Date: Thu, 1 Aug 2002 08:27:58 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <security@FreeBSD.ORG>
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020801081645.T19455-100000@blues.jpj.net>
In-Reply-To: <xzpit2u22vx.fsf@flood.ping.uio.no>
Dag-Erling Smorgrav wrote:

> Trevor Johnson <trevor@jpj.net> writes:
> > Removing a weakness in security is not an arbitrary change. It is the
> > type of change that is suitable for FreeBSD -STABLE in spite of
> > inconvenience to users, and making one-line changes to two files is only a
> > mild inconvenience.
>
> So make that change on your own systems.

This is the section of http://www.openbsd.org/security.html#default which I
had hoped you would read:

    To ensure that novice users of OpenBSD do not need to become security
    experts overnight (a viewpoint which other vendors seem to have), we ship
    the operating system in a Secure by Default mode. All non-essential
    services are disabled. As the user/administrator becomes more familiar
    with the system, he will discover that he has to enable daemons and other
    parts of the system. During the process of learning how to enable a new
    service, the novice is more likely to learn of security considerations.

    This is in stark contrast to the increasing number of systems that ship
    with NFS, mountd, web servers, and various other services enabled by
    default, creating instantaneous security problems for their users within
    minutes after their first install.

In enabling protocol version 1 by default, you have created a security
problem for new users of FreeBSD. If they become aware of the problem, they
can reconfigure their systems as you advise me to do. It is better for users
to choose to diminish their security when they need a service.
--
Trevor Johnson
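An added example, not part of Trevor Johnson's message and not FreeBSD or OpenSSH code. The message speaks of "one-line changes to two files" without naming them; the assumption here is that these are the `Protocol` directive in ssh_config and sshd_config. The checker below reads configuration text in sshd_config syntax and reports whether protocol 1 is permitted, covering the case the thread is really about: a file with no `Protocol` line at all, where the compiled-in default decides (assumed here to be `2,1`, the OpenSSH 3.x default). The sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not from the message). The directive
# names are real OpenSSH ones; the file contents are made up.
SSHD_CONFIG_WEAK = """\
# sshd_config (constructed): protocol 1 still offered
Port 22
#Protocol 2
Protocol 2,1
PermitRootLogin no
"""

SSHD_CONFIG_HARDENED = """\
# sshd_config (constructed): the one-line fix the message refers to
Port 22
Protocol 2
PermitRootLogin no
"""

SSHD_CONFIG_SILENT = """\
# sshd_config (constructed): no Protocol line, so the built-in default applies
Port 22
PermitRootLogin no
"""

# Assumption: OpenSSH 3.x used "2,1" when the directive was absent, i.e. it
# preferred protocol 2 but still accepted protocol 1 connections.
IMPLICIT_DEFAULT = "2,1"

_PROTOCOL_LINE = re.compile(r"^protocol\s+(\S+)", re.IGNORECASE)


def effective_protocol(config_text: str, default: str = IMPLICIT_DEFAULT) -> str:
    """Return the Protocol value OpenSSH would act on.

    OpenSSH honours the first occurrence of a keyword and ignores comment
    lines, so a commented-out '#Protocol 2' counts for nothing.  When no
    live Protocol line exists the compiled-in default is returned.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PROTOCOL_LINE.match(line)
        if match:
            return match.group(1)
    return default


def allows_protocol_1(config_text: str, default: str = IMPLICIT_DEFAULT) -> bool:
    """True if protocol version 1 is enabled, explicitly or by default."""
    versions = {v.strip() for v in effective_protocol(config_text, default).split(",")}
    return "1" in versions


def audit(name: str, config_text: str) -> str:
    """One-line finding per file, suitable for a configuration review."""
    value = effective_protocol(config_text)
    explicit = value != IMPLICIT_DEFAULT or "Protocol" in config_text
    source = "explicit" if explicit else "implicit default"
    status = "WEAK" if allows_protocol_1(config_text) else "ok"
    return f"{name}: Protocol {value} ({source}) -> {status}"


if __name__ == "__main__":
    for name, text in [
        ("weak", SSHD_CONFIG_WEAK),
        ("hardened", SSHD_CONFIG_HARDENED),
        ("silent", SSHD_CONFIG_SILENT),
    ]:
        print(audit(name, text))
```

The "silent" case is the one that makes a vendor default matter: an administrator who never touches the file inherits whatever the shipped default is, which is exactly the secure-by-default argument the quoted OpenBSD text makes.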