Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]

From: Trevor Johnson (trevor@jpj.net)
Date: 08/01/02


Date: Thu, 1 Aug 2002 08:27:58 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: Dag-Erling Smorgrav <des@ofug.org>

Dag-Erling Smorgrav wrote:

> Trevor Johnson <trevor@jpj.net> writes:
> > Removing a weakness in security is not an arbitrary change. It is the
> > type of change that is suitable for FreeBSD -STABLE in spite of
> > inconvenience to users, and making one-line changes to two files is only a
> > mild inconvenience.
>
> So make that change on your own systems.

This is the section of http://www.openbsd.org/security.html#default which
I had hoped you would read:

        To ensure that novice users of OpenBSD do not need to become
        security experts overnight (a viewpoint which other vendors seem
        to have), we ship the operating system in a Secure by Default
        mode. All non-essential services are disabled. As the
        user/administrator becomes more familiar with the system, he will
        discover that he has to enable daemons and other parts of the
        system. During the process of learning how to enable a new
        service, the novice is more likely to learn of security
        considerations.

        This is in stark contrast to the increasing number of systems that
        ship with NFS, mountd, web servers, and various other services
        enabled by default, creating instantaneous security problems for
        their users within minutes after their first install.

In enabling protocol version 1 by default, you have created a security
problem for new users of FreeBSD. If they become aware of the problem,
they can reconfigure their systems as you advise me to do. It is better
for users to choose to diminish their security when they need a service.

-- 
Trevor Johnson
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
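The "one-line change to two files" debated above is the `Protocol` directive in sshd_config and ssh_config. The following POSIX sh audit is an added example, not code from the thread or from FreeBSD or OpenSSH: it reads a config from stdin, applies the assumed sshd_config rules that the first `Protocol` directive wins and that a missing directive falls back to the compiled-in default "2,1" of OpenSSH 3.4, and reports whether SSH-1 is still enabled. The sample configs are constructed.

```shell
#!/bin/sh
# Audit an OpenSSH 3.x-era config for SSH protocol 1 (added example).
# Assumptions: keywords are case-insensitive, the first "Protocol"
# directive wins, '#' starts a comment, and a missing directive means
# the compiled-in default "2,1" (OpenSSH 3.4, per this thread's era).

# Print the effective Protocol value of the config read from stdin.
effective_protocol() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) == "protocol" && !found {   # first directive wins
            found = 1; val = $2
        }
        END { print (found ? val : "2,1") }     # assumed default
    '
}

# Return 0 if protocol 1 is enabled in the config read from stdin.
protocol1_enabled() {
    case ",$(effective_protocol)," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print a one-line verdict; $1 is a label, stdin is the config text.
audit() {
    p=$(effective_protocol)
    case ",$p," in
        *,1,*) echo "$1: Protocol $p -> SSH-1 still enabled" ;;
        *)     echo "$1: Protocol $p -> SSH-2 only" ;;
    esac
}

# Constructed samples: the contested default beside the hardened form.
DEFAULT_CONF='# constructed sample, mirrors the default under discussion
Protocol 2,1
PermitRootLogin no'
HARDENED_CONF='# constructed sample after the one-line change
Protocol 2
PermitRootLogin no'

printf '%s\n' "$DEFAULT_CONF"  | audit sshd_config.default
printf '%s\n' "$HARDENED_CONF" | audit sshd_config.hardened
```

Run the same functions against ssh_config to cover the client side, since the thread's change touches both files.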