Trying OpenSSH in Debian Etch ... plus thoughts on security, sudo and nano vs. vi


I did a Debian Etch install on one of my test machine drives recently, and today I added the openssh-server package so I could play around with PuTTY and Xming.

Once I installed openssh-server (I used Synaptic, in case you were wondering), using PuTTY to start the connection, I was asked whether or not I expected the encryption key to change (I was, since this is the Debian install, not OpenBSD, which I've been using until now).

One bonus of using this Debian Etch install: The OpenBSD drive is noisy, which probably means it's gonna go. The drive on which I installed Etch is much quieter. I probably need to get some newer, bigger drives ... or a whole new test box, but that's another story for another time.

Quirks in Debian Etch with openssh-server: I can run X apps, no problem. When I run:

$ nautilus &

... I get a huge window with the entire GNOME desktop, minus the toolbars. And I can't close that window -- Xming won't let me, I think. X-ing it out doesn't work. I had to kill the process in my PuTTY terminal. (Note: $ startx & does not work ...)

Speaking of security: OpenBSD is known for its security above all else. Here's how using openssh (which was created by the OpenBSD team) differs -- at my lowly level, anyway -- between OpenBSD and Debian Etch:

In OpenBSD: The sshd server is included in the standard install. But it can't be used until rootly powers are used to implement it. Running X over ssh is not allowed until the appropriate configuration changes are made. But root logins are allowed over ssh by default; the administrator, however, can choose to block root login (which I did).

In Debian: Debian installs without the ssh server installed. So without the administrator specifically installing openssh-server, nobody can ssh into the box. But once that package is installed, Debian automatically allows ssh logins -- and X logins as well. As with OpenBSD in its default state, root logins are permitted over ssh until that feature is turned off in /etc/sshd_config.

I don't understand all the lines in sshd_config, but I probably should get better acquainted with each and every one of them.
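
An added example (not from the original post): a shell check for the two settings discussed above, root login and X11 forwarding, in an sshd_config. It reads only the global section, follows sshd's rule that the first value read for a keyword wins, and reports a missing keyword as unset instead of guessing the compiled-in default; the sample file and the function names are constructed for illustration.

```shell
# Constructed sample for this example; not copied from any real host.
sample_config() {
cat <<'EOF'
Port 22
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
X11Forwarding yes
Match User backup
    X11Forwarding no
    PasswordAuthentication no
EOF
}

# Print the global value sshd would use for keyword $1 in the config on stdin,
# or "unset" when the file leaves the choice to the compiled-in default.
# Assumption: the file is self-contained (Include directives are not followed).
sshd_global_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept the "Keyword=value" form
        tolower($1) == "match" { exit }         # conditional blocks start here
        tolower($1) == want && !found {         # first value read wins
            found = 1; val = tolower($2); gsub(/"/, "", val)
        }
        END { print (found ? val : "unset") }
    '
}

# Audit the config on stdin; returns non-zero if either setting needs review.
# Anything other than an explicit "no" is flagged.
audit_sshd_config() {
    cfg=$(cat)
    status=0
    for kw in PermitRootLogin X11Forwarding; do
        v=$(printf '%s\n' "$cfg" | sshd_global_value "$kw")
        case "$v" in
            no)    echo "ok    $kw $v" ;;
            unset) echo "check $kw unset (compiled-in default applies)"; status=1 ;;
            *)     echo "warn  $kw $v"; status=1 ;;
        esac
    done
    return $status
}

sample_config | audit_sshd_config || echo "findings present"
```

In the sample, the commented-out line is ignored and the lowercase `permitrootlogin yes` takes effect because it is read before the later `PermitRootLogin no`.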

Speed? It could be the fact that this Debian Etch box has the GNOME desktop, and I've been running OpenBSD either from the console or the default Fvwm window manager, but everything happens a lot faster with the OpenBSD install (hardware is the same for both). I could modify Debian to boot to a console instead of GDM, and that might speed it up a bit (memory is 256 MB), but whatever the reason, thus far OpenBSD is a bit smoother. (Later, things seemed to run a bit better when I didn't log in on the Debian box and hence didn't have GNOME running).

More on security: If this box wasn't just something for me to play with on the local network, the stakes would be a lot higher. I suppose not having sshd is pretty good security when compared to having sshd installed but not enabled. And I also suppose that installing sshd (openssh-server) means that you want to actually use it. But in the case of both OpenBSD and Debian, I wonder why root logins over SSH are enabled by default. If anything, I'd expect OpenBSD to disallow them until the administrator of the box decides to turn that feature on.

And since you can always use su or sudo (Ubuntu has conditioned me to like sudo, and I always add myself to the sudoers list with visudo), there's really no reason for a root login over ssh.

Side note: Debian doesn't automatically add the primary user to the sudoers list, something I always do because on many occasions I'd rather use sudo than su.

Ubuntu, by default, disables root logins entirely and only offers sudo. It makes setting root's crontab a pain in the ass. I use sudo -i crontab -e to get into root's crontab in Ubuntu.

Side note to a side note: While I can fake my way around vi, I like it when nano is the default editor and crontab -e brings up nano instead of vi. The one thing I don't like about nano is that when you wrap text, actual linefeeds are inserted. At least in vi you can have the text break in the middle of a word without turning word wrap on (although you are able to do so if you want wrapped text). The one thing I like in X editors is the ability for text to look wrapped without actually being wrapped.


6 Comments

Nat said:

Root logins are allowed by default on OpenBSD because there is no other account by default. This is a part of how things have always been, in order to keep the install simple and upgrades easy. man afterboot some time, OpenBSD tells you to on your first boot, it also tells you to use sudo and not su.

OpenBSD and OpenSSL are completely unrelated projects, OpenBSD does OpenSSH, but not OpenSSL. That is a widely held misconception, one that aggravates the hell out of OpenSSL developers.

Martin Hooper said:

$nano -w

Disables wordwrap for when you are editing config files or files with long lines.

Steven Rosenberg said:

I'm talking about OpenSSH, and more specifically the openssh-server package in Debian. And it is the OpenSSH that comes from OpenBSD.

Steven Rosenberg said:

What I want to do is enable word wrap, then disable it and make all the extra linefeeds go away.

Chris Lees said:

nautilus --no-desktop.

That should run Nautilus but not manage the desktop.

miksuh said:

Ubuntu style to use sudo is not secure, no matter if ubuntu guys try to sa. And that's not how sudo was meant to be used.

Ubuntu gives full root access to that default sudo-user. That line in Ubuntu /etc/sudoers does not set any restrictions on what that sudo-user can do. It gives full root access. That user can execute any command which needs root rights, and that's not how sudo was meant to be used.

In Debian users do not have any sudo rights by default. Sudo was originally meant to be used so that root can give user right to use specific command(s) which need root rights. User could then use just those commands, and not any command which root can use. Sudo was not meant to be used as a full root replacement when user can execute any command as a root.

About this Entry

This page contains a single entry by Steven Rosenberg published on March 4, 2008 11:30 AM.
