand, i'm happy they did since i always had to disable sshd..
I guess you're a one-PC kind of guy :-)
so, the default install can't possibly make everyone happy...
Yes, that's very true. What I'd like to know is still why sshd was disabled when security has not become more of an issue than it was in the previous umpteen releases since 7-something. /Per -- Per Jessen, Zürich (8.7°C)
On 11/20/2009 at 12:06, Per Jessen <per@opensuse.org> wrote: DenverD wrote:
Per Jessen wrote:
why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
makes the default install more secure if ftpd, sshd and all others are not running...maybe?
on the other hand, i'm happy they did since i always had to disable sshd..
I guess you're a one-PC kind of guy :-)
so, the default install can't possibly make everyone happy...
Yes, that's very true. What I'd like to know is still why sshd was disabled when security has not become more of an issue than it was in the previous umpteen releases since 7-something.
Interestingly enough, before the sshd daemon might have been started, but the firewall port 22 was not opened. From previous mails of yours I understand that you always switch off the firewall and as such might just not have realized it. But starting the sshd daemon with the port blocked is useless and the users requiring access either had to disable the FW or reconfigure it. Now, the user has to enable ssh if he needs it (which, IIRC, also opens the port 22 now). Per, you're a very active user. But do you consider yourself part of the largest group openSUSE is targeting? Not all settings are right for you, not all are right for me. Nevertheless, apparently my sister did not have any troubles with them (she would not even know what she can do with this s-s-h whatever thingy...). Additionally, people are always pushing to faster boot times. Disabling the not obvious needed services to achieve it is certainly not wrong. (Think about desktop computers, not servers; even there, you will probably get a higher ratio of desktop:server) Dominique
On Friday 20 November 2009 13:26:58 Dominique Leuenberger wrote:
But starting the sshd daemon with the port blocked is useless and the users requiring access either had to disable the FW or reconfigure it.
Well, it could be useful when using Virtual Machines on the same host :)
Dominique Leuenberger wrote: [big snip]
Not all settings are right for you, not all are right for me.
I completely accept that - I just dislike changes that gives me more work, in particular when they bring no noticeable improvement for the group of users they were intended for.
Nevertheless, apparently my sister did not have any troubles with them (she would not even know what she can do with this s-s-h whatever thingy...).
And had s-s-h-whatever been started like it has been in every release since 6.x, she would not have had any trouble either. Hence a change that has brought zero improvement for your sister, but a new annoyance for me.
Additionally, people are always pushing to faster boot times. Disabling the not obvious needed services to achieve it is certainly not wrong. (Think about desktop computers, not servers; even there, you will probably get a higher ratio of desktop:server)
Surely sshd isn't part of the critical path in getting the GUI login screen up and running. For me boot time is not a concern, but I do appreciate that it is for others. Given the steady trend towards multiple core CPUs, I would suggest increased parallelization instead of reduced functionality. /Per -- Per Jessen, Zürich (8.8°C)
On 11/20/2009 at 17:51, Per Jessen <per@opensuse.org> wrote: Nevertheless, apparently my sister did not have any troubles with them (she would not even know what she can do with this s-s-h whatever thingy...).
And had s-s-h-whatever been started like it has been in every release since 6.x, she would not have had any trouble either. Hence a change that has brought zero improvement for your sister, but a new annoyance for me.
That's where I beg to differ. Any service accessible from external across her cable modem gives surface to attackers... why should she risk this? She's certainly not the user updating the patches daily... and she's certainly not the one that is ever going to change the ssh config (you and me know that there is more possible than password auth... ). Having it switched off reduces such risks for her, while she does not have to take care of it. the system comes up faster (less services to start). The memory consumption can be mentioned, but is certainly not a critical point with sshd (it has a rather small footprint). so for her: no disadvantages, only advantages. For you: chkconfig sshd on (or any autoyast config you would like). but sure, this can go on forever... and ever... not every aspect of the distro is set the way I need it. Whenever I install it I have to uncheck 'use this password for system administration' (or however it's called)... so what? Let's give a normal user a machine that works, but let's keep all the options available for the not-so-regular users. Everything is there, one click away (or one command away, if you don't like the GUI). Dominique
Dominique Leuenberger wrote:
but sure, this can go on forever... and ever... not every aspect of the distro is set the way I need it.
Which is really the crux of this - as a community (I use this word because everyone else is, but I'm not sure which community it is) the idea that we decide what openSUSE is supposed to be - e.g. the default settings for a vanilla install. Wrt this sshd change, it appears that _someone_ made a decision, _apparently_ on behalf of the "community". I think this particular change is moving openSUSE away from a sensible default, I think the reasoning for it is wrong and full of holes, and that is my opinion as a community/project member.
Let's give a normal user a machine that works, but let's keep all the options available for the not-so-regular users.
_Exactly_ what I have been saying. /Per -- Per Jessen, Zürich (0.0°C)
Per Jessen wrote:
What I'd like to know is still why sshd was disabled when security has not become more of an issue than it was in the previous umpteen releases since 7-something.
now, THAT is a different question, and the only answer i could dream up (not that it is right or will satisfy, even if _true_) is that we do have a LOT more Redmond Ship Jumpers joining and until they have the time to think about security *after* they get their background set just right on their spinning cubes, and their WINE installed and etc etc etc, *someone* needs to do something to *try* to keep them from turning their machine over to the rooted-botnets they are running from.. but, do not get me wrong: i am not responding just to make an argument--because i understand your point.. what i have resorted to is to make a list of stuff i have to install, turn on, uninstall, turn off, the aliases/crons i have to make, etc etc etc...and, it is a *lot* longer list today than it was when i moved from 9.x to 10.x i'll not try to get them in the default install and the ONLY thing that makes me happy about that long list is to know: i can have it *my* way! so can you, DenverD
On Friday 20 Nov 2009 11:53:57 DenverD wrote:
Per Jessen wrote:
What I'd like to know is still why sshd was disabled when security has not become more of an issue than it was in the previous umpteen releases since 7-something.
now, THAT is a different question, and the only answer i could dream up (not that it is right or will satisfy, even if _true_) is that we do have a LOT more Redmond Ship Jumpers joining and until they have the time to think about security *after* they get their background set just right on their spinning cubes, and their WINE installed and etc etc etc, *someone* needs to do something to *try* to keep them from turning their machine over to the rooted-botnets they are running from..
Maybe we need another default install then as well the Redmond Ship Jumpers install (no software just all the gimmicks and flash bang stuff) Pete . -- Powered by openSUSE 11.2 Milestone 2 (x86_64) Kernel: 2.6.30-rc6-git3-4- default KDE: 4.2.86 (KDE 4.2.86 (KDE 4.3 >= 20090514)) "release 1" 12:01 up 12 days 21:27, 4 users, load average: 0.15, 0.08, 0.04
DenverD wrote:
what i have resorted to is to make a list of stuff i have to install, turn on, uninstall, turn off, the aliases/crons i have to make, etc etc etc...and, it is a *lot* longer list today than it was when i moved from 9.x to 10.x
Yeah, that is _exactly_ what I have noticed too. Which can only mean one of two things:
- openSUSE is moving away from my user profile, or
- my user profile is moving away from openSUSE
There's no doubt that my user profile has changed some over the last 4-5 years, but the "list of stuff" seems to be steadily growing. /Per -- Per Jessen, Zürich (10.0°C)
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open. For them sshd running is useless and just costs startup time and resources. Also, if normal users disable the firewall and have too easy passwords, they are affectable by these days SSH worms. Ciao, Marcus
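Added example, not part of the thread and not openSUSE code: the three situations Dominique and Marcus describe (sshd running behind a closed port 22, port 22 opened for ssh, firewall switched off) written as a small audit that classifies each listening TCP port. The listener table is constructed `ss -tln`-style text, the firewall line is an assumed input in the SuSEfirewall2 `FW_SERVICES_EXT_TCP` format, and the service-name map is a hypothetical stand-in for /etc/services.

```python
import ipaddress

# Constructed sample: sshd on all interfaces, postfix on loopback only.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
"""

# Constructed firewall settings: nothing open, then ssh opened.
FW_OLD_DEFAULT = 'FW_SERVICES_EXT_TCP=""'
FW_SSH_ENABLED = 'FW_SERVICES_EXT_TCP="ssh"'

# Hypothetical, minimal name-to-port map (assumption, not /etc/services).
SERVICE_NAMES = {"ssh": 22, "smtp": 25}

WILDCARDS = ("*", "0.0.0.0", "::")


def parse_listeners(text):
    """Return sorted unique (address, port) pairs from LISTEN rows."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop brackets and scope id
        if port.isdigit():
            found.add((addr, int(port)))
    return sorted(found)


def parse_open_ports(line):
    """Parse NAME="22 ssh 6000:6010" into a set of TCP port numbers."""
    _, _, value = line.partition("=")
    ports = set()
    for token in value.strip().strip("\"'").split():
        lo, sep, hi = token.partition(":")
        if token.isdigit():
            ports.add(int(token))
        elif sep and lo.isdigit() and hi.isdigit():
            ports.update(range(int(lo), int(hi) + 1))
        elif token in SERVICE_NAMES:
            ports.add(SERVICE_NAMES[token])
    return ports


def is_loopback(addr):
    """True only for addresses that cannot be reached from another host."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown form: count it as reachable


def classify(listeners, open_ports, firewall_enabled=True):
    """Map each listening port to 'local-only', 'filtered' or 'exposed'."""
    rank = {"local-only": 0, "filtered": 1, "exposed": 2}
    result = {}
    for addr, port in listeners:
        if is_loopback(addr):
            state = "local-only"   # bound to loopback, no remote surface
        elif firewall_enabled and port not in open_ports:
            state = "filtered"     # daemon runs, but nobody outside can reach it
        else:
            state = "exposed"      # reachable: patching and auth strength matter
        # A port bound on several addresses keeps its most reachable state.
        if rank[state] > rank.get(result.get(port), -1):
            result[port] = state
    return result


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_LISTENERS)
    cases = [
        ("firewall on, port 22 closed", FW_OLD_DEFAULT, True),
        ("firewall on, ssh opened", FW_SSH_ENABLED, True),
        ("firewall disabled", FW_OLD_DEFAULT, False),
    ]
    for label, fw_line, enabled in cases:
        print(label, classify(listeners, parse_open_ports(fw_line), enabled))
```
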
Marcus Meissner wrote:
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open.
For them sshd running is useless and just costs startup time and resources.
Reasoning yes, but not very good, IMHO. I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC) when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia? /Per -- Per Jessen, Zürich (9.0°C)
On Fri, Nov 20, 2009 at 12:17:46PM +0100, Per Jessen wrote:
Marcus Meissner wrote:
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open.
For them sshd running is useless and just costs startup time and resources.
Reasoning yes, but not very good, IMHO.
This is a very, very good reasoning. Marcus with his 95% was conservative.
And:
a) for those of us upgrading from older SUSE products _nothing_, NULL, zero changes. An upgrade doesn't touch the state of a service.
b) this change was documented and is easy to revert.
service sshd start
chkconfig -a sshd
Or simply use YaST. One time and you're done and are happy again.
While the majority of the SUSE users might be happy without to know about. :)
http://en.opensuse.org/Ssh (There is currently no text in this page)
@Per please make my day and document it. ;)
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC)
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we've not seen such distributed brute force ssh attacks.
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture? Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Friday 20 Nov 2009 11:50:49 Lars Müller wrote:
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
Lars
Well that actually is not a bad idea at all LVM just clutters things up on a desktop its a flaming pain to have the partitioner try to insist on using LVM even raid now is becoming less useful and in the home even for home servers sata drives are so darn huge now that raid is almost irrelevant people keep on about faster boot times so you go banging space and time wasters like LVM and raid in the standard install . Pete . -- Powered by openSUSE 11.2 Milestone 2 (x86_64) Kernel: 2.6.30-rc6-git3-4- default KDE: 4.2.86 (KDE 4.2.86 (KDE 4.3 >= 20090514)) "release 1" 12:06 up 12 days 21:32, 4 users, load average: 0.20, 0.12, 0.07
On Fri, 2009-11-20 at 12:11 +0000, Peter Nikolic wrote:
On Friday 20 Nov 2009 11:50:49 Lars Müller wrote:
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
Well that actually is not a bad idea at all LVM just clutters things up on a desktop its a flaming pain to have the partitioner try to insist on using LVM even raid now is becoming less useful and in the home even for home servers sata drives are so darn huge now that raid is almost irrelevant
RAID has nothing to do with size. Or the other way around, the more data you have the more important RAID becomes, because restoring takes longer. -- OpenGroupware developer: awilliam@whitemice.org <http://whitemiceconsulting.blogspot.com/> OpenGroupware & Cyrus IMAPd documentation @ <http://docs.opengroupware.org/Members/whitemice/wmogag/file_view>
On Fri November 20 2009 7:11:24 am Peter Nikolic wrote:
On Friday 20 Nov 2009 11:50:49 Lars Müller wrote:
<snip>
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
Well that actually is not a bad idea at all LVM just clutters things up on a desktop its a flaming pain to have the partitioner try to insist on using LVM even raid now is becoming less useful and in the home even for home servers sata drives are so darn huge now that raid is almost irrelevant
Actually, RAID is MORE important due to the large, cheap drives now available. Backups are nearly impossible using conventional means. So, simple copy to alternate drives, copy to internet backup services, etc, of multi TByte drive(s) is just not possible/practical. Thus, backups need to be to fault tolerant RAID arrays....if possible, on a second machine, but if not, then a 2nd RAID array on the same machine backing up a fault tolerant 1st RAID array. Backups are still very important for all the conventional reasons, but the larger the drives, the more likely backups will be difficult/impossible in a timely manner so fault tolerance buys time to allow the backup to complete successfully. I have (on all my machines), at least 2 RAID arrays, the primary array contains the OS and the 2nd contains the data. These arrays range from a few hundred Gig to multi Terabyte in size, Raid1 and Raid5. The data is backed up to a 2nd machine via a high speed LAN Gigabit connection with also 2 raid arrays, one for its OS and one for the network backups, also RAID 5/6. The use of multiple computers each using RAID gives me fault tolerance AND backup with the backup being controlled via a product called CrashPlan, but could be effected via rsync/cron scripts. Today, with multimedia files and other multi-gigabyte datasets, Terabyte sized drives are increasingly becoming the norm, even in home systems and with those large drives, data loss is inevitable without some form of fault tolerance such as that provided by RAID. I think it is very short-sighted to NOT include provisions for setting up support for RAID in oS or any distro of Linux for that matter. That RAID is used, or may be by Novell Enterprise products is not an argument for leaving it out of oS because increasingly, HOME users can benefit given the large, cheap drives and large datasets that are increasingly encountered by home users.
people keep on about faster boot times so you go banging space and time wasters like LVM and raid in the standard install .
The increase in boot time to start mdadm is negligible in my experience on my large system(s). Besides, if you're smart, you *never* shut your system down so you never have to reboot unless you are installing a new kernel or have a power failure and the UPS runs down.... I believe most computer hardware fails when power is reapplied, not during operation. That has been my experience at least. I have several machines that have NEVER been turned off except for hurricanes where I had to evacuate. One was on continuously for over 4.5 years until Hurricane Charlie forced me to evacuate and turn it off. Then we had one year where 3 hurricanes in the same year came across and we lost power. The 3rd time, one of the machines wouldn't come back up ... Years in the USAF as a RADAR repair technician convinced me of the above and personal experience hasn't changed my mind. I spend less time and money by leaving the equipment on, electricity is cheap compared to new hardware that fails and time and hardware repair/replacement costs considered, boot time is totally insignificant.
Pete . --
Richard
On 11/21/2009 9:34 AM, Richard Creighton wrote:
The use of multiple computers each using RAID gives me fault tolerance AND backup with the backup being controlled via a product called CrashPlan, but could be effected via rsync/cron scripts.
I never consider mere copies as backup. While I applaud your setup for its fault tolerance, a single backup copy is a scenario that has burned me in the past such that I never rely on it any more other than as a disaster cache. Too often the bone-headed deletion or disastrous program change is faithfully replicated across the synced mirrors before anyone can detect it. Like yours, my servers and critical workstations are all raid machines. My synced copies are on similar machines (using Unison) located in a different city. Unison is also used by several laptops that need working caches of some sub-trees (principally for software development). But my backup consists of multiple BRU backups each stepping back in time. The nice thing about BRU (or similar) is that you can stack multiple backup copies on the same size media as the running copy due to the compression. Yeah, BRU is oldschool. Hell, I'm oldschool! We used to use tapes. They sucked. We now do our BRU backups to inexpensive disk enclosures (usb/firewire) which can be taken off line and moved off site if desired.
On Sat November 21 2009 1:49:20 pm John Andersen wrote:
On 11/21/2009 9:34 AM, Richard Creighton wrote:
The use of multiple computers each using RAID gives me fault tolerance AND backup with the backup being controlled via a product called CrashPlan, but could be effected via rsync/cron scripts.
I never consider mere copies as backup.
While I applaud your setup for its fault tolerance, a single backup copy is a scenario that has burned me in the past such that I never rely on it any more other than as a disaster cache.
Too often the bone-headed deletion or disastrous program change is faithfully replicated across the synced mirrors before anyone can detect it.
Like yours, my servers and critical workstations are all raid machines.
My synced copies are on similar machines (using Unison) located in a different city. Unison is also used by several laptops that need working caches of some sub-trees (principally for software development). <snip>
One advantage I have found to CrashPlan is that it compresses, maintains copies of historical versions <n deep>, copies of erased versions as desired, and copies on multiple machines both locally and remotely which can be restored on demand. The paid version can back up real-time, the free version will back up once every day or upon demand. If your destination is a RAID array which is fault tolerant device, you have pretty good hardware tolerance. Another good feature is that CP periodically checks the stored image(s) to ensure they will reconstruct properly and will notify you if it finds any fault that would prevent it. So no surprises when it is needed down the road. It also notifies you if it is unable to complete a backup for any reason. All in all, the combination of RAID for fault tolerance of large media of my primary system AND my RAID tolerant backups has saved my keester on more than one occasion and fortunately, having more than one backup has so far proven unnecessary redundancy, but IMO, just as soon as I decide to eliminate that redundancy, I will find I needed it, so I don't. Disks are cheap enough now to invest in that as backup. For those that can't afford it, there are services like CrashPlan that offer thousands of Terabytes of network storage over the internet at reasonable annual rates. I agree with you about tapes. PITA, but better than nothing. -- Richard
Lars Müller wrote:
On Fri, Nov 20, 2009 at 12:17:46PM +0100, Per Jessen wrote:
Marcus Meissner wrote:
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open.
For them sshd running is useless and just costs startup time and resources.
Reasoning yes, but not very good, IMHO.
This is a very, very good reasoning. Marcus with his 95% was conservative.
And:
a) for those of us upgrading from older SUSE products _nothing_, NULL, zero changes. An upgrade doesn't touch the state of a service.
b) this change was documented and is easy to revert.
service sshd start
chkconfig -a sshd
Or simply use YaST. One time and you're done and are happy again.
While the majority of the SUSE users might be happy without to know about. :)
(There is currently no text in this page)
@Per please make my day and document it. ;)
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC)
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we've not seen such distributed brute force ssh attacks.
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
Lars
it was in the release notes ! -- Hans Krueger hanskrueger007@roadrunner.com registered Linux user 289023
Lars Müller wrote:
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC)
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we've not seen such distributed brute force ssh attacks.
A system not running sshd by default must be primarily intended for an environment where no remote access is required, typically a single-user/-PC environment. I would have opted to close port 22 for external access instead.
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
No, that's not what I was suggesting - it's just weird to compare features such as these: 1) turning off sshd by default is likely to annoy Peter Admin and be ignored by Joe User. 2) adding nice RAID or LVM improvements might please Peter, but will be ignored by Joe. AFAICT, the change to disable sshd has not really achieved an awful lot, except annoy Peter Admin. If you ask me for a suggestion, I would say let's not p... off Peter Admin when trying to please Joe User. /Per -- Per Jessen, Zürich (9.9°C)
On Fri, Nov 20, 2009 at 05:05:50PM +0100, Per Jessen wrote:
Lars Müller wrote:
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC)
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we've not seen such distributed brute force ssh attacks.
A system not running sshd by default must be primarily intended for an environment where no remote access is required, typically a single-user/-PC environment. I would have opted to close port 22 for external access instead.
And the benefit is? Per is able to use ssh -l root? It requires 1 click to enable ssh. Per: I'm doing 1067 installs a week. Lars: Use autoyast with an enabled ssh setup. Per: I also need local X11 forwarding from root to the user I'm working with. Lars: This even works with the simple and old su cmd. There is no good reason why Joe Doe needs the service ssh enabled. And those needing it know how to turn it on. And as someone said: It is even documented in the release notes.
when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end. Is openSUSE slowly developing a severe schizophrenia?
A lot of the features are developed for the SUSE Linux Enterprise products. Should we keep them out of openSUSE to paint a nicer picture?
No, that's not what I was suggesting - it's just weird to compare features such as these:
1) turning off sshd by default is likely to annoy Peter Admin and be ignored by Joe User.
It is to establish a simple secure default setup. KISS you ever heard? Keep It Simple Stupid. No sshd running by default is one risk item less.
2) adding nice RAID or LVM improvements might please Peter, but will be ignored by Joe.
AFAICT, the change to disable sshd has not really achieved an awful lot, except annoy Peter Admin. If you ask me for a suggestion, I would say let's not p... off Peter Admin when trying to please Joe User.
That is your point of view. Ask networking people with a very open network policy. These guys are happy about every service not started. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
It requires 1 click to enable ssh.
A few more than that - I have to scroll down too. Much more importantly, I have to _remember_ to do so.
Per: I'm doing 1067 installs a week. Lars: Use autoyast with an enabled ssh setup.
Lars, _if_ I was doing 1067 installs per week, I would not have an issue with this at all. It's exactly because I am _not_ doing 1067 installs per week that this becomes annoying. /Per -- Per Jessen, Zürich (8.3°C)
On Fri, Nov 20, 2009 at 06:03:39PM +0100, Per Jessen wrote:
Lars Müller wrote:
It requires 1 click to enable ssh.
A few more than that - I have to scroll down too. Much more importantly, I have to _remember_ to do so.
As someone else said: write it down. In particular if you need it only once or twice a year.
Per: I'm doing 1067 installs a week. Lars: Use autoyast with an enabled ssh setup.
Lars, _if_ I was doing 1067 installs per week, I would not have an issue with this at all. It's exactly because I am _not_ doing 1067 installs per week that this becomes annoying.
If you're not performing many manual installs I don't get your complaint. How many _new_ installs are you performing a year? Ten or 20? Please keep in mind: Once enabled (chkconfig, insserv, YaST) the service stays enabled. Even after the next system upgrade. This is a simple and secure design decision (KISS). And this change was well documented. BTW There is still no http://en.openSUSE.org/Ssh page. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
If you're not performing many manual installs I don't get your complaint.
Clearly. Let me spell it for you: because I only perform a few local/manual installs, I forget that I now also have to scroll down and enable ssh. A good/useful default setup is there exactly for people like me who can't remember every little change I need to make.
How many _new_ installs are you performing a year? Ten or 20?
Not counting pure test installations, less than 10.
This is a simple and secure design decision (KISS). And this change was well documented.
Doesn't change a thing. Where was it documented by the way? I don't remember there being much community discussion about it. /Per -- Per Jessen, Zürich (7.6°C)
On Fri, Nov 20, 2009 at 8:12 PM, Per Jessen <per@opensuse.org> wrote:
Lars Müller wrote:
If you're not performing many manual installs I don't get your complaint.
Clearly. Let me spell it for you: because I only perform a few local/manual installs, I forget that I now also have to scroll down and enable ssh. A good/useful default setup is there exactly for people like me who can't remember every little change I need to make.
How many _new_ installs are you performing a year? Ten or 20?
Not counting pure test installations, less than 10.
I'm sorry, I'm kinda losing track of your arguments here, are you claiming that a) as a user who needs ssh on a desktop installation and performs <10 installs each year, you feel that you are representative / part of a majority of openSUSE users and therefore the default should be geared towards your type of user, or that b) Joe User IS the majority but there are no solid arguments against having sshd enabled on his box, and therefore should be left on for the people that are in the minority? Sorin
Sorin Peste wrote:
On Fri, Nov 20, 2009 at 8:12 PM, Per Jessen <per@opensuse.org> wrote:
Lars Müller wrote:
If you're not performing many manual installs I don't get your complaint.
Clearly. Let me spell it for you: because I only perform a few local/manual installs, I forget that I now also have to scroll down and enable ssh. A good/useful default setup is there exactly for people like me who can't remember every little change I need to make.
How many _new_ installs are you performing a year? Ten or 20?
Not counting pure test installations, less than 10.
I'm sorry, I'm kinda losing track of your arguments here,
As Lars has just reminded us, I made exactly the same arguments more than 18 months ago. I could refer you to those, but:
are you claiming that a) as a user who needs ssh on a desktop installation and performs <10 installs each year, you feel that you are representative / part of a majority of openSUSE users and therefore the default should be geared towards your type of user,
No. (I really don't see that I have said/written anything that could be remotely construed in that way.)
or that b) Joe User IS the majority but there are no solid arguments against having sshd enabled on his box, and therefore should be left on.
That is what I am arguing, yes. It has been so far, why change it when it brings no benefits? Sorin, apologies for snipping the bit about minority users, but it was utterly irrelevant. -- Per Jessen, Zürich (7.1°C)
On Fri, Nov 20, 2009 at 9:13 PM, Per Jessen <per@opensuse.org> wrote:
are you claiming that a) as a user who needs ssh on a desktop installation and performs <10 installs each year, you feel that you are representative / part of a majority of openSUSE users and therefore the default should be geared towards your type of user,
No. (I really don't see that I have said/written anything that could be remotely construed in that way.)
the "openSUSE is moving away from my user profile" bit made me believe that.
or that b) Joe User IS the majority but there are no solid arguments against having sshd enabled on his box, and therefore should be left on.
That is what I am arguing, yes. It has been so far, why change it when it brings no benefits?
Sorin, apologies for snipping the bit about minority users, but it was utterly irrelevant.
It's not irrelevant, as you are advocating keeping it in to be used by a minority of users - who have to remember to open the port anyway, so why not enable it right then? Anyway, it's standard security doctrine to not run things by default that are not needed in a majority of cases, firewalls can be and are disabled sometimes by people, for example to test stuff when they forget to switch it back on (I've been guilty of this one myself). It's likely that the type of user who needs sshd WAS "the majority" back in the day, and enabling it made sense - but I strongly suspect that is no longer the case (Marcus estimates 95% Joe Users, disagree?). Maybe there IS other stuff that is enabled by default (not just installed, but actually running) but shouldn't be in this day and age. I'd bet money that if MS had shipped Win7 with Remote Desktop running by default (even firewalled) there'd be an uproar. Sorin
Sorin Peste wrote:
On Fri, Nov 20, 2009 at 9:13 PM, Per Jessen <per@opensuse.org> wrote:
are you claiming that a) as a user who needs ssh on a desktop installation and performs <10 installs each year, you feel that you are representative / part of a majority of openSUSE users and therefore the default should be geared towards your type of user,
No. (I really don't see that I have said/written anything that could be remotely construed in that way.)
the "openSUSE is moving away from my user profile" bit made me believe that.
Okay, that's a good point - yes, with needless changes such as the one we are discussing, I do detect a move _away_ from what I need. However, elsewhere I see a move _towards_ functionality that I need. Hence my suggestion that openSUSE might be suffering from a slowly growing schizophrenia. I am just a family member calling it by its name.
or that b) Joe User IS the majority but there are no solid arguments against having sshd enabled on his box, and therefore should be left on.
That is what I am arguing, yes. It has been so far, why change it when it brings no benefits?
Sorin, apologies for snipping the bit about minority users, but it was utterly irrelevant.
It's not irrelevant, as you are advocating keeping it in to be used by a minority of users
I am not advocating sshd for any minority users, other people are bringing that up. I am merely advocating no change when it brings no benefit, like I did 18 months ago. If it ain't broke ...
Anyway, it's standard security doctrine to not run things by default that are not needed in a majority of cases, firewalls can be and are disabled sometimes by people, for example to test stuff when they forget to switch it back on (I've been guilty of this one myself). It's likely that the type of user who needs sshd WAS "the majority" back in the day,
Actually, I don't think that anyone has argued that the _user_ needs sshd. I am arguing that _I_ as an admin need sshd - the _user_ couldn't care less, regardless of who his admin is. Which is why we should just leave it running. /Per -- Per Jessen, Zürich (8.1°C)
On Fri, Nov 20, 2009 at 10:12 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: Actually, I don't think that anyone has argued that the _user_ needs sshd. I am arguing that _I_ as an admin need sshd - the _user_ couldn't care less, regardless of who his admin is. Which is why we should just leave it running.
If 95% of the installed base are Joe Users, how many of these are home users who are their own "admin"? Remember we're not talking about power users here. For business / education environments, don't you think it's the admin's job to properly configure the workstations? If you've got enough machines that a task is time consuming, then automate it. openSUSE provides the tools to do that. The previous statement applies to any platform. I don't see any Windows domain admins claiming that Microsoft should enable Remote Desktop by default in Windows. Sorin
Sorin Peste wrote:
On Fri, Nov 20, 2009 at 10:12 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: Actually, I don't think that anyone has argued that the _user_ needs sshd. I am arguing that _I_ as an admin need sshd - the _user_ couldn't care less, regardless of who his admin is. Which is why we should just leave it running.
If 95% of the installed base are Joe Users, how many of these are home users who are their own "admin"?
A large percentage, no doubt.
Remember we're not talking about power users here.
Actually, I don't remember those being discarded from the target audience.
For business / education environments, don't you think it's the admin's job to properly configure the workstations?
Certainly, but why should we hinder him in doing that? Sorin, like others you appear to be arguing for _keeping_ the silly change, whilst you are neglecting to explain _why_ it was done. (I understand why you can't, coz' none of the arguments will hold water).
If you've got enough machines that a task is time consuming, then automate it. openSUSE provides the tools to do that. The previous statement applies to any platform. I don't see any Windows domain admins claiming that Microsoft should enable Remote Desktop by default in Windows.
Sorin, we are here because we are _not_ Windows, not because we want to _be_ Windows. Well, I am anyway, I obviously can't speak for anybody else. /Per -- Per Jessen, Zürich (7.0°C)
On Fri, Nov 20, 2009 at 11:27 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote:
Remember we're not talking about power users here.
Actually, I don't remember those being discarded from the target audience.
Because power users who might need sshd can easily make it happen on their own system. Whereas average users don't know any better.
For business / education environments, don't you think it's the admin's job to properly configure the workstations?
Certainly, but why should we hinder him in doing that? Sorin, like others you appear to be arguing for _keeping_ the silly change, whilst you are neglecting to explain _why_ it was done. (I understand why you can't, coz' none of the arguments will hold water).
the "standard security doctrine" part was my main argument, with a side of "you have to open the port anyway, so just enable it then", and some "if you've got many machines, automate it, just like you would do with any admin task" sprinkled on top. Again, the more sensible option to me seems to be the one geared towards the majority of users who don't know any better. I have no other arguments to make. Sorin
Sorin Peste wrote:
On Fri, Nov 20, 2009 at 11:27 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote:
Remember we're not talking about power users here.
Actually, I don't remember those being discarded from the target audience.
Because power users who might need sshd can easily make it happen on their own system. Whereas average users don't know any better.
Sorry, that is not an answer to my question. Let me turn it around: "Because non-power users who won't need sshd can easily ignore it on their own system."
For business / education environments, don't you think it's the admin's job to properly configure the workstations?
Certainly, but why should we hinder him in doing that? Sorin, like others you appear to be arguing for _keeping_ the silly change, whilst you are neglecting to explain _why_ it was done. (I understand why you can't, coz' none of the arguments will hold water).
the "standard security doctrine" part was my main argument, with a side of "you have to open the port anyway, so just enable it then", and some "if you've got many machines, automate it, just like you would do with any admin task" sprinkled on top.
Shall we take a poll on how many AutoYast users we have here, Sorin?
Again, the more sensible option to me seems to be the one geared towards the majority of users who don't know any better. I have no other arguments to make.
I know. -- Per Jessen, Zürich (7.7°C)
On Fri, Nov 20, 2009 at 11:59 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: "Because non-power users who won't need sshd can easily ignore it on their own system."
... until one day they turn off their firewall, because they read on some forum that's a likely cause for their programs not connecting. At which point they're not even aware they have some potentially vulnerable network services running. Or do they deserve whatever they get for disabling the firewall?
Shall we take a poll on how many AutoYast users we have here, Sorin?
I'll take a poll on sysadmins with 10+ workstations who DON'T automate in some way, at least workstation (re)install and config, backup, and patch distribution. I promise not to send the results to their bosses ;) Sorin
On Friday 20 November 2009 02:22:15 pm Sorin Peste wrote:
On Fri, Nov 20, 2009 at 11:59 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: "Because non-power users who won't need sshd can easily ignore it on their own system."
... until one day they turn off their firewall, because they read on some forum that's a likely cause for their programs not connecting. At which point they're not even aware they have some potentially vulnerable network services running. Or do they deserve whatever they get for disabling the firewall?
Really? You choose the _least exploitable_ service to raise that red herring? I never asked for postfix on this laptop, yet there it is listening on port 25 on ALL interfaces? What happens when I take down the firewall? Why is it listening on ALL interfaces when its only (stated) reason for being here is to service cron jobs? -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
On Sat, Nov 21, 2009 at 12:43 AM, John Andersen <jsamyth@gmail.com> wrote:
... until one day they turn off their firewall, because they read on some forum that's a likely cause for their programs not connecting. At which point they're not even aware they have some potentially vulnerable network services running. Or do they deserve whatever they get for disabling the firewall?
Really? You choose the _least exploitable_ service to raise that red herring?
1st, "least exploitable" is and will always be worse than "not f**king there to exploit at all". Also, it would be nice if Joe User kept his system up to date, but that's not always the case. It all boils down to the attack surface argument in the end. I think whether or not to replace Samba with SFTP/Fish is a different discussion altogether. 2nd, not a red herring, unless you believe that a) Joe User is anything but clueless, or b) clueless Joe User has no business using openSUSE on his home computer.
I never asked for postfix on this laptop, yet there it is listening on port 25 on ALL interfaces? What happens when I take down the firewall? Why is it listening on ALL interfaces when its only (stated) reason for being here is to service cron jobs?
I agree, I had my own OMGWTF moment when I discovered that on 10.x (can't really remember which one). This is why I was asking about it in the third post of this thread. Sorin
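An added example, not part of any message in this thread: the firewall-off scenario and the "postfix listening on ALL interfaces" observation above come down to which listening sockets are bound beyond loopback. The sketch assumes the column layout printed by `ss -H -ltn` (iproute2); the sample lines and all function names are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample in the layout of `ss -H -ltn`; not captured from any
# system mentioned in the thread.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 192.168.1.10:5901 0.0.0.0:*
"""

# Bind addresses that mean "every interface".
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}


def split_local(field):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope such as "%lo", then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)


def bind_scope(host):
    """Classify a bind address as loopback, one address, or all interfaces."""
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Unparseable address: report it rather than silently trusting it.
        return "unknown"
    return "loopback" if addr.is_loopback else "specific-address"


def parse_listeners(text):
    """Return (port, host, scope) for every LISTEN line in the ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line, blank line, or non-listening socket
        try:
            host, port = split_local(fields[3])
        except ValueError:
            continue  # port column was not numeric
        listeners.append((port, host, bind_scope(host)))
    return listeners


def exposed_without_firewall(text):
    """Map port -> bind scopes for listeners reachable from off-host
    once the packet filter is switched off (everything except loopback)."""
    exposed = {}
    for port, _host, scope in parse_listeners(text):
        if scope != "loopback":
            exposed.setdefault(port, set()).add(scope)
    return exposed


if __name__ == "__main__":
    # Pipe live data in (ss -H -ltn | python3 this_file.py) or run bare
    # to see the constructed sample.
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for port, scopes in sorted(exposed_without_firewall(data).items()):
        print(f"tcp/{port}: {', '.join(sorted(scopes))}")
```

On the constructed sample, ports 22, 25, 80 and 5901 are reported, while the loopback-only listeners on 631 and 53 are not.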
On 11/21/2009 12:06 AM, Sorin Peste wrote:
I never asked for postfix on this laptop, yet there it is listening on port 25 on ALL interfaces? What happens when I take down the firewall? Why is it listening on ALL interfaces when its only (stated) reason for being here is to service cron jobs?
I agree, I had my own OMGWTF moment when I discovered that on 10.x (can't really remember which one). This is why I was asking about it in the third post of this thread.
I don't see why. Previous to postfix by default, it was sendmail by default. As far as I remember⁽¹⁾, there has been a mail service daemon in SuSE linux since ever, not only since 10.x. It is a standard requirement of a linux system (and it doesn't mean that it will accept mail from outside by default). Someone might design some other method of doing things, but meanwhile, postfix will stay :-P -+-+-- (1) That will be SuSE 5.2. -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
On Friday 20 Nov 2009 22:22:15 Sorin Peste wrote:
On Fri, Nov 20, 2009 at 11:59 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: "Because non-power users who won't need sshd can easily ignore it on their own system."
... until one day they turn off their firewall, because they read on some forum that's a likely cause for their programs not connecting. At which point they're not even aware they have some potentially vulnerable network services running. Or do they deserve whatever they get for disabling the firewall?
Shall we take a poll on how many AutoYast users we have here, Sorin?
I'll take a poll on sysadmins with 10+ workstations who DON'T automate in some way, at least workstation (re)install and config, backup, and patch distribution. I promise not to send the results to their bosses ;)
Sorin
It has to be said this is an excellent job of spreading FUD and scaremongering. Who's paying you, M$ Corp or maybe even Apple? Never know, they are both suffering. Pete. -- Powered by openSUSE 11.2 Milestone 2 (x86_64) Kernel: 2.6.30-rc6-git3-4-default KDE: 4.2.86 (KDE 4.2.86 (KDE 4.3 >= 20090514)) "release 1" 23:23 up 13 days 8:49, 3 users, load average: 1.32, 1.28, 1.04
Per Jessen wrote:
I obviously can't speak for anybody else.
yet you wish to set the default for everyone else.. dd
On Fri, 2009-11-20 at 22:51 +0200, Sorin Peste wrote:
On Fri, Nov 20, 2009 at 10:12 PM, Per Jessen <per@opensuse.org> wrote:
Sorin Peste wrote: Actually, I don't think that anyone has argued that the _user_ needs sshd. I am arguing that _I_ as an admin need sshd - the _user_ couldn't care less, regardless of who his admin is. Which is why we should just leave it running.
If 95% of the installed base are Joe Users, how many of these are home users who are their own "admin"? Remember we're not talking about power users here. For business / education environments, don't you think it's the admin's job to properly configure the workstations?
+1
If you've got enough machines that a task is time consuming, then automate it. openSUSE provides the tools to do that.
+1 Sys-admins aren't the ones who need defaults, they know to check.
The previous statement applies to any platform. I don't see any Windows domain admins claiming that Microsoft should enable Remote Desktop by default in Windows.
Solid point.
On Fri, Nov 20, 2009 at 07:12:50PM +0100, Per Jessen wrote:
Lars Müller wrote: [ 8< ]
This is a simple and secure design decision (KISS). And this change was well documented.
Doesn't change a thing. Where was it documented by the way? I don't remember there being much community discussion about it.
http://download.openSUSE.org/pub/opensuse/distribution/11.2/repo/oss/docu/RE... http://lists.opensuse.org/opensuse-factory/2008-03/msg00495.html Funny to see who commented on the initial suggestion made by the security team and which suggestions people made. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
On Fri, Nov 20, 2009 at 07:12:50PM +0100, Per Jessen wrote:
Lars Müller wrote: [ 8< ]
This is a simple and secure design decision (KISS). And this change was well documented.
Doesn't change a thing. Where was it documented by the way? I don't remember there being much community discussion about it.
http://download.openSUSE.org/pub/opensuse/distribution/11.2/repo/oss/docu/RE...
http://lists.opensuse.org/opensuse-factory/2008-03/msg00495.html
Ah yes, I do vaguely remember that - even if it was more than 18 months ago.
Funny to see who commented on the initial suggestion made by the security team and which suggestions people made.
Funny? Here are some of the things I said back then - "... but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out." "Having thought a little more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server-install." I also asked: "What exactly is "better" about not starting sshd by default? " No useful answer. I even pointed out that "Nobody has described any _actual_ improvements. Running sshd behind the default firewall does not make the system any less secure, and it does not waste any memory when it isn't used." Nothing funny about me repeating myself, IMHO. /Per -- Per Jessen, Zürich (7.1°C)
On Friday 20 Nov 2009 19:06:09 Per Jessen wrote:
Lars Müller wrote:
On Fri, Nov 20, 2009 at 07:12:50PM +0100, Per Jessen wrote:
Lars Müller wrote:
[ 8< ]
This is a simple and secure design decision (KISS). And this change was well documented.
Doesn't change a thing. Where was it documented by the way? I don't remember there being much community discussion about it.
http://download.openSUSE.org/pub/opensuse/distribution/11.2/repo/oss/docu/RELEASE-NOTES.en.html
http://lists.opensuse.org/opensuse-factory/2008-03/msg00495.html
Ah yes, I do vaguely remember that - even if it was more than 18 months ago.
Funny to see who commented on the initial suggestion made by the security team and which suggestions people made.
Funny? Here are some of the things I said back then -
"... but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out."
"Having thought a little more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server-install."
I also asked:
"What exactly is "better" about not starting sshd by default? " No useful answer.
I even pointed out that "Nobody has described any _actual_ improvements. Running sshd behind the default firewall does not make the system any less secure, and it does not waste any memory when it isn't used."
Nothing funny about me repeating myself, IMHO.
/Per
Thing is, this is supposed to be Open. Open to ideas, suggestions, assistance, improvements. But the only way it is open now is open to the ruling mafia, with no care or attention to the users at all. Very rapidly becoming the M$ Corp of the Linux world. This is how it is, like it or lump it.
Pete. -- Powered by openSUSE 11.2 Milestone 2 (x86_64) Kernel: 2.6.30-rc6-git3-4-default KDE: 4.2.86 (KDE 4.2.86 (KDE 4.3 >= 20090514)) "release 1" 19:19 up 13 days 4:45, 4 users, load average: 0.78, 0.61, 0.46
Peter Nikolic wrote:
On Friday 20 Nov 2009 19:06:09 Per Jessen wrote:
Lars Müller wrote:
On Fri, Nov 20, 2009 at 07:12:50PM +0100, Per Jessen wrote:
Lars Müller wrote: [ 8< ]
This is a simple and secure design decision (KISS). And this change was well documented. Doesn't change a thing. Where was it documented by the way? I don't remember there being much community discussion about it. http://download.openSUSE.org/pub/opensuse/distribution/11.2/repo/oss/docu/RELEASE-NOTES.en.html
http://lists.opensuse.org/opensuse-factory/2008-03/msg00495.html Ah yes, I do vaguely remember that - even if it was more than 18 months ago.
Funny to see who commented on the initial suggestion made by the security team and which suggestions people made. Funny? Here are some of the things I said back then -
"... but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out."
"Having thought a little more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server-install."
I also asked:
"What exactly is "better" about not starting sshd by default? " No useful answer.
I even pointed out that "Nobody has described any _actual_ improvements. Running sshd behind the default firewall does not make the system any less secure, and it does not waste any memory when it isn't used."
Nothing funny about me repeating myself, IMHO.
/Per
Thing is, this is supposed to be Open. Open to ideas, suggestions, assistance, improvements. But the only way it is open now is open to the ruling mafia, with no care or attention to the users at all. Very rapidly becoming the M$ Corp of the Linux world. This is how it is, like it or lump it.
Pete.
Not running a service is always more secure than running one. Not running a service is always more efficient than running one. These are immutable inarguable facts of laws of physics. Any argument based only on degree is false. If you are going for optimization and a default state that is as clean and minimal as possible (I know, *LAUGH* but humor me :) , let's say they are) then saying this or that service's unnecessary negative impact is "only minimal" is an invalid argument. The simple rule is that if you are actually going to use it, you run it, and everything else, you don't run. The fact that ssh is really common or is typically enabled on every linux server or that all linux boxes are descended from an OS that was originally designed to be a server so we're just plain used to seeing it always there, doesn't really have any bearing on whether it should be enabled by default on a desktop system. You could say that about every kind of service that was ever written, and if you started 50 unused lightweight services it would have a noticeable effect, and even if it's a small one, it's a pointless one so it's correct to remove it. To decide something should be installed and running by default, you have to instead have some certain reason it's needed in the course of doing the job the default state is designed to do. Actually that one last argument about "we're all just used to expecting it to be there always" is somewhat valid. The principle of least surprise is a valid one. I have an ubuntu desk at work. It had sshd enabled out of the box and I never ssh in to it. I could, even remotely, by first getting in to one of the internet-facing boxes, and hunting down the ip from the dhcp server. I just never apparently had a need to in 3 or 4 years that desk has been there. It's a desk. I don't keep much of importance there that I need remote access to and it performs no network service that I might have to go in and admin. 
Similarly I have linux partitions on every laptop and netbook I've ever owned and I've almost never had a reason to ssh in to any of them. That's probably 20 or more installs just in the last few years. _if_ opensuse is focusing on desktops and no longer attempting to be a first choice for server OS, then it's a good default for both security and performance reasons. Regardless how minimal the impact in either or both areas. For any OS that even casually wants to claim to be a server platform, it makes no sense to default without sshd enabled. Because of the principle of least surprise if nothing else. -- bkw
Brian K. White wrote:
The fact that ssh is really common or is typically enabled on every linux server or that all linux boxes are descended from an OS that was originally designed to be a server so we're just plain used to seeing it always there, doesn't really have any bearing on whether it should be enabled by default on a desktop system. You could say that about every kind of service that was ever written, and if you started 50 unused lightweight services it would have a noticeable effect, and even if it's a small one, it's a pointless one so it's correct to remove it. To decide something should be installed and running by default, you have to instead have some certain reason it's needed in the course of doing the job the default state is designed to do. Actually that one last argument about "we're all just used to expecting it to be there always" is somewhat valid. The principle of least surprise is a valid one.
+1.
_if_ opensuse is focusing on desktops and no longer attempting to be a first choice for server OS, then it's a good default for both security and performance reasons. Regardless how minimal the impact in either or both areas.
Yes, _if_ openSUSE is changing tack and will be completely focusing on being a desktop system, I agree.
For any OS that even casually wants to claim to be a server platform, it makes no sense to default without sshd enabled. Because of the principle of least surprise if nothing else.
Thanks for agreeing with me. /Per -- Per Jessen, Zürich (7.7°C)
Per Jessen wrote:
_if_ opensuse is focusing on desktops and no longer attempting to be a first choice for server OS, then it's a good default for both security and performance reasons. Regardless how minimal the impact in either or both areas.
Yes, _if_ openSUSE is changing tack and will be completely focusing on being a desktop system, I agree.
For any OS that even casually wants to claim to be a server platform, it makes no sense to default without sshd enabled. Because of the principle of least surprise if nothing else.
Thanks for agreeing with me.
These are the first observations on the direction openSuSE seems to be taking that echoes a concern of mine. Although it vigorously denied there is increasing emphasis on the home user desktop and a benign neglect of other areas elsewhere, the end product seems to undermine that denial. I am personally not really interested in much of the multi-media and desktop 'bells and whistles', but more in having a developmental and research environment (with a bit of personal admin stuff). The tendency to force the user away from the 'gubbins' which makes things work in newer desktops is often more a hindrance than a help in this context. (Having to work out which process you need to temporarily kneecap to get the results one wants is a PITA). I can see the both sides of the ssh/sshd argument. I think what we really need is probably a restore to the concept of a professional configuration for the technically literate and a basic user configuration for the M$ refugees and not so literate. Installing 11.1 from scratch when one you knew what you wanted was possible but unnecessarily time consuming (at this moment 11.2 looks like something I will skip). There are at least two different basic user groupings involved and they have different base line requirements.
/Per
-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
On Sat, Nov 21, 2009 at 12:11:25PM +0000, G T Smith wrote: [ 8< ]
These are the first observations on the direction openSuSE seems to be taking that echoes a concern of mine. Although it vigorously denied there is increasing emphasis on the home user desktop and a benign neglect of other areas elsewhere, the end product seems to undermine that denial.
The change not to enable the openssh daemon with any new install doesn't say anything about the directions of the openSUSE project. It is a simple security design approach. As said many times before: the intention is to keep it simple stupid. And such design approaches are a moving target. They got modified over the years. No more telnet, no more plain passwords with the majority of services. For those of us using Linux for a long time this doesn't cause much of extra work. We're able to enable the service via YaST or might even use chkconfig -a ssh on the command line. From the networking setup summary it is one click at installation time. And please keep in mind: If you upgrade from openSUSE 11.1 to 11.2 the state of the service (enabled/disabled) is not changed. Therefore to me all this noise about ssh is much about nothing compared to the real issues, bugs and missing features we have. And while all had been able to complain and to offend none had been able to write something at http://en.opensuse.org/Ssh
I am personally not really interested in much of the multi-media and desktop 'bells and whistles', but more in having a developmental and research environment (with a bit of personal admin stuff). The tendency to force the user away from the 'gubbins' which makes things work in newer desktops is often more a hindrance than a help in this context. (Having to work out which process you need to temporarily kneecap to get the results one wants is a PITA).
Nobody is forced to anything. But as openSUSE, Fedora and Debian are Open Source projects they move on. This move includes the adoption of new concepts. The majority of the new stuff makes it much, much easier for new users. For example HAL/ConsoleKit/PolicyKit automatically grants permission to the user by adding appropriate ACL entries to a bunch of files (like /dev/snd/* and other device files) for local logins via console, gdm, kdm. But this is a conceptional change compared to how this had been done in the past. For the sound stuff we had been used to be in the audio group. New concepts aren't introduced cause they're new or provide companies a reason to sell a new product. These new approaches are used cause they're more flexible and allow a better, finer grained control what's allowed to which user or group for example.
I can see the both sides of the ssh/sshd argument. I think what we really need is probably a restore to the concept of a professional configuration for the technically literate and a basic user configuration for the M$ refugees and not so literate. Installing 11.1 from scratch when one you knew what you wanted was possible but unnecessarily time consuming
Which part of the installation in 11.1 or 11.2 consumed more time than it was the case with 11.0? It was the intention to make the YaST installation workflow easier and less time consuming by providing as much as possible reasonable defaults while allowing the user to still modify configuration details on request.
(at this moment 11.2 looks like something I will skip). There are at least two different basic user groupings involved and they have different base line requirements.
There is no good reason to skip openSUSE 11.2. In particular all the noise about how the ssh service for a _new_ install is handled isn't a reason not to use openSUSE 11.2. I'm running it on five systems now and am very happy with all the features we've recently read about at this list. On the other hand openSUSE 11.1 is still fed with security fixes and the openSUSE Build Service provides a huge amount of prebuild packages in addition. It's your decision which route to follow. As it was discussed and decided by the openSUSE community to disable the ssh service by default with a fresh install of openSUSE as quoted in an earlier mail. Additional action to get the ssh daemon started with openSUSE 11.2 is only required if you perform a fresh install. And this action is required _one_ time. One time spending ten seconds to enable this additional network service (while install or later from inside the system). Nothing compared to the time spent on this thread. ;) But I'm sure we'll see additional 50 replies on this topic. :) Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Saturday 21 November 2009 09:05:31 Lars Müller wrote: ...
And while all had been able to complain and to offend none had been able to write something at http://en.opensuse.org/Ssh
As usually, hours wasted without actually doing anything, and from SSH topic deflecting in usability of Linux and openSUSE in general, and nobody tried to move to offtopic list :) Let me measure time to setup a page. ...
Additional action to get the ssh daemon started with openSUSE 11.2 is only required if you perform a fresh install. And this action is required _one_ time. One time spending ten seconds to enable this additional network service (while install or later from inside the system). Nothing compared to the time spent on this thread. ;)
+1
But I'm sure we'll see additional 50 replies on this topic. :)
Added one, 49 to go :)
Lars
-- Regards, Rajko openSUSE Wiki Team: http://en.opensuse.org/Wiki_Team People of openSUSE: http://en.opensuse.org/People_of_openSUSE/About
On 11/21/2009 04:05 PM, Lars Müller wrote:
On Sat, Nov 21, 2009 at 12:11:25PM +0000, G T Smith wrote:
It's your decision which route to follow. As it was discussed and decided by the openSUSE community to disable the ssh service by default with a fresh install of openSUSE as quoted in an earlier mail.
Decided by the community? Was there a vote? I don't remember. I remember being decided to disable it, but not by us.
Additional action to get the ssh daemon started with openSUSE 11.2 is only required if you perform a fresh install. And this action is required _one_ time. One time spending ten seconds to enable this additional network service (while install or later from inside the system). Nothing compared to the time spent on this thread. ;)
But I'm sure we'll see additional 50 replies on this topic. :)
Well, although I knew about this, I missed the place during installation to enable sshd. Anyway, I still think that instead of having a default for everybody, you should have two or three predefined defaults, and ask the user to choose one at the installation start. -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
Anyway, I still think that instead of having a default for everybody, you should have two or three predefined defaults, and ask the user to choose one at the installation start.
Can't anyone create an installation profile with AutoYAST? And have machines automatically installed with any option(s) you want. Or there is KIWI <http://en.opensuse.org/Build_Service/KIWI>
Lars Müller wrote:
On Sat, Nov 21, 2009 at 12:11:25PM +0000, G T Smith wrote: [ 8< ]
These are the first observations on the direction openSuSE seems to be taking that echoes a concern of mine. Although it vigorously denied there is increasing emphasis on the home user desktop and a benign neglect of other areas elsewhere, the end product seems to undermine that denial.
The change not to enable the openssh daemon with any new install doesn't say anything about the directions of the openSUSE project.
Well, I think we are a few community and project members that disagree with that, Lars.
For those of us using Linux for a long time this doesn't cause much of extra work. We're able to enable the service via YaST or might even use chkconfig -a ssh on the command line. From the networking setup summary it is one click at installation time.
Many of us who have been using Linux for a long time can put together a system from scratch with one hand tied on our backs - doesn't mean we want to.
And while all had been able to complain and to offend none had been able to write something at http://en.opensuse.org/Ssh
http://de.opensuse.org/SSH-Server (funny, it seems to need one or two updates).
Nobody is forced to anything. But as openSUSE, Fedora and Debian are Open Source projects they move on. This move includes the adoption of new concepts. The majority of the new stuff makes it much, much easier for new users.
Except this change, which does absolutely nothing for a new user, as we have found out.
It's your decision which route to follow. As it was discussed and decided by the openSUSE community to disable the ssh service by default with a fresh install of openSUSE as quoted in an earlier mail.
Who decided it and how was it decided, Lars? I am a community member, and as you know I protested this change quite vocally more than 18 months ago. I don't remember many others advocating the change - I could certainly be wrong, but I really do not remember more than one or two responding positively to Marcus' proposal. /Per -- Per Jessen, Zürich (0.0°C)
On Mon, 2009-11-23 at 17:58 +0100, Per Jessen wrote:
Lars Müller wrote:
On Sat, Nov 21, 2009 at 12:11:25PM +0000, G T Smith wrote: [ 8< ]
These are the first observations on the direction openSuSE seems to be taking that echoes a concern of mine. Although it vigorously denied there is increasing emphasis on the home user desktop and a benign neglect of other areas elsewhere, the end product seems to undermine that denial. The change not to enable the openssh daemon with any new install doesn't say anything about the directions of the openSUSE project. Well, I think we are a few community and project members that disagree with that, Lars.
I agree with Lars. This is a trivial, and rather obvious, change. It doesn't indicate any kind of grand conspiracy.
For those of us using Linux for a long time this doesn't cause much of extra work. We're able to enable the service via YaST or might even use chkconfig -a ssh on the command line. From the networking setup summary it is one click at installation time. Many of us who have been using Linux for a long time can put together a system from scratch with one hand tied on our backs - doesn't mean we want to.
So. Equating enabling a service with assembling a distro? That's absurd. "sudo /sbin/chkconfig sshd on"
And while all had been able to complain and to offend none had been able to write something at http://en.opensuse.org/Ssh http://de.opensuse.org/SSH-Server (funny, it seems to need one or two updates).
So... update it!
These are the first observations on the direction openSuSE seems to be taking that echoes a concern of mine. Although it vigorously denied there is increasing emphasis on the home user desktop and a benign neglect of other areas elsewhere,
I'm an IT professional, just upgraded to openSUSE 11.2, and I do not feel neglected at all. 11.2 is a solid update over 11.1
I am personally not really interested in much of the multi-media and desktop 'bells and whistles', but more in having a developmental and research environment (with a bit of personal admin stuff). The tendency to force the user away from the 'gubbins' which makes things work in newer desktops is often more a hindrance than a help in this context.
If you enjoy floundering about in the nitty gritty of how things work then maybe Gentoo is more your speed.
I can see the both sides of the ssh/sshd argument. I think what we really need is probably a restore to the concept of a professional configuration for the technically literate and a basic user configuration for the M$ refugees and not so literate. Installing 11.1 from scratch when one you knew what you wanted was possible but unnecessarily time consuming (at this moment 11.2 looks like something I will skip).
11.2 went in like warm butter and everything just worked the way one would expect things on a desktop to work. Sweet!
On Friday 20 November 2009 12:13:16 pm Brian K. White wrote:
I have an ubuntu desk at work. It had sshd enabled out of the box and I never ssh in to it. I could, even remotely,
No ubuntu doesn't have it enabled out of the box. It doesn't even install it out of the box. I can safely say I have NEVER had a linux machine which I did not have SSH running on. SSH is used for a lot more than just logging in remotely. It is used by the fish protocol, the sftp protocol for starters, and these are integrated right into Kong and Dolphin, and work amazingly well. Yee on one computer may not think you need this. You install Samba and smbfs/CIFS and then worry about the security risks of ssh. Unbelievable!!! -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
On Fri, Nov 20, 2009 at 10:49 PM, John Andersen <jsamyth@gmail.com> wrote:
On Friday 20 November 2009 12:13:16 pm Brian K. White wrote: I can safely say I have NEVER had a linux machine which I did not have SSH running on.
That's because you are part of the 5% of users who even know what SSH is and what it does.
SSH is used for a lot more than just logging in remotely. It is used by the fish protocol, the sftp protocol for starters, and these are integrated right into Kong and Dolphin, and work amazingly well.
Which is why openssh is installed. But do you need the ssh daemon running for that? Sorin
On Friday 20 November 2009 12:56:41 pm Sorin Peste wrote:
On Fri, Nov 20, 2009 at 10:49 PM, John Andersen <jsamyth@gmail.com> wrote:
On Friday 20 November 2009 12:13:16 pm Brian K. White wrote: I can safely say I have NEVER had a linux machine which I did not have SSH running on.
That's because you are part of the 5% of users who even know what SSH is and what it does.
SSH is used for a lot more than just logging in remotely. It is used by the fish protocol, the sftp protocol for starters, and these are integrated right into Kong and Dolphin, and work amazingly well.
Which is why openssh is installed. But do you need the ssh daemon running for that?
You certainly do on the target! The target is just as likely to be the computer at home or in the Den in the next room, or your wife's computer or the office. It's far better to get Joe User off of Samba (and don't even suggest nfs) than it is to close the ssh port. I call into question this 95% statistic bandied about here. [citation needed]. Opensuse users are far more likely to use ssh than ubuntu users, simply because of the clientele opensuse attracts. -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
John Andersen wrote:
On Friday 20 November 2009 12:13:16 pm Brian K. White wrote:
I have an ubuntu desk at work. It had sshd enabled out of the box and I never ssh in to it. I could, even remotely,
No ubuntu doesn't have it enabled out of the box. It doesn't even install it out of the box.
I can safely say I have NEVER had a linux machine which I did not have SSH running on.
SSH is used for a lot more than just logging in remotely. It is used by the fish protocol, the sftp protocol for starters, and these are integrated right into Kong and Dolphin, and work amazingly well.
Yee on one computer may not think you need this. You install Samba and smbfs/CIFS and then worry about the security risks of ssh. Unbelievable!!!
John, thanks for joining in here - I was beginning to feel a tiny bit abandoned. /Per -- Per Jessen, Zürich (7.6°C)
On 11/20/2009 07:12 PM, Per Jessen wrote:
Doesn't change a thing. Where was it documented by the way?
Release notes. http://www.suse.de/relnotes/i386/openSUSE/11.2/RELEASE-NOTES.en.html#08 But it is in the update section, not the new install section :-? I thought that sshd is not modified for an upgrade :-?
I don't remember there being much community discussion about it.
I do. -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
On Fri, Nov 20, 2009 at 09:55:10PM +0100, Carlos E. R. wrote:
On 11/20/2009 07:12 PM, Per Jessen wrote:
Doesn't change a thing. Where was it documented by the way?
Release notes.
http://www.suse.de/relnotes/i386/openSUSE/11.2/RELEASE-NOTES.en.html#08
But it is in the update section, not the new install section :-? I thought that sshd is not modified for an upgrade :-?
https://bugzilla.novell.com/show_bug.cgi?id=557412 Thx Carlos for pointing at this. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, Nov 20, 2009 at 09:19:28AM -0800, John Andersen wrote:
On 11/20/2009 8:31 AM, Lars Müller wrote:
There is no good reason why Joe Doe needs the service ssh enabled.
I thought that was a particularly arrogant statement.
Arrogant? A user new to Linux doesn't need ssh access to a local box. Cause the majority of users don't even know what ssh is. And it is very likely that they even don't want to know it. ;) The Joe Doe I have in mind is a person new to Linux, needing a text processing system and a web browser. Firefox and OpenOffice is all they need. A lesson I recently learned: The majority of users these days don't even use a mail user agent. All they use is a web UI. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Friday 20 November 2009 10:03:10 am Lars Müller wrote:
On Fri, Nov 20, 2009 at 09:19:28AM -0800, John Andersen wrote:
On 11/20/2009 8:31 AM, Lars Müller wrote:
There is no good reason why Joe Doe needs the service ssh enabled.
I thought that was a particularly arrogant statement.
Arrogant? A user new to Linux doesn't need ssh access to a local box. Cause the majority of users don't even know what ssh is. And it is very likely that they even don't want to know it. ;)
The Joe Doe I have in mind is a person new to Linux, needing a text processing system and a web browser. Firefox and OpenOffice is all they need.
Sorry Lars, but the sad truth is those Joe and Jane Doe's are running Ubuntu/Kubuntu. Their sound and multi-media and web-cam work out of the box. And if they call their geek-friend for help the first thing geeks says to them is apt-get install openssh. We come here to opensuse have a more complete and secure OS from the start.
A lesson I recently learned: The majority of users these days don't even use a mail user agent. All they use is a web UI.
And yet Opensuse installs postfix by default? -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
On Fri, Nov 20, 2009 at 10:27:38AM -0800, John Andersen wrote:
On Friday 20 November 2009 10:03:10 am Lars Müller wrote:
On Fri, Nov 20, 2009 at 09:19:28AM -0800, John Andersen wrote:
On 11/20/2009 8:31 AM, Lars Müller wrote:
There is no good reason why Joe Doe needs the service ssh enabled.
I thought that was a particularly arrogant statement.
Arrogant? A user new to Linux doesn't need ssh access to a local box. Cause the majority of users don't even know what ssh is. And it is very likely that they even don't want to know it. ;)
The Joe Doe I have in mind is a person new to Linux, needing a text processing system and a web browser. Firefox and OpenOffice is all they need.
Sorry Lars, but the sad truth is those Joe and Jane Doe's are running Ubuntu/Kubuntu.
Hehe, I'll ask my Jane.
Their sound and multi-media and web-cam work out of the box. And if they call their geek-friend for help the first thing geeks says to them is apt-get install openssh.
We come here to opensuse have a more complete and secure OS from the start.
Nice to know.
A lesson I recently learned: The majority of users these days don't even use a mail user agent. All they use is a web UI.
And yet Opensuse installs postfix by default?
_Installs_, cause some other binaries or packages require the sendmail interface. This is provided by the 'smtp_daemon' provides of sendmail, postfix, or exim. Maybe there are more packages providing it these days like ssmtp and other small or simple smtp implementations. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
And yet Opensuse installs postfix by default?
_Installs_, cause some other binaries or packages require the sendmail interface.
That requirement is far more easily taken care of, Lars: ln -s /bin/true /usr/sbin/sendmail Shall I make it a feature request? It saves space, it saves installation time and it saves startup time. Win-win-win. /Per Apologies for having succumbed to such ridicule, it's really not my normal style. -- Per Jessen, Zürich (7.9°C)
On 20/11/09 15:27, John Andersen wrote:
We come here to opensuse have a more complete and secure OS from the start.
Enabling SSH daemon by default actually increases security risk...
And yet Opensuse installs postfix by default?
Cron requires smtp_daemon capability.
Lars Müller wrote:
On Fri, Nov 20, 2009 at 09:19:28AM -0800, John Andersen wrote:
On 11/20/2009 8:31 AM, Lars Müller wrote:
There is no good reason why Joe Doe needs the service ssh enabled.
I thought that was a particularly arrogant statement.
Arrogant? A user new to Linux doesn't need ssh access to a local box.
Correct, but somebody else might. His mum, the local admin for instance.
Cause the majority of users don't even know what ssh is. And it is very likely that they even don't want to know it. ;)
The Joe Doe I have in mind is a person new to Linux, needing a text processing system and a web browser. Firefox and OpenOffice is all they need.
Lars, those arguments just don't work. Using that, we might as well also disable apparmor, avahi, the virtual consoles and postfix. Are you (or someone else) planning that for 11.3? Why was e.g. avahi and apparmor even added when they are of no visible benefit to John Doe, the new user?

Guys, I can hear lots of defensive footwork going on here, but no-one has really been able to answer my questions in a satisfactory, convincing manner - just as they couldn't in March last year. Arguments I have heard so far:

1) sshd is a risk. What risk? - port 22 is protected by the firewall.

2) sshd is not needed by J. Doe, the new Linux user. Well, why have we been running sshd by default since 6.x then? If this is the _real_ argument, I expect openSUSE to become increasingly disabled - surely John Doe doesn't need cron nor syslog?

3) not starting sshd speeds up the boot-up. Dominique, that was you grasping at straws, I think.

/Per -- Per Jessen, Zürich (7.2°C)
>>> On 11/20/2009 at 20:17, Per Jessen <per@opensuse.org> wrote: > 1) sshd is a risk. > > What risk? - port 22 is protected by the firewall. CORRECT: sshd is NOT reachable for you either way if you don't configure it. So instead of now configuring the firewall, you start the sshd service. Put it on your install instructions you follow for every machine you install and be happy with it . What use is a service that is running that you can't reach? ssh localhost is certainly none (and yes: smtp on localhost can be of use... see cron). Dominique -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Dominique Leuenberger wrote:
>>>> On 11/20/2009 at 20:17, Per Jessen <per@opensuse.org> wrote:
>> 1) sshd is a risk.
>>
>> What risk? - port 22 is protected by the firewall.
>
> CORRECT: sshd is NOT reachable for you either way if you don't configure it. So instead of now configuring the firewall, you start the sshd service. Put it on your install instructions you follow for every machine you install and be happy with it.

I can solve the problem, I am asking why I have to.

> What use is a service that is running that you can't reach? ssh localhost is certainly none (and yes: smtp on localhost can be of use... see cron).

cron uses /usr/sbin/sendmail to drop mails straight into the queue, there is no smtp involved.

/Per -- Per Jessen, Zürich (0.0°C)
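The distinction this exchange turns on (daemon listening or not, port open in the firewall or not, loopback-only or not), worked through as an added example that is not part of any poster's message. The `ss -tln` output and firewall lines are constructed samples; reading the open ports from the SuSEfirewall2 sysconfig variable `FW_SERVICES_EXT_TCP` and the small service-name table are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample of `ss -tln` output: sshd bound to all interfaces,
# postfix bound to loopback only, CUPS bound to all interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       5       0.0.0.0:631         0.0.0.0:*
"""

# Constructed firewall settings: fresh-install state and after opening ssh.
FW_CLOSED = 'FW_SERVICES_EXT_TCP=""\n'
FW_SSH_OPEN = 'FW_SERVICES_EXT_TCP="ssh"\n'

# Inline name table (assumption) so the example runs without /etc/services.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "ipp": 631}


def parse_listeners(ss_output):
    """Return (address, port) for every listening TCP socket in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or anything that is not a listener
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        listeners.append((addr.strip("[]").split("%")[0], int(port)))
    return listeners


def is_loopback(addr):
    """True if the socket is bound to a loopback address."""
    if addr == "*":
        return False  # wildcard bind means all interfaces
    return ipaddress.ip_address(addr).is_loopback


def parse_fw_ports(sysconfig_text):
    """Return the set of TCP ports opened to the external zone."""
    ports = set()
    match = re.search(r'^\s*FW_SERVICES_EXT_TCP\s*=\s*"([^"]*)"',
                      sysconfig_text, re.M)
    for token in (match.group(1).split() if match else []):
        if token in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[token])
        elif re.fullmatch(r"\d+(:\d+)?", token):
            low, _, high = token.partition(":")  # single port or low:high
            ports.update(range(int(low), int(high or low) + 1))
        else:
            raise ValueError(f"unknown service name: {token}")
    return ports


def classify(ss_output, sysconfig_text):
    """Map each port to exposed / filtered / local-only / open-no-listener."""
    open_ports = parse_fw_ports(sysconfig_text)
    external, local = set(), set()
    for addr, port in parse_listeners(ss_output):
        (local if is_loopback(addr) else external).add(port)
    result = {}
    for port in sorted(external | local | open_ports):
        if port in external:
            # Reachable from outside only when the firewall also allows it.
            result[port] = "exposed" if port in open_ports else "filtered"
        elif port in local:
            result[port] = "local-only"
        else:
            result[port] = "open-no-listener"
    return result


if __name__ == "__main__":
    for label, fw in (("firewall closed", FW_CLOSED),
                      ("ssh opened", FW_SSH_OPEN)):
        print(label, classify(SAMPLE_SS, fw))
```

A "filtered" sshd is the pre-11.2 default being argued about: unreachable from outside, but still a running daemon that a single firewall change exposes.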
On 11/20/2009 07:03 PM, Lars Müller wrote:
On Fri, Nov 20, 2009 at 09:19:28AM -0800, John Andersen wrote:
On 11/20/2009 8:31 AM, Lars Müller wrote:
There is no good reason why Joe Doe needs the service ssh enabled.
I thought that was a particularly arrogant statement.
Arrogant? A user new to Linux doesn't need ssh access to a local box. Cause the majority of users don't even know what ssh is. And it is very likely that they even don't want to know it. ;)
Joe User may be stuck, phones for support, and support is then stuck having to give instructions to novice for enabling ssh first over the phone >:-P Have you tried to phone instructions to a novice to use the command line, and him reading back the results to you? Specially complex if the result is in English and the user/support people are Spanish. It makes for an interesting time. Better have an antacid ready, or a relaxing tisane nearby >:-) -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
No, that's not what I was suggesting - it's just weird to compare features such as these: 1) turning off sshd by default is likely to annoy Peter Admin and be ignored by Joe User. 2) adding nice RAID or LVM improvements might please Peter, but will be ignored by Joe. AFAICT, the change to disable sshd has not really achieved an awful lot, except annoy Peter Admin. If you ask me for a suggestion, I would say let's not p... off Peter Admin when trying to please Joe User.
If Peter Admin actually has a strong emotional reaction [pissed] to ssh being disabled by default then Peter Admin needs to spend more time away from this computer and consider talking to a Priest/Shaman/Shrink about his overall life.
On 11/20/2009 12:50 PM, Lars Müller wrote:
On Fri, Nov 20, 2009 at 12:17:46PM +0100, Per Jessen wrote:
b) this change was documented and is easy to revert.
service sshd start
chkconfig -a sshd
* open the port in the firewall.
Provided the machine is not headless or worse, remote.
This is not about "single-user". This is about a reasonable default for the current time. Five years ago we've not seen such distributed brute force ssh attacks.
But you can not make a reasonable default for everybody, you need several. You have to ask at the start of every install what is the intended usage of the installation, and then, take appropriate defaults for each one. -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
On Friday 20 November 2009 12:47:47 pm Carlos E. R. wrote:
But you can not make a reasonable default for everybody, you need several. You have to ask at the start of every install what is the intended usage of the installation, and then, take appropriate defaults for each one.
And that use to happen. However, your assertion is still wrong, because reasonable defaults have been the norm since we all stopped compiling our own kernels. -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
On 11/20/2009 10:13 PM, John Andersen wrote:
On Friday 20 November 2009 12:47:47 pm Carlos E. R. wrote:
But you can not make a reasonable default for everybody, you need several. You have to ask at the start of every install what is the intended usage of the installation, and then, take appropriate defaults for each one.
And that use to happen.
Sorry? I don't understand that sentence.
However, your assertion is still wrong, because reasonable defaults have been the norm since we all stopped compiling our own kernels.
Ok, then, change the "you can not" with "you should not". -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
Carlos E. R. wrote:
But you can not make a reasonable default for everybody, you need several. You have to ask at the start of every install what is the intended usage of the installation, and then, take appropriate defaults for each one.
Hi Carlos, I don't want to disagree with the above, except that in this very particular case it is actually _perfectly_ possible to make a reasonable default for everybody. Just start sshd by default - as has been the case since SuSE Linux switched from rsh to ssh. /Per -- Per Jessen, Zürich (7.6°C)
I don't want to disagree with the above, except that in this very particular case it is actually _perfectly_ possible to make a reasonable default for everybody. Just start sshd by default
not reasonable for me, because i always have to turn it off and uninstall it.. dd
DenverD wrote:
I don't want to disagree with the above, except that in this very particular case it is actually _perfectly_ possible to make a reasonable default for everybody. Just start sshd by default
not reasonable for me, because i always have to turn it off and uninstall it..
dd
I would _really_, _really_ like to know why, dd. Nobody else has been able to argue that point. /Per -- Per Jessen, Zürich (7.6°C)
On Friday 20 November 2009 01:50:53 pm DenverD wrote:
I don't want to disagree with the above, except that in this very particular case it is actually _perfectly_ possible to make a reasonable default for everybody. Just start sshd by default
not reasonable for me, because i always have to turn it off and uninstall it..
dd
HAD To? Turn off AND Uninstall? You are either working off of the smallest disks imaginable, and need every scrap of space or you simply don't understand that turning it off would suffice. You are sitting behind a router, yet you still feel so insecure that you both turn it off AND uninstall it? -- If stupidity got us into this mess, then why can't it get us out? - Will Rogers
On 11/20/09 22:37, Per Jessen wrote:
Carlos E. R. wrote:
But you can not make a reasonable default for everybody, you need several. You have to ask at the start of every install what is the intended usage of the installation, and then, take appropriate defaults for each one.
Hi Carlos,
I don't want to disagree with the above, except that in this very particular case it is actually _perfectly_ possible to make a reasonable default for everybody. Just start sshd by default - as has been the case since SuSE Linux switched from rsh to ssh.
/Per
First, I too don't like SSH disabled by default, but even before I had to turn off firewall to be able to use it, so it is not a big difference. I have my own firewall script just for machines that need firewall, and no firewall on the others. IMHO, there is one very easy way to have "reasonable default" for everybody: if I select any of the "server" software selections, make SSH enabled AND open firewall for it by default, otherwise don't. But in any case let the user have final word. Would this be too hard to do, let's say in 11.3? Btw, even NFS is ENABLED by default (if installed), although without configuration files it won't do anything, and that is one more that I would like to see disabled by default, together with avahi-daemon, bluez-coldplug, nscd, rpcbind, splash* and *preload to name just a few that I disable the first time I log into a server. Best regards, Siniša
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm. On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open. For them sshd running is useless and just costs startup time and resources. Reasoning yes, but not very good, IMHO.
It seems entirely legitimate to me. If you know what SSH is, then turn it on.
I think it's quite interesting (read: silly) to do such "optimizations" on one end of the spectrum (single-user PC) when we do e.g. LVM and RAID improvements (something the single-user most probably has little or no need for) on the other end.
I think LVM offers huge advantages to the desktop user. -- OpenGroupware developer: awilliam@whitemice.org <http://whitemiceconsulting.blogspot.com/> OpenGroupware & Cyrus IMAPd documentation @ <http://docs.opengroupware.org/Members/whitemice/wmogag/file_view>
On 11/20/2009 6:13 AM, Adam Tauno Williams wrote:
I think LVM offers huge advantages to the desktop user.
Name one. The average desktop user will never expand his storage over the life of the machine, will never dual boot, has precisely one disk drive, and that drive is either 75% empty or 75% filled with porn and other crap he has forgotten about and has no intention of revisiting.
On 11/20/2009 2:54 AM, Marcus Meissner wrote:
On Fri, Nov 20, 2009 at 11:28:14AM +0100, Per Jessen wrote:
It does seem pretty odd - why do I have to explicitly enable ssh during installation? In previous releases, sshd was always active. To anyone with more than one box, sshd is a must - to anyone with only one box, it doesn't do any harm.
On most users machines (I estimate 95%+), the firewall is enabled and the ssh port not open.
Ciao, Marcus
Which indicates another wrong-headed tendency. Rather than securing services and restricting them from operating on some adapters, we throw a firewall in front of them and to hell with in-application security. A properly configured linux machine does not need a firewall.
F*ck me, what a monsterthread on such a trivial issue :-) If the sshd isn't activated by default, one can easily configure it afterwards and get it started automatically next time. What's the problem?
On 11/21/2009 04:45 PM, Heinz Diehl wrote:
F*ck me, what a monsterthread on such a trivial issue :-)
If the sshd isn't activated by default, one can easily configure it afterwards and get it started automatically next time.
What's the problem?
If you installed remotely, you are very much out of luck. -- Cheers / Saludos, Carlos E. R. (from 11.2-ex-factory "Emerald" GM)
Carlos E. R. wrote:
On 11/21/2009 04:45 PM, Heinz Diehl wrote:
F*ck me, what a monsterthread on such a trivial issue :-)
If the sshd isn't activated by default, one can easily configure it afterwards and get it started automatically next time.
What's the problem?
If you installed remotely, you are very much out of luck.
The point being that installing remotely IS a thing guys people who admin servers do a lot. (Or, whether they actually do very much or not, they do need to be able to and an OS that wants to serve them should default to making it most possible for them, and most likely to succeed. Yes, it's true that at least the smart ones try to make sure they have specifically set that setting during install so that when it reboots they are not screwed.
In my case I simply do not attempt to do remote installs without remote serial console or ip-kvm. This is because it's stupid to actually depend on actively doing something correctly every time. Since the default is for ssh to be disabled, it doesn't matter if I use autoyast .xml files or just always remember to manually flip that option. It doesn't matter if I've never even had an actual accident where I got locked out. It's still an unsound system and would be dumb to rely on it.
I would not like to be responsible for machines that are remote, have no remote serial console or ip-kvm, and run opensuse. Because with the installer defaulting ssh off, every install is a nailbiting experience, or rather, you just have to avoid reinstalls even more than usual since it's irresponsible to take the risk of the box going unavailable. You normally avoid reinstalls anyways of course, but at the same time, part of providing good support is being ready and able to do a full fresh install any time if that's what's needed.
So, I'm still ok using opensuse for servers, but it's in part because I do not rely on always remembering that ssh setting during manual installs. The serial console is my safety net. Well, how nice for me that I was able to install console servers at all my sites, and I was able to ensure that every single server and appliance at every site even HAS a serial console for me to access. I would not say it's reasonable to just require this of everyone.
Sometimes you are responsible for a lot of single machines where it's an unreasonable burden/overhead to install a remote console server just for one remote server. For desktop users, this is not an issue. By that I mean, it's an issue such a small percentage of the time, and is outside the scope of the usual definition of desktop user, that it's ok to say "we don't support that in the desktop-targeted configuration". For servers, it is an issue. The minimal text-only install choice should be considered by definition to be a server-targeted configuration. Yes you could be installing text-only so that you could then add your own LXDE desktop or something, but it is unreasonable to assume that a possibility like that is the most likely and most common reason for choosing the minimal text-only install. Even if nowhere else, ssh should be enabled by default in that case. Also if the install was itself done by ssh (ssh=1 in the linuxrc boot parameters) regardless what kind of installation was chosen. For that matter, choosing any of the "server" package group patterns should automatically toggle ssh on also, if the setting had not been manually touched yet. -- bkw
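The lockout risk described in the message above (a remote install rebooting with sshd off or port 22 filtered) can be checked before the reboot instead of remembered. The script below is an added example, not part of the thread or of openSUSE's tooling; it assumes SysV start links under `/etc/init.d/rc3.d` and the `FW_SERVICES_EXT_TCP` / `FW_CONFIGURATIONS_EXT` variables in `/etc/sysconfig/SuSEfirewall2`, and `make_sample` builds a constructed tree so it can be tried offline.

```shell
#!/bin/sh
# Pre-reboot check for a remote install: will sshd be reachable after boot?
# Assumptions (not from the thread): SysV start links in
# ROOT/etc/init.d/rc3.d, firewall settings in ROOT/etc/sysconfig/SuSEfirewall2.

# fw_value FILE VAR: print the value of the last VAR="..." line in FILE
fw_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# has_word LIST WORD...: succeed if any WORD is an item of the space-separated LIST
has_word() {
    list=$1; shift
    for want in "$@"; do
        for item in $list; do
            [ "$item" = "$want" ] && return 0
        done
    done
    return 1
}

# ssh_after_reboot ROOT: print a verdict; return 0 only if ssh stays reachable
ssh_after_reboot() {
    rc="$1/etc/init.d/rc3.d"
    fw="$1/etc/sysconfig/SuSEfirewall2"
    if ! ls "$rc"/S[0-9][0-9]sshd >/dev/null 2>&1; then
        echo "LOCKOUT: sshd is not started at boot"; return 1
    fi
    if ! ls "$rc"/S[0-9][0-9]SuSEfirewall2_setup >/dev/null 2>&1; then
        echo "OK: sshd starts at boot, firewall is not started"; return 0
    fi
    if [ -f "$fw" ] && { has_word "$(fw_value "$fw" FW_SERVICES_EXT_TCP)" ssh 22 ||
                         has_word "$(fw_value "$fw" FW_CONFIGURATIONS_EXT)" sshd; }; then
        echo "OK: sshd starts at boot, firewall allows ssh"; return 0
    fi
    echo "LOCKOUT: sshd starts at boot but the firewall does not allow ssh"; return 1
}

# make_sample ROOT SSHD FIREWALL TCP: build a constructed tree for a dry run
# (SSHD and FIREWALL are "on" or "off"; TCP is the FW_SERVICES_EXT_TCP value)
make_sample() {
    mkdir -p "$1/etc/init.d/rc3.d" "$1/etc/sysconfig"
    rm -f "$1"/etc/init.d/rc3.d/S*
    [ "$2" = on ] && : > "$1/etc/init.d/rc3.d/S12sshd"
    [ "$3" = on ] && : > "$1/etc/init.d/rc3.d/S01SuSEfirewall2_setup"
    printf 'FW_SERVICES_EXT_TCP="%s"\nFW_CONFIGURATIONS_EXT=""\n' "$4" \
        > "$1/etc/sysconfig/SuSEfirewall2"
}
```

On a freshly installed system the check would be `ssh_after_reboot /` (or the mount point of the target root), run before the first reboot. Port ranges in `FW_SERVICES_EXT_TCP` are not interpreted; only the literal entries `ssh` and `22` count.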
participants (22)
- Adam Tauno Williams
- Bogdan Cristea
- Brian K. White
- Carlos E. R.
- Carlos E. R.
- Cristian Rodríguez
- Dave Cotton
- DenverD
- Dominique Leuenberger
- G T Smith
- Hans Krueger
- Heinz Diehl
- John Andersen
- Lars Müller
- Marcus Meissner
- ne...
- Per Jessen
- Peter Nikolic
- Rajko M.
- Richard Creighton
- Sinisa
- Sorin Peste