Opened 11 years ago
Closed 6 years ago
#9459 closed enhancement (no change required)
sshd should not be enabled by default
| Reported by: | bbjimmy | Owned by: | darkwyrm |
|---|---|---|---|
| Priority: | low | Milestone: | R1 |
| Component: | Servers/services_daemon | Version: | R1/alpha4.1 |
| Keywords: | sshd | Cc: | |
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
The sshd daemon is launched on a default set-up of haiku. This is on the latest nightly, haiku-nightly-hrev45284-x86gcc2hybrid-raw.zip as well as r1a4.1
This service should not be enabled by default.
/boot/common/settings/network/services:
#service telnet {
# launch telnetd
#}
#service ftp {
# launch ftpd
#}
service ssh {
launch /boot/common/bin/sshd -D
stand_alone
}
should be:
#service telnet {
# launch telnetd
#}
#service ftp {
# launch ftpd
#}
#service ssh {
# launch /boot/common/bin/sshd -D
# stand_alone
#}
Change History (6)
comment:1 by , 11 years ago
follow-up: 3 comment:2 by , 11 years ago
HAIKU already has a reputation of lacking security. There is no need to add to this.
It is generally considered to be a security risk to have an unrequested network service open by default. Is there a valid reason to have an ssh daemon running on a desktop computer that has just one user?
A simple bash script could be added to enable/disable sshd after install, but at least give the user the option to enable or not.
comment:3 by , 11 years ago
Replying to bbjimmy:
It is generally considered to be a security risk to have an unrequested network service open by default. Is there a valid reason to have an ssh daemon running on a desktop computer that has just one user?
Have you already hacked freshly installed Haiku in this way? ;-) It is development platform and developers sometime need any available way to access systems with locked UI or dead graphics hardware to find the source of problem. Disabling sshd now dosen't help to improve security but make more problems in developing Haiku.
-1
comment:4 by , 11 years ago
| Priority: | normal → low |
|---|---|
| Type: | bug → enhancement |
Certainly not a bug...
I think it's fine to leave this open as an "R1" milestone item - perhaps it makes sense to turn it off during the beta cycles.
comment:5 by , 11 years ago
| Summary: | sshd enabled by default → sshd should not be enabled by default |
|---|
comment:6 by , 6 years ago
| Resolution: | → no change required |
|---|---|
| Status: | new → closed |
It is generally considered to be a security risk to have an unrequested network service open by default.
All Linuxes and BSDs ship with sshd running by default. And it is not a security risk really; it disables signing in as root by default, and does not allow signing in as users with no passwords (and so there is no way to "use" it unless you manually create a user or set a password, but this is the expected behavior.)
Do you have any actual reasons against it? It's very convenient to have one running, and we do not have any UI method to enable/disable them.