This was sent to me separately privately as well. I might have answered differently on the list, but I am not writing a second reply to the same post, so here is a copy-and-paste of my reply.
On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > I *was* asked last time I installed open-ssh*, at installation time, but
> > did not understand the question so went with the default. If you do not
> > allow password log-in, what DO you allow? For ssh to be useful, one has
> > to use it. Note that it is not installed by default, one has to actively
> > choose to have it.
>
> Before writing the original post, I checked on an Ubuntu 16.04 live
> CD and was not asked any questions during installation of
> openssh-server.

My reaction to that is "well, if you will use Ubuntu, what do you expect? Ubuntu is hopelessly insecure."

> I also tried right now on a debian jessie system,
> and again, was not asked anything. What version of debian are you
> running?

Jessie and Wheezy.

>
> My idea was that to be able to use ssh, you should configure it
> first, in some way or another. A very basic configuration
> (specifically, whether to allow password auth or not) could be done
> through a prompt during installation.

It was, last time I installed it. (ssh-server)

> > Where you are administering systems where you can expect users on your
> > system to have weak passwords, change the defaults to suit. On my
> > network there are no weak passwords. At least, I have chosen all
> > passwords on the system and I go out of my way to try and make them
> > reasonably secure. It is also (I hope) fairly difficult for anyone else
> > to break in in the first place. I don't want *my* life made any harder!!
>
> You're looking at this from a sysadmin point of view, but many
> debian users (I'm including Ubuntu users here) have no or little
> knowledge of system administration.

a) I am not. I have a small home network. And b) then they shouldn't be using ssh. Especially Ubuntu users. Ubuntu is hopelessly insecure in so many ways it is one of the main reasons why I don't like it. Weak passwords are a no-no in my opinion.
If you use weak passwords and it causes problems, that is your problem. Don't foist a self-created problem on the rest of us. If your network is insecurely open to the world, that is also your problem. If you are administering a large network, then you are a sys-admin and can configure ssh to suit yourself.

Lisi