Bug 119810

Summary: sshd shouldn't be started by default
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Daniel Naber <sonstiges>
Component: Installation
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED FIXED
QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal
Priority: P5 - None
CC: kukuk, locilka, security-team
Version: RC 1
Target Milestone: ---
Hardware: PC
OS: All
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Daniel Naber 2005-10-01 18:42:09 UTC
I did a standard installation of openSUSE and noticed that sshd is running
automatically. I think it should not do that for the following reason: people use
openSUSE on their desktop computers and on their notebooks which are often
protected by means of a BIOS password and/or a hard-disk password. Thus people
will tend to use a less secure password for their Linux user account.

Many people will not be aware that this is a problem, as they are not aware that
you can remotely log in by default. Also, for everybody who needs sshd it would
only take 30 seconds to activate it. And it takes time to start, plus it uses
memory. That's why it should not start by default (it should of course be
installed by default -- but not started).
Comment 1 Petr Ostadal 2005-10-10 15:17:16 UTC
Andreas, what do you think about it?
It can be done with a YaST option, in a similar way to how the firewall has it.
But I don't like disabling the sshd daemon by default, because IMHO a lot of
people expect this behaviour.
Comment 2 Daniel Naber 2005-10-10 18:04:44 UTC
Actually I now installed the final version and now there's a real bug: the
summary installation screen contains an item like "sshd is deactivated"
(translated back from German). I clicked on the "deactivated" to see what
happens, so it changed to "activated". I clicked again so it should be
deactivated (and it showed "deactivated"). However, sshd was running anyway when
the installation was finished.

Besides that, I don't see why it matters that some people expect sshd to run by
default. Those who do NOT expect it have a good chance to have a security
problem. This is more important than saving the few seconds of work for those
who want sshd to be installed.
Comment 3 Marcus Meissner 2005-10-11 14:23:54 UTC
sshd is the one service we consider necessary and useful to run. 
 
The problem you are referring to is a bit of a problematic, misdescribed entry
in the Firewall heading on the Network Workflow page.
 
You are right that people perhaps use too easy passwords. Those people will 
however likely not change this default firewall setting either. 
 
We can discuss this for 10.1, but all experienced users will kill us for it if 
we do that. 
Comment 4 Andreas Jaeger 2005-11-24 10:08:38 UTC
YaST team, let's change the text from "sshd is deactivated" to "sshd port is blocked".

Let's still have ssh running by default...
Comment 5 Petr Ostadal 2005-12-06 21:31:18 UTC
reassign to yast2 maintainers
Comment 6 Lukas Ocilka 2005-12-07 08:15:54 UTC
OK, I'll change the text for 10.1
Comment 7 Lukas Ocilka 2005-12-07 09:07:24 UTC
Texts were fixed in SVN, it should be available in the next Alpha/Beta.
Comment 8 Lukas Ocilka 2005-12-15 14:07:14 UTC
*** Bug 139348 has been marked as a duplicate of this bug. ***