On Tuesday 12 July 2016 19:16:37 Brian wrote:
> On Tue 12 Jul 2016 at 18:09:22 +0100, Lisi Reisz wrote:
> > This was sent to me separately privately as well. I might have answered
> > differently on the list, but I am not writing a second reply to the same
> > post, so here is a copy-and-paste of my reply.
> >
> > On Tuesday 12 July 2016 17:45:58 mwnx wrote:
> > > On Tue, Jul 12, 2016 at 02:18:58PM +0100, Lisi Reisz wrote:
> > > > I *was* asked last time I installed open-ssh*, at installation time,
> > > > but did not understand the question so went with the default. If you
> > > > do not allow password log-in, what DO you allow? For ssh to be
> > > > useful, one has to use it. Note that it is not installed by default,
> > > > one has to actively choose to have it.
> > >
> > > Before writing the original post, I checked on an Ubuntu 16.04 live
> > > CD and was not asked any questions during installation of
> > > openssh-server.
> >
> > My reaction to that is "well, if you will use Ubuntu, what do you expect?
> > Ubuntu is hopelessly insecure."
>
> Your reaction is unwarranted and unsubstantiated.

Yes, probably. It was my reaction, and has been my experience in general - but I did not test this. I was annoyed that mwnx had gone personal in that way. Mea culpa.

> mwnx relates an
> experience which can easily be tested. Not that anyone will; this
> is -user! In fact, there is no need to install because a glance at
> the templates file in the openssh-server package should be enough.
>
> Unconvinced? Do
>
>   dpkg-reconfigure openssh-server
>
> Any output? Why not is left as an exercise to the user.
>
> > > I also tried right now on a debian jessie system,
> > > and again, was not asked anything. What version of debian are you
> > > running?
> >
> > Jessie and Wheezy.
>
> The question you say was presented (and hazily recollect) was presented
> because you were upgrading from Wheezy to Jessie.

No, that is neither what I said nor what I meant. I do not have ssh on any of my systems unless I need it. So the last twice I did

# aptitude install openssh-client openssh-server

I think once on Wheezy and once on Jessie, but am not absolutely certain that that was the order in which I did it, so it could have been the two Jessie computers that I did last. I have installed ssh recently on one Wheezy computer and two Jessie ones. I did not write the question down, but I was asked it.

> >
> > > My idea was that to be able to use ssh, you should configure it
> > > first, in some way or another. A very basic configuration
> > > (specifically, whether to allow password auth or not) could be done
> > > through a prompt during installation.
> >
> > It was, last time I installed it. (ssh-server)
>
> No question would be seen with a fresh install of openssh-server. The
> question in essence is
>
>   Disable SSH password authentication for root?

No it was an a or b choice.

>
> Firstly, this has nothing to do with the original posting. Secondly,
> disabling it is the default for a new install so there is no need to
> ask any question.

It wasn't I who wanted it. Though I want password access, so if the default is now no password access I am glad to have the information you give above.

Lisi

>
> So mwnx is correct. Not that his substantial first post finds any
> favour in these parts.
>
> > > > Where you are administering systems where you can expect users on
> > > > your system to have weak passwords, change the defaults to suit. On
> > > > my network there are no weak passwords. At least, I have chosen all
> > > > passwords on the system and I go out of my way to try and make them
> > > > reasonably secure. It is also (I hope) fairly difficult for anyone
> > > > else to break in in the first place. I don't want *my* life made any
> > > > harder!!
> > >
> > > You're looking at this from a sysadmin point of view, but many
> > > debian users (I'm including Ubuntu users here) have no or little
> > > knowledge of system administration.
> >
> > a) I am not. I have a small home network. And b) then they shouldn't be
> > using ssh. Especially Ubuntu users. Ubuntu is hopelessly insecure in so
> > many ways it is one of the main reasons why I don't like it.
> >
> > Weak passwords are a no-no in my opinion. If you use weak passwords and
> > it causes problems, that is your problem. Don't foist a self-created
> > problem on the rest of us. If your network is insecurely open to the
> > world, that is also your problem. If you are administering a large
> > network, then you are a sys-admin and can configure ssh to suit yourself.
>
> Precisely. The original post sets up an Aunt Sally.