Slackware This Forum is for the discussion of Slackware Linux.
04-19-2014, 12:07 PM
|
#16
|
Senior Member
Registered: Oct 2012
Location: South Devon, UK
Distribution: Slackware
Posts: 1,137
Rep:
|
Mancha: Thanks for clearing that up! For someone who isn't expert in these matters, that line is very misleading. Mine is being amended forthwith!
--
Pete
|
|
|
04-19-2014, 12:14 PM
|
#17
|
Member
Registered: Feb 2003
Location: Almere, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 368
Rep:
|
The standard is to allow root login at install.
This is for the large number of remote users that actually need ssh to connect to their remote server after it is installed.
After that you should make modifications to your system to reject root logins over ssh, etc.
|
|
1 members found this post helpful.
|
04-19-2014, 12:46 PM
|
#18
|
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
|
The main problem here is that the OP never uses SSH for anything, but left it installed and running. Maybe allowing root login should not be the default, but then people who actually do use SSH every day would complain.
|
|
|
04-19-2014, 01:49 PM
|
#19
|
Member
Registered: Aug 2012
Posts: 484
Rep:
|
Quote:
Originally Posted by bartgymnast
The standard is to allow root login at install.
This is for the large number of remote users that actually need ssh to connect to their remote server after it is installed.
After that you should make modifications to your system to reject root logins over ssh, etc.
|
Debian recently switched to a default of "PermitRootLogin without-password" which allows only key-based root logins.
The change will likely trickle down to Debian derivatives soon.
--mancha
|
|
2 members found this post helpful.
|
04-19-2014, 04:20 PM
|
#20
|
Member
Registered: Aug 2012
Posts: 484
Rep:
|
Small thread from 10/2013 discussing the topic of what PermitRootLogin setting to ship in sshd_config:
http://marc.info/?t=138102353700001&r=1&w=3.
It didn't get much upstream play possibly because they might feel this is a decision best suited for the
vendor level (a sentiment I would agree with).
--mancha
Last edited by mancha; 04-19-2014 at 06:00 PM.
|
|
|
04-19-2014, 05:59 PM
|
#21
|
Member
Registered: Feb 2013
Location: Sydney
Distribution: slackware
Posts: 110
Rep:
|
Quote:
Originally Posted by metaschima
The main problem here is that the OP never uses SSH for anything, but left it installed and running. Maybe allowing root login should not be the default, but then people who actually do use SSH every day would complain.
|
If I remember correctly, when installing Slackware the ssh service is checked by default. So for a newer user it is quite forgivable to have the service running but not realise it. I think that given this is the case, a change to default sshd configuration to (say) not permit root logins using passwords, but only public/private keys as seems to have happened in Debian, would be very wise.
Last edited by michaelslack; 04-19-2014 at 06:01 PM.
|
|
|
04-20-2014, 06:28 AM
|
#22
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557
|
Quote:
Originally Posted by mancha
That's unfortunately an incorrect analysis.
@pchristy: I agree with you the line, as written, suggests the default is to not allow root logins. However, the default does
allow them. Sound practice (unless you have special needs and know what you're doing) is to set "PermitRootLogin no" in
/etc/ssh/sshd_config. Maybe Slackware should ship that as default.
|
Right, thanks for pointing that out. I have fixed that then.
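An added example (not code from any post in this thread) for checking which of the PermitRootLogin values discussed above a given sshd_config actually applies, including overrides inside Match blocks. The function names and the sample config are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report PermitRootLogin as sshd would read it from a config.
# sshd keeps the first value it obtains for a keyword, keywords are
# case-insensitive, and settings after a Match line override the global one
# for matching connections.

root_login() {   # usage: root_login global|match FILE
    awk -F'[ \t=]+' -v want="$1" '
        { sub(/^[ \t]+/, "") }                  # trim indent (re-splits fields)
        /^#/ || NF == 0 { next }                # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) != "permitrootlogin" { next }
        !in_match && g == "" { g = tolower($2) }
        in_match { m = m (m == "" ? "" : ",") tolower($2) }
        END { if (want == "match") print (m == "" ? "none" : m)
              else print (g == "" ? "unset" : g) }
    ' "$2"
}

root_login_verdict() {   # most permissive case across global and Match values
    case ",$(root_login global "$1"),$(root_login match "$1")," in
        *,yes,*)   echo "password-root-login-allowed" ;;
        *,unset,*) echo "depends-on-compiled-default" ;;
        *,without-password,*|*,prohibit-password,*|*,forced-commands-only,*)
                   echo "key-only-root-login" ;;
        *,no,*)    echo "root-login-disabled" ;;
        *)         echo "unrecognised" ;;
    esac
}

demo() {   # constructed sample config, written to a temporary directory
    d=$(mktemp -d) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'Match Address 192.0.2.0/24' '    PermitRootLogin without-password' \
        > "$d/sshd_config"
    echo "global=$(root_login global "$d/sshd_config")" \
         "match=$(root_login match "$d/sshd_config")" \
         "verdict=$(root_login_verdict "$d/sshd_config")"
    rm -rf "$d"
}

demo   # global=no match=without-password verdict=key-only-root-login
```

On a live system, point `root_login_verdict` at /etc/ssh/sshd_config; an "unset" result means the answer depends on the default compiled into the installed OpenSSH version.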
|
|
|
04-20-2014, 07:13 AM
|
#23
|
Member
Registered: Aug 2008
Distribution: Slackware
Posts: 53
Rep:
|
Yesterday I noticed sshd service starting at startup. I was WTF because I remember I disabled it at installation. rc.sshd was executable, so I chmod u-x it. Some dates on files pointed to 31st March, which is way closer than I installed Slackware; I know I did not touch them myself.
I went to http://mirrors.slackware.com/slackwa...ches/packages/ and checked maybe some package touched sshd configuration.
I downloaded openssh-6.6p1-i486-2_slack14.1.txz and dived into directory structure with mc. It seems this package ships with an executable attribute of rc.sshd, so my old file got overwritten with this one and executed at start.
|
|
1 members found this post helpful.
|
04-20-2014, 07:51 AM
|
#24
|
Senior Member
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,307
Rep:
|
Quote:
Originally Posted by Reasa
I downloaded openssh-6.6p1-i486-2_slack14.1.txz and dived into directory structure with mc. It seems this package ships with an executable attribute of rc.sshd, so my old file got overwritten with this one and executed at start.
|
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
|
|
|
04-20-2014, 09:23 AM
|
#25
|
Member
Registered: Aug 2008
Distribution: Slackware
Posts: 53
Rep:
|
Quote:
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
|
You know what, I went and did installpkg openssh-6.6p1-i486-2_slack14.1.txz to see if rc.sshd will become an executable again, and it did not. So I am still confused how it became an executable initially, or I forgot to unselect it at Slackware installation. I don't know.
|
|
|
04-20-2014, 09:48 AM
|
#26
|
Member
Registered: Sep 2009
Distribution: Slackware 14.1
Posts: 118
Rep:
|
Quote:
Originally Posted by enorbet
Is there even a reason to have Sendmail service on a Desktop box?
|
Yes. If you want an email server.
|
|
|
04-20-2014, 09:57 AM
|
#27
|
Member
Registered: Oct 2012
Posts: 77
Rep:
|
Quote:
Originally Posted by 55020
Many Slackware installation scripts (install/doinst.sh inside the package, saved to /var/log/scripts/<package> after installation) are careful to preserve the permissions on existing rc scripts. (Often there is a little function named 'preserve_perms'). But, in the case of openssh, the script does not appear to do this. So yes, you are right, the ssh daemon was re-enabled on your system when you applied the recent openssh patch, which is perhaps not ideal. You did the right thing when you changed the permissions again.
|
It seems this is only missing from the 14.1 openssh patch; the 14.0 patch done on the same date has the correct preserve_perms, as does current. The missing preserve_perms happened probably at 14.1 release as the same problem occurs in the original script for 14.1, but there is no problem in current. I guess I'm glad I always make updates do .new files and then manually go through them.
|
|
1 members found this post helpful.
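An added example (not the openssh package's doinst.sh and not code from any post) of the mechanism the posts above describe: a disabled rc.sshd meets a package that ships the script executable, with and without a preserve_perms step. Only the name preserve_perms comes from the thread; the helper bodies, `config` and `simulate_upgrade` are written for this illustration and run entirely in a temporary directory.

```shell
#!/bin/sh
# Added example: why a preserve_perms step keeps a disabled rc script disabled.

# config: install FILE.new as FILE if FILE is absent, drop it if identical,
# otherwise leave FILE.new beside FILE for the admin to merge.
config() {
    new="$1"; old="${new%.new}"
    if [ ! -e "$old" ]; then
        mv "$new" "$old"
    elif cmp -s "$old" "$new"; then
        rm "$new"
    fi
}

# preserve_perms: give FILE.new the mode and owner of the existing FILE first.
preserve_perms() {
    new="$1"; old="${new%.new}"
    if [ -e "$old" ]; then
        cp -a "$old" "$new.incoming"    # copy carries the admin's permissions
        cat "$new" > "$new.incoming"    # new content, old permissions
        mv "$new.incoming" "$new"
    fi
    config "$new"
}

# simulate_upgrade HELPER: the admin has disabled rc.sshd (mode 644), the
# package ships rc.sshd.new as 755, and the .new file is then accepted over
# the old one. Prints whether rc.sshd ends up executable.
simulate_upgrade() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n# old\n' > "$dir/rc.sshd";     chmod 644 "$dir/rc.sshd"
    printf '#!/bin/sh\n# new\n' > "$dir/rc.sshd.new"; chmod 755 "$dir/rc.sshd.new"
    "$1" "$dir/rc.sshd.new"
    [ -e "$dir/rc.sshd.new" ] && mv "$dir/rc.sshd.new" "$dir/rc.sshd"
    if [ -x "$dir/rc.sshd" ]; then state=enabled; else state=disabled; fi
    rm -rf "$dir"
    echo "$state"
}

simulate_upgrade config          # enabled: the package's mode replaced the admin's
simulate_upgrade preserve_perms  # disabled: the admin's chmod survived
```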
|
04-20-2014, 10:51 AM
|
#28
|
Member
Registered: Jan 2008
Posts: 426
|
mancha,
A new default will break remote installation of Slackware, because now setup doesn't create a regular user, and if we skip the chroot to /mnt and do not create a regular user manually at the setup phase, this installation will be inaccessible for the first remote login.
As for me, mentioning this potential security problem in the documentation is still enough.
Last edited by bormant; 04-20-2014 at 10:55 AM.
|
|
|
04-20-2014, 11:59 AM
|
#29
|
LQ Addict
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,184
Rep:
|
Well, I assume that most desktop users create a regular user just after installation, and doing that in setup doesn't look like a daunting task. Maybe we could offer that possibility in Slint, as Salix does? More or less, that'd be just running adduser.
Last edited by Didier Spaier; 04-20-2014 at 12:08 PM.
Reason: adduser is not run during installation at present as I first wrote, only SeTpasswd
|
|
|
04-20-2014, 12:17 PM
|
#30
|
Senior Member
Registered: Jan 2008
Location: Urbana IL
Distribution: Slackware, Slacko,
Posts: 3,716
|
The main problem I see is this was posted on the 14th and the OP has not come back to respond to his own thread. So I usually take it with a grain of salt after this long. Or he figured out his fix hit the forum and left.
|
|
|
All times are GMT -5. The time now is 10:59 PM.