On Tue 12 Jul 2016 at 18:09:22 +0100, Lisi Reisz wrote:

> This was sent to me separately privately as well. I might have answered
> differently on the list, but I am not writing a second reply to the same
> post, so here is a copy-and-paste of my reply.
>
> On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> > On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > > I *was* asked last time I installed open-ssh*, at installation time, but
> > > did not understand the question so went with the default. If you do not
> > > allow password log-in, what DO you allow? For ssh to be useful, one has
> > > to use it. Note that it is not installed by default, one has to actively
> > > choose to have it.
> >
> > Before writing the original post, I checked on an Ubuntu 16.04 live
> > CD and was not asked any questions during installation of
> > openssh-server.
>
> My reaction to that is "well, if you will use Ubuntu, what do you expect?
> Ubuntu is hopelessly insecure."

Your reaction is unwarranted and unsubstantiated. mwnx relates an
experience which can easily be tested. Not that anyone will; this is
-user! In fact, there is no need to install because a glance at the
templates file in the openssh-server package should be enough.
Unconvinced? Do

  dpkg-reconfigure openssh-server

Any output? Why not is left as an exercise to the user.

> > I also tried right now on a debian jessie system,
> > and again, was not asked anything. What version of debian are you
> > running?
>
> Jessie and Wheezy.

The question you say was presented (and hazily recollect) was presented
because you were upgrading from Wheezy to Jessie.

> > My idea was that to be able to use ssh, you should configure it
> > first, in some way or another. A very basic configuration
> > (specifically, whether to allow password auth or not) could be done
> > through a prompt during installation.
>
> It was, last time I installed it. (ssh-server)

No question would be seen with a fresh install of openssh-server. The
question in essence is

  Disable SSH password authentication for root?

Firstly, this has nothing to do with the original posting. Secondly,
disabling it is the default for a new install so there is no need to
ask any question. So mwnx is correct. Not that his substantial first
post finds any favour in these parts.

> > > Where you are administering systems where you can expect users on your
> > > system to have weak passwords, change the defaults to suit. On my
> > > network there are no weak passwords. At least, I have chosen all
> > > passwords on the system and I go out of my way to try and make them
> > > reasonably secure. It is also (I hope) fairly difficult for anyone else
> > > to break in in the first place. I don't want *my* life made any harder!!
> >
> > You're looking at this from a sysadmin point of view, but many
> > debian users (I'm including Ubuntu users here) have no or little
> > knowledge of system administration.
>
> a) I am not. I have a small home network. And b) then they shouldn't be
> using ssh. Especially Ubuntu users. Ubuntu is hopelessly insecure in so
> many ways it is one of the main reasons why I don't like it.
>
> Weak passwords are a no-no in my opinion. If you use weak passwords and it
> causes problems, that is your problem. Don't foist a self-created problem on
> the rest of us. If your network is insecurely open to the world, that is
> also your problem. If you are administering a large network, then you are a
> sys-admin and can configure ssh to suit yourself.

Precisely. The original post sets up an Aunt Sally.
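
Whether root password logins are actually disabled on a given install can be read straight from the sshd configuration rather than from memory of an installer prompt. The following is an added example, not part of the original message: the function names and the sample configuration are constructed for illustration, and it assumes sshd's documented rule that the first occurrence of a keyword wins, looking only at the global section (everything before the first Match block).

```shell
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.

sample_config() {   # constructed sample, not taken from any real host
    cat <<'EOF'
# constructed sample configuration
Port 22
#PermitRootLogin yes
permitrootlogin without-password
PermitRootLogin yes
PasswordAuthentication=yes
Match User backup
    PasswordAuthentication no
EOF
}

effective() {       # usage: effective KEYWORD FILE
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }         # accept the "keyword=value" form
        tolower($1) == "match" { exit }       # conditional blocks start here
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

root_password_login() {   # usage: root_password_login FILE
    case "$(effective PermitRootLogin "$1")" in
        no|without-password|prohibit-password|forced-commands-only)
            echo blocked ;;
        yes)
            # Only the "password" method is checked; keyboard-interactive
            # (PAM) authentication is not examined here.
            if [ "$(effective PasswordAuthentication "$1")" = no ]
            then echo blocked-by-passwordauthentication
            else echo allowed
            fi ;;
        *)  # keyword absent: the compiled-in default applies, and that
            # default differs between OpenSSH releases
            echo unset ;;
    esac
}

# Stand-alone use: sh thisfile /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then root_password_login "$1"; fi
```

A result of `unset` means the answer depends on the installed OpenSSH version, so the packaged default should be checked rather than assumed.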