On Mon 2016-08-15 18:42:01 -0700, Matt Taggart wrote:
> There is an old upstream issue #20
> http://cmrg.fifthhorseman.net/ticket/20
> to have a way to enable the network and ssh by default.
>
> I would still like this and in addition to the good ideas mentioned there I
> think it would be nice if the ssh host key fingerprints were added to
> /etc/motd (or something similar).
>
> Also, even if network and ssh aren't enabled by default in the example
> shipped profiles, what do you think about adding ssh to the package list?
> (and then at least you could start them by hand)

This seems like several different questions:

 (a) do we want to have the network enabled by default on the rescue
     image?

 (b) do we want to install openssh-client?

 (c) do we want to install openssh-server?

Here's my thinking on those:

 (a) i don't think we should enable the network by default in the rescue
     image.  It should be something that can be safely used for
     forensics, and opening the device to the network seems like it's
     asking for trouble.

 (b) i don't have any objection to adding openssh-client to the default
     rescue installation.  It provides useful utilities for dealing with
     keys in discovered/rescued filesystems, as well as for extracting
     and exporting recovered data.

 (c) I'm more reluctant about shipping openssh-server enabled by
     default, for the same sort of forensics concerns i have in (a).  So
     perhaps we could ship it, but have the service disabled by default,
     so the local admin would need to do:

        systemctl start ssh

     explicitly before it ran?  I'm unsure what the right way to do that
     is.  do we touch /etc/ssh/sshd_not_to_be_run ?  do we run
     "systemctl disable ssh" from a debirf module?  something else?

Suggestions welcome,

--dkg
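
The following is an added example, not part of the message above and not debirf code: a check that inspects an unpacked rescue root and reports whether sshd would start at boot, covering the two mechanisms the message asks about. The function name `ssh_boot_state` is hypothetical, and the paths assume the systemd layout of Debian's openssh-server package, whose ssh.service carries `ConditionPathExists=!/etc/ssh/sshd_not_to_be_run`.

```shell
#!/bin/sh
# Added example (not debirf code). Paths assume Debian's openssh-server
# systemd layout; ssh_boot_state is a hypothetical helper name.
#
# ssh_boot_state ROOT
#   prints one of: masked | flagged-off | enabled | not-enabled
ssh_boot_state() {
    root=$1
    sysd="$root/etc/systemd/system"

    # A unit symlinked to /dev/null is masked: neither boot nor a manual
    # "systemctl start ssh" will run it until it is unmasked.
    if [ "$(readlink "$sysd/ssh.service" 2>/dev/null)" = "/dev/null" ]; then
        echo masked
        return 0
    fi

    # Flag file: the unit's ConditionPathExists fails, so the service is
    # skipped at boot AND on a manual start until the file is removed.
    if [ -e "$root/etc/ssh/sshd_not_to_be_run" ]; then
        echo flagged-off
        return 0
    fi

    # "systemctl enable" leaves wants-symlinks; "systemctl disable" removes
    # them. Test with -L because the links point at absolute paths that
    # dangle when the tree is inspected from outside a chroot.
    for link in \
        "$sysd/multi-user.target.wants/ssh.service" \
        "$sysd/sockets.target.wants/ssh.socket"
    do
        if [ -L "$link" ] || [ -e "$link" ]; then
            echo enabled
            return 0
        fi
    done

    # Installed (or absent) but not wired into any boot target:
    # "systemctl start ssh" is the only way it runs.
    echo not-enabled
}

# Usage: sh this-script /path/to/unpacked/root
if [ $# -gt 0 ]; then
    ssh_boot_state "$1"
fi
```

Only the `not-enabled` state matches the workflow described in (c), where a bare `systemctl start ssh` is enough; with the flag file in place the admin has to delete it first.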

