LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 04-19-2014, 12:07 PM   #16
pchristy
Member
 
Registered: Oct 2012
Location: UK
Distribution: Slackware
Posts: 67

Rep: Reputation: Disabled

Mancha: Thanks for clearing that up! For someone who isn't expert in these matters, that line is very misleading. Mine is being amended forthwith!



--
Pete
 
Old 04-19-2014, 12:14 PM   #17
bartgymnast
Member
 
Registered: Feb 2003
Location: Lelystad, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 258

Rep: Reputation: 87
the standard is to allow root login at install.

This is for the big amount of remote users that actually need ssh to connect to their remote server after it is installed.
After that you should make modification to your system to reject root logins over ssh, etc.
 
1 members found this post helpful.
Old 04-19-2014, 12:46 PM   #18
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,176

Rep: Reputation: Disabled
The main problem here is that the OP never uses SSH for anything, but left it installed and running. Maybe allowing root login should not be the default, but then people who actually do use SSH every day would complain.
 
Old 04-19-2014, 01:49 PM   #19
mancha
Member
 
Registered: Aug 2012
Posts: 290

Rep: Reputation: Disabled
Quote:
Originally Posted by bartgymnast View Post
the standard is to allow root login at install.

This is for the big amount of remote users that actually need ssh to connect to their remote server after it is installed.
After that you should make modification to your system to reject root logins over ssh, etc.
Debian recently switched to a default of "PermitRootLogin without-password" which allows only key-based root logins.
The change will likely trickle down to Debian derivatives soon.

--mancha
 
2 members found this post helpful.
Old 04-19-2014, 04:20 PM   #20
mancha
Member
 
Registered: Aug 2012
Posts: 290

Rep: Reputation: Disabled
Small thread from 10/2013 discussing the topic of what PermitRootLogin setting to ship in sshd_config:
http://marc.info/?t=138102353700001&r=1&w=3.

It didn't get much upstream play possibly because they might feel this is a decision best suited for the
vendor level (a sentiment I would agree with).

--mancha

Last edited by mancha; 04-19-2014 at 06:00 PM.
 
Old 04-19-2014, 05:59 PM   #21
michaelslack
Member
 
Registered: Feb 2013
Location: Sydney
Distribution: slackware
Posts: 83

Rep: Reputation: 33
Quote:
Originally Posted by metaschima View Post
The main problem here is that the OP never uses SSH for anything, but left it installed and running. Maybe allowing root login should not be the default, but then people who actually do use SSH every day would complain.
If I remember correctly, when installing slackware the ssh service is checked by default. So for a newer user it is quite forgiveable to have the service running but not realise it. I think that given this is the case, a change to default sshd configuration to (say) not permit root logins using passwords, but only public/private keys as seems to have happened in Debian, would be very wise.

Last edited by michaelslack; 04-19-2014 at 06:01 PM.
 
Old 04-20-2014, 06:28 AM   #22
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,840

Rep: Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846
Quote:
Originally Posted by mancha View Post
That's unfortunately an incorrect analysis.

@pchristy: I agree with you the line, as written, suggests the default is to not allow root logins. However, the default does
allow them. Sound practice (unless you have special needs and know what you're doing) is to set "PermitRootLogin no" in
/etc/ssh/sshd_config. Maybe Slackware should ship that as default.
Right, thanks for pointing that out. I have fixed that then.
 
Old 04-20-2014, 07:13 AM   #23
Reasa
Member
 
Registered: Aug 2008
Distribution: Slackware
Posts: 53

Rep: Reputation: 16
Yesterday I noticed sshd service starting at startup. I was WTF because I remember I disabled it at installation. rc,sshd was executable, so I chmod u-x it. Some dates on files pointed to 31st march, which is way closer than I installed slackware, I know I did not touch them myself.

I went to http://mirrors.slackware.com/slackwa...ches/packages/ and checked maybe some package touched sshd configuration.

I downloaded openssh-6.6p1-i486-2_slack14.1.txz and dived into directory structure with mc. It seems this package ships with an executable attribute of rc.sshd, so my old file got overwritten with this one and executed at start.
 
1 members found this post helpful.
Old 04-20-2014, 07:51 AM   #24
55020
Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 366
Blog Entries: 4

Rep: Reputation: 330Reputation: 330Reputation: 330Reputation: 330
Quote:
Originally Posted by Reasa View Post
I downloaded openssh-6.6p1-i486-2_slack14.1.txz and dived into directory structure with mc. It seems this package ships with an executable attribute of rc.sshd, so my old file got overwritten with this one and executed at start.
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
 
Old 04-20-2014, 09:23 AM   #25
Reasa
Member
 
Registered: Aug 2008
Distribution: Slackware
Posts: 53

Rep: Reputation: 16
Quote:
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
You know what, I went and did installpkg openssh-6.6p1-i486-2_slack14.1.txz to see if rc.sshd will become an executable again, and it did not. So I am still confused how it became an executable initially, or I forgot to unselect it at slackware installation. I dont know.
 
Old 04-20-2014, 09:48 AM   #26
thirteen_engines
Member
 
Registered: Sep 2009
Location: Saskatoon, Saskatchewan
Distribution: Slackware 13.37
Posts: 75

Rep: Reputation: 19
Quote:
Originally Posted by enorbet View Post
Is there even a reason to have Sendmail service on a Desktop box?
Yes. If you want an email server.
 
Old 04-20-2014, 09:57 AM   #27
pataphysician
Member
 
Registered: Oct 2012
Posts: 46

Rep: Reputation: Disabled
Quote:
Originally Posted by 55020 View Post
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
It seems this is only missing from the 14.1 openssh patch, the 14.0 patch done on the same date has the correct preserve_perms, as does current. The missing preserve-perms happened probably at 14.1 release as the same problem occurs in the original script for 14.1, but there is no problem in current. I guess I'm glad I always make updates do .new files and then manually go through them.
 
1 members found this post helpful.
Old 04-20-2014, 10:51 AM   #28
bormant
Member
 
Registered: Jan 2008
Posts: 100

Rep: Reputation: 47
mancha,
new default will break remote installation of Slackware, because now setup doesn't create regular user and if we skip chroot to /mnt and do not create regular user manually at setup phase, this installation will be unaccessable for first remote login.
As for me, mention this potential security problem in documentation is still enough.

Last edited by bormant; 04-20-2014 at 10:55 AM.
 
Old 04-20-2014, 11:59 AM   #29
Didier Spaier
Senior Member
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slackware{,64}-{14.1,current} on a Lenovo Thinkpad T61 6457-4XG
Posts: 4,244

Rep: Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043
Well, I assume that most desktop users create a regular user just after installation, and doing that in setup doesn't look like a daunting task. Maybe we could offer that possibility in Slint, as Salix does? More or less, that'd be just running adduser.

Last edited by Didier Spaier; 04-20-2014 at 12:08 PM. Reason: adduser is not run during installation at present as I first wrote, only SeTpasswd
 
Old 04-20-2014, 12:17 PM   #30
Drakeo
Senior Member
 
Registered: Jan 2008
Location: Urbana IL
Distribution: Slackware, Slacko,
Posts: 2,557
Blog Entries: 3

Rep: Reputation: 215Reputation: 215Reputation: 215
main problem I see is this was posted on the 14th and the OP has not come back to respond to his own thread. So I usually take it with a grain of salt .

after this long. Or he figured out his fix hit the forum and left.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
GIMP leaves 'brush droppings' on canvas. William (Dthdealer) Linux - Software 2 10-17-2009 06:13 AM
[SOLVED] May have contracted malware. Yes, malware. Firefox on Ubuntu Fiesty. Seeking a fix drachenchen Linux - Security 22 08-17-2008 01:05 PM
May have contracted malware. Yes, malware. Firefox on Ubuntu Fiesty. Seeking a fix drachenchen Linux - Security 1 06-12-2008 05:10 AM
Krita and duplicate brush The slayer Linux - Software 0 07-09-2006 03:10 AM


All times are GMT -5. The time now is 07:17 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration