(I apologize in advance for my harsh tone, I truly mean no offense. I'm just, for whatever reason, pretty hell-bent, as Rob says, about this. ;) )
David Burgess wrote:
>> No offense, but this is what learning how openssh-server works is all
>> about.
>>
>
> I'm not sure what you mean by that. Certainly not everyone enjoys
> seeing how every config file works. Some admins and I'd say the vast
> majority of users just want things to work. To repeat an analogy I
> heard recently, some people train horses and some people ride them.
> Maybe you do both, but not everybody does, and not everybody wants to.
>

IMHO, if you're competent enough to understand your own reasoning with wanting this specific configuration, you'll be competent enough to read a manpage and make some simple alterations to a config file. And, if you're not up to that, maybe you shouldn't be in the saddle in the first place.

> Sure, but this setup doesn't prevent h4xorz in the far east from
> breaking into my server on 13-year-old Kevin's account using his weak
> password. I really couldn't care less if my clients access the server
> on port 22 and my admins access it remotely on port 22, so long as my
> clients' access is limited to the local interface. Show me how to
> disable password authentication on the WAN interface, or how to apply
> the AllowUsers option to only the WAN interface and I'll drop my case.
>

**Like I said, run 2 instances of sshd, the second being with a -f /path/to/secondary/config. Done. Problem solved. This is simple *nix sysadmin stuff here.

> The fact remains, and I don't see you acknowledging this fact yet,
> that many ltsp admins need ssh for two very different things: thin
> client access and remote admin access. At present, the only way to
> provide for these two needs simultaneously and securely is to run 2
> instances of ssh on 2 different ports using 2 different config files.
> This can be done, but frankly it's just not simple enough.
>

Not simple enough? You're installing and maintaining a Linux thin-client environment, using ssh for administration, and you're complaining about editing a configuration file not being simple enough?

> As I've pointed out, ltsp is an alternate use of ssh, and as Rob
> pointed out, ltsp requires that ssh be configured in a way that is
> simply unacceptable for traditional use, i.e., remote (open) access.
> And I disagree with your argument that no sane maintainer would
> maintain an alternate configuration. Taken to its logical extreme,
> your argument says that no sane maintainer would work on Ubuntu when
> there is already Debian, or Debian when there is Red Hat, or Red Hat
> when there is Windows, or Windows when there is a typewriter and
> calculator.
>

I'm not even sure how to respond to that. Seriously, I've sat here about 3 minutes trying to formulate a response, but... wow.

> I appreciate what package maintainers do. Every time I install or
> upgrade Ubuntu at home I have to go to Brother's web site, download
> the (multiple) .deb drivers for my printer, install them with a bunch
> of command-line overrides, then run a bunch of other ubuntu-specific
> fixups to make said drivers work with my system. It's a pain in the
> arse, but I don't complain to Brother, because how many printer
> manufacturers provide GPL drivers? But thank heaven for Saïvann
> Carignan who created an ubuntu package called
> brother-cups-wrapper-extra. Thanks to his work and others, getting my
> printer to work on a fresh install now takes 30 seconds instead of 30
> minutes. He didn't give my printer drivers any functionality that they
> didn't already have, he just gave me and every other Ubuntu-Brother
> owner an alternate configuration, a really handy time and
> sanity-saving tool for making them work.
>

So why bug LTSP developers about something you want in openssh-server? I'm sure there are *plenty* of cases NOT involving LTSP that warrant people wanting multiple sshd configurations simultaneously. You're kinda barking up the wrong tree here. Why change the spark plugs when the carbs are clogged?

> I'm not criticising the ltsp team. I love what they provide. And I'm
> not asking anybody--I hope--to change the way your ssh server or ltsp
> server operates. I simply think it would be a boon to the project to
> remove some of the pain in creating what I suspect would be a fairly
> popular scenario among ltsp admins and facilitate the ability to
> access the server remotely without compromising the very good security
> provided by the OpenSSH server.
>

LTSP doesn't compromise the security of openssh-server by simply utilizing its facilities for a specific purpose. You're compromising the security of openssh-server by:

1) Using weak passwords
2) Opening a remote login service to the Internet as a whole and not, at the very least, limiting access on a per-IP basis
3) Using an overly complex solution to a simple problem

See ** for your solution. LTSP doesn't need a patch for this.

- Jordan
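A concrete form of the two-instance setup Jordan proposes, as an added example that is not part of the thread: a POSIX shell script that writes one sshd_config for the thin-client interface (passwords allowed, never reachable from the WAN) and one key-only, allow-listed config for the WAN interface. The addresses, user names and PidFile paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ltsp-discuss thread): two sshd_config files for
# running two sshd instances, one per interface, both on port 22.
# All addresses, user names and paths below are constructed placeholders.

LAN_ADDR="${LAN_ADDR:-192.168.0.254}"    # interface the thin clients boot from
WAN_ADDR="${WAN_ADDR:-203.0.113.10}"     # public interface (placeholder address)
ADMIN_USERS="${ADMIN_USERS:-alice bob}"  # the only accounts allowed from the WAN

# Thin-client instance: password logins stay enabled because this daemon
# binds only to the LAN address, so "13-year-old Kevin" is never exposed.
write_ltsp_config() {
    cat > "$1" <<EOF
# sshd instance for LTSP thin clients (local interface only)
Port 22
ListenAddress ${LAN_ADDR}
PasswordAuthentication yes
PidFile /var/run/sshd-ltsp.pid
EOF
}

# Admin instance: keys only, explicit user allow-list, bound to the WAN address.
write_admin_config() {
    cat > "$1" <<EOF
# sshd instance for remote administration (WAN interface only)
Port 22
ListenAddress ${WAN_ADDR}
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers ${ADMIN_USERS}
PidFile /var/run/sshd-admin.pid
EOF
}

# Cheap consistency check that needs no running sshd: the WAN instance must
# refuse passwords and carry an AllowUsers list, and the two daemons must not
# share a PidFile (the second would otherwise clobber the first's).
check_configs() {
    ltsp="$1"; admin="$2"
    grep -q '^PasswordAuthentication no$' "$admin" || return 1
    grep -q '^AllowUsers ' "$admin" || return 1
    [ "$(grep '^PidFile' "$ltsp")" != "$(grep '^PidFile' "$admin")" ] || return 1
    return 0
}

# Running the script directly writes both files to a scratch directory.
OUT="${OUT:-$(mktemp -d)}"
write_ltsp_config "$OUT/sshd_ltsp_config"
write_admin_config "$OUT/sshd_admin_config"
check_configs "$OUT/sshd_ltsp_config" "$OUT/sshd_admin_config" && echo "configs written to $OUT"
```

Validate each file with `sshd -t -f <file>` and start the second daemon with `sshd -f <file>`; binding each instance to its own ListenAddress is what lets both stay on port 22.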
