Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]

From: Trevor Johnson (trevor@jpj.net)
Date: 08/01/02


Date: Thu, 1 Aug 2002 08:27:58 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: Dag-Erling Smorgrav <des@ofug.org>

Dag-Erling Smorgrav wrote:

> Trevor Johnson <trevor@jpj.net> writes:
> > Removing a weakness in security is not an arbitrary change. It is the
> > type of change that is suitable for FreeBSD -STABLE in spite of
> > inconvenience to users, and making one-line changes to two files is only a
> > mild inconvenience.
>
> So make that change on your own systems.

This is the section of http://www.openbsd.org/security.html#default which
I had hoped you would read:

        To ensure that novice users of OpenBSD do not need to become
        security experts overnight (a viewpoint which other vendors seem
        to have), we ship the operating system in a Secure by Default
        mode. All non-essential services are disabled. As the
        user/administrator becomes more familiar with the system, he will
        discover that he has to enable daemons and other parts of the
        system. During the process of learning how to enable a new
        service, the novice is more likely to learn of security
        considerations.

        This is in stark contrast to the increasing number of systems that
        ship with NFS, mountd, web servers, and various other services
        enabled by default, creating instantaneous security problems for
        their users within minutes after their first install.

In enabling protocol version 1 by default, you have created a security
problem for new users of FreeBSD. If they become aware of the problem,
they can reconfigure their systems as you advise me to do. It is better
for users to choose to diminish their security when they need a service.

-- 
Trevor Johnson
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
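As an added audit helper, not part of this thread or of OpenSSH itself, the shell functions below check whether an OpenSSH ssh_config or sshd_config still permits protocol version 1 and apply the one-line "Protocol 2" change the message refers to. The function names and sample configs are constructed; the code assumes (and labels) that a missing Protocol directive falls back to the upstream OpenSSH 3.x default of allowing both versions.

```shell
#!/bin/sh
# Report whether an OpenSSH config file (ssh_config or sshd_config) still
# permits protocol 1. Prints "yes" or "no". Hypothetical helper, not OpenSSH code.
ssh_protocol1_enabled() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            line = $0; gsub(/=/, " ", line)    # accept "Protocol=2" as well as "Protocol 2"
            split(line, f)                     # f[1] = keyword, f[2] = value
            if (tolower(f[1]) != "protocol") next   # keywords are case-insensitive
            found = 1                          # OpenSSH honours the first directive it reads
            m = split(f[2], v, ",")
            for (j = 1; j <= m; j++) if (v[j] == "1") { print "yes"; exit }
            print "no"; exit
        }
        END { if (!found) print "yes" }        # assumption: no directive = upstream 3.x default "2,1"
    ' "$1"
}

# Apply the one-line fix: rewrite every active Protocol directive to "Protocol 2",
# or append one when the file has none. Uses a temp copy so it works with BSD and GNU sed.
ssh_force_protocol2() {
    p='[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]'
    if grep -q "^[[:space:]]*$p[[:space:]=]" "$1"; then
        sed "s/^[[:space:]]*$p[[:space:]=].*/Protocol 2/" "$1" > "$1.tmp"
    else
        { cat "$1"; echo "Protocol 2"; } > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# Constructed sample configs: the weak setting, the corrected one, and one that
# only carries a commented-out directive (so the default applies).
WEAK_CFG=$(mktemp);  printf 'Protocol 2,1\nPermitRootLogin no\n' > "$WEAK_CFG"
FIXED_CFG=$(mktemp); printf 'Protocol 2\nPermitRootLogin no\n'   > "$FIXED_CFG"
BARE_CFG=$(mktemp);  printf '#Protocol 2,1\nPermitRootLogin no\n' > "$BARE_CFG"
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG" "$BARE_CFG"' EXIT

for cfg in "$WEAK_CFG" "$FIXED_CFG" "$BARE_CFG"; do
    echo "$cfg: protocol 1 permitted = $(ssh_protocol1_enabled "$cfg")"
done
```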

