LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Interview: Kristen Carlson Accardi

LWN.net Weekly Edition for July 24, 2008

Tracing: no shortage of options

Interview: Wind River's John Bruggeman

LWN.net Weekly Edition for July 17, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

SSH?

SSH?

Posted Aug 12, 2004 5:15 UTC (Thu) by Duncan (guest, #6647)
Parent article: Sarge is coming

Why should SSH be installed by default? How many users are there out
there that have an internet connection, but no desire to connect to their
home computer from another location, or to some other location from home
in "shell" mode? I'd venture there's a lot. If that functionality is
unneeded, why include SSH by default, since every unnecessary inclusion is
one more possible security vuln, and it's JUST this type of person that's
least likely to keep their system updated in terms of security fixes and
the like.

How many folks on the Gentoo lists ask how to connect to their home system
via SSH, saying it "just worked" on <whatever>? We tell them that Gentoo
(which does come with SSH in the system install, tho I don't agree with
that), doesn't turn on such things by default, and they must configure it
to allow X via TCP and remote forwarding. That's a Good Thing (r)! How I
did battle to try and turn off those ports on Mandrake, that /shouldn't/
have been listening AT ALL, as I didn't need nor want remote access
functionality!

Sure, have it /available/ by default, but not /installed/ by default,
unless someone chooses a "remote desktop functionality" package or some
such. Again, it's /just/ the folks who don't need it that are most likely
to fail to update their systems regularly and properly, and therefore the
most likely to get cracked in part due to something they never needed or
asked that it be installed! All it does is waste disk space, increase
complexity, and provide yet another unneeded bit of functionality that
must be kept up to date to keep the system secure.

Duncan

(Log in to post comments)

SSH?

Posted Aug 12, 2004 5:45 UTC (Thu) by sjlyall (subscriber, #4151) [Link]

I think what was requested was that ssh be installed, not that the ssh daemon be run by default.

I would suspect that a large number of debian users would want to connect to a remote ssh server from their newly installed machine.

SSH?

Posted Aug 12, 2004 12:56 UTC (Thu) by zonker (subscriber, #7867) [Link]

I think what was requested was that ssh be installed, not that the ssh daemon be run by default.

Yes, that's correct -- though I run sshd on most of my machines, I do not want sshd turned on by default, but I do want it available and I certainly want ssh available at any machine that I'm going to be working at. I probably should have made it a bit clearer in the original article.

SSH -- we love it

Posted Aug 12, 2004 15:17 UTC (Thu) by stuart (subscriber, #623) [Link]

fear not, Gentoo has copied Debian traditions again.

In Debian (well let's say in Woody/Debian 3.0 for clarity):
SSH client is installed...which makes sense
The dameon (as mentioned already) is installed but not started by default.

<troll> Mind you I'd worry more about a Gentoo SSHd -- with all those users who insist on shonky pointless recompilation for some nefarious goal of speed -- who's to say important crypto code will not get miscompiled? </troll>

Stu.

SSH -- we love it

Posted Aug 13, 2004 2:48 UTC (Fri) by dberkholz (subscriber, #23346) [Link]

You say "copied" as if it's a bad thing. You should be proud that Debian's ideas are being used -- it means people think they're good.

SSH -- we love it

Posted Aug 13, 2004 19:38 UTC (Fri) by set (subscriber, #4788) [Link]

First, the speculation about miscompiled crypto code is almost pure fud;
we arent baking soufles here-- compilation should be deterministic, modulo
flakey hardware or compiler bugs. If you have the former, you arent any
safer running someone elses binary, and if you have the latter, so could
your distributer.
Second, its not about the speed, its about control, customisation, and
integration. Ones goal may be 'speed', in optimizing for a specific
arch, or it may something else, like 'size'. The point is that compiling
from source allows you to make those decisions. (and compiler flags are
just the tip of the iceberg in what you can configure.) Gentoo isnt for
everyone, but if you had to mischaracterize them, it might be more as
control freaks rather than speed freaks;)

SSH?

Posted Aug 12, 2004 23:00 UTC (Thu) by Ross (subscriber, #4065) [Link]

Then why bundle telnet by default? I don't see these as "remote desktop
functionality" but simple network clients. I could see an argument about
security but it would be simple and transparent for most users if ssh were
not suid by default -- I don't know if that's how Debian ships it. (The
suid part is only needed to emulate rsh... my opinion is that it should just
execute rsh in that case).

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.