Gentoo Archives: gentoo-user

From: Gevisz <gevisz@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Do I really need a sshd?
Date: Sat, 04 Jan 2014 15:33:34
Message-Id: 52c829c5.03670e0a.5172.210b@mx.google.com
In Reply to: Re: [gentoo-user] Do I really need a sshd? by Alan McKinnon
On Sat, 04 Jan 2014 17:15:22 +0200
Alan McKinnon <alan.mckinnon@×××××.com> wrote:

> On 04/01/2014 15:57, Gevisz wrote:
> > On Sat, 04 Jan 2014 12:49:42 +0200
> > Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> >
> >> On 04/01/2014 12:24, Gevisz wrote:
> >>>
> >>> After today's update of the world, emerge printed the following
> >>> message:
> >>>
> >>> * Messages for package net-misc/openssh-6.4_p1-r1:
> >>> * dev-libs/openssl was built with 'bindist' - disabling ecdsa support
> >>> * Remember to merge your config files in /etc/ssh/ and then
> >>> * reload sshd: '/etc/init.d/sshd reload'.
> >>>
> >>> That was quite a surprise for me, as I never installed (open)ssh
> >>> and it is not in my world.
> >>>
> >>> After the following query:
> >>>
> >>> # equery depends --indirect openssh
> >>>
> >>> I have got the following:
> >>>
> >>> * These packages depend on openssh:
> >>> gnome-base/gvfs-1.16.4 (net-misc/openssh)
> >>> app-cdr/brasero-3.8.0 (gnome-base/gvfs)
> >>> media-gfx/gthumb-3.2.4 (cdr ? >=app-cdr/brasero-3.2)
> >>> app-editors/gedit-3.8.3 (gnome-base/gvfs)
> >>> gnome-base/nautilus-3.8.2 (>=gnome-base/gvfs-1.14[gtk])
> >>> app-cdr/brasero-3.8.0 (nautilus ? >=gnome-base/nautilus-2.91.90)
> >>> app-text/evince-3.8.3 (nautilus ? >=gnome-base/nautilus-2.91.4[introspection?])
> >>> gnome-extra/sushi-3.8.1 (>=app-text/evince-3.0[introspection])
> >>> gnome-base/nautilus-3.8.2 (previewer ? >=gnome-extra/sushi-0.1.9)
> >>> gnome-extra/sushi-3.8.1 (>=gnome-base/nautilus-3.1.90)
> >>> media-gfx/gimp-2.8.6 (gnome ? gnome-base/gvfs)
> >>> app-doc/gimp-help-2.6.1 (>=media-gfx/gimp-2.4)
> >>> media-gfx/dcraw-9.10 (gimp ? media-gfx/gimp)
> >>> media-gfx/gthumb-3.2.4 (!raw ? media-gfx/dcraw)
> >>> xfce-base/thunar-1.6.2 (dbus ? >=gnome-base/gvfs-1.10.1) (udev ? >=gnome-base/gvfs-1.10.1[udisks,udev]) (udev ? >=gnome-base/gvfs-1.10.1[gdu,udev]) (xfce_plugins_trash ? >=gnome-base/gvfs-1.10.1)
> >>> xfce-base/xfdesktop-4.10.2 (thunar ? >=xfce-base/thunar-1.6[dbus])
> >>> xfce-base/xfce4-meta-4.10 (>=xfce-base/xfdesktop-4.10)
> >>> virtual/ssh-0 (minimal ? net-misc/openssh) (!minimal ? net-misc/openssh)
> >>>
> >>> Inspecting my /etc/conf.d and /etc/init.d directories,
> >>> I have found sshd files in both of them.
> >>>
> >>> So, my main question is as follows:
> >>>
> >>> Do I really need (open)sshd and, if not, how can I properly disable
> >>> (open)sshd on my Gentoo box?
> >>
> >> If you have gvfs, you will have openssh, presumably so you can
> >> access remote files over ssh.
> >>
> >> Why do you want to disable the daemon? Just don't run it.
> >
> > As I have just found out by running "rc-update show", sshd does not
> > run.
> > So, in this respect everything is ok, thank you. :)
> >
> >> openssh is extremely useful for many reasons, you really don't
> >> want to not have it. The package has the client and daemons, just
> >> don't run the sshd daemon
> >>
> >>>
> >>> I guess that one of the ways to disable (open)sshd is to make the
> >>> /etc/init.d/sshd file unexecutable, but is it a clean way to do
> >>> so?
> >>
> >> No, that's dumb. It gets reset every time openssh is updated.
> >>
> >> Just don't run it. It doesn't magically start by itself. If it's
> >> security you are worried about, there are 100s of packages much
> >> more troublesome, openssh is not something you should be worried
> >> about wrt security. Just don't run the daemon.
> >
> > Yes, I was worried because of the security reasons.
> >
> >>> Maybe it is relevant to this question that, in the future,
> >>> I am going to employ the distributed compiling feature for
> >>> this and another Gentoo box on the same local network.
> >>
> >> Not relevant. distcc has its own listening daemon and doesn't
> >> use ssh for file transfer
> >
> > Ok, thank you.
> >
> >>> My additional question is as follows:
> >>>
> >>> What am I supposed to do in response to the "merge your config
> >>> files in /etc/ssh/" message above?
> >>
> >> etc-update or conf-update or similar
> >
> > I was afraid to run etc-update as the man page says it will replace
> > everything automatically. However, I ran dispatch-conf and it does
> > not see any problems in /etc/ssh, which has only the following
> > three files: moduli, ssh_config, sshd_config (though I have
> > added /etc/ssh to CONFIG_PROTECT_MASK).
> >
> > Actually, I also do not see any problems with this and do not
> > understand how I can "merge" them.
> >
> > Why, on Earth, have I got that "merge your config files
> > in /etc/ssh/" message from net-misc/openssh-6.4_p1-r1, then?
> >
> >> The ebuild has a dumbass elog() statement in it which you don't
> >> really need to be there, as you should be running conf-update
> >> anyway after every emerge right?
> >
> > Till now, I have always updated my configs manually using gvimdiff
> > and knew nothing about the conf-update, etc-update or dispatch-conf
> > tools. conf-update has not even been installed on my system.
> > Do you think I should try it?
>
>
> All the questions you are asking are basic Gentoo questions, answered
> in the docs. Gentoo provides these tools such as etc-update and
> rc-update to make your life easier. You should familiarize yourself
> with them:
>
> http://www.gentoo.org/doc/en/handbook/
> https://wiki.gentoo.org/wiki/Project:Documentation/Overview
>
>
>
> As for that elog message at the end of the merge, like I already said
> it's a stupid dumbass message that could be much more useful but
> isn't. From the ebuild:
>
> pkg_postinst() {
>     ...
>     ewarn "Remember to merge your config files in /etc/ssh/ and then"
>     ewarn "reload sshd: '/etc/init.d/sshd reload'."
>     ...
> }
>
> So it always gets printed blindly, there's no check to see if it's
> actually needed or not, and it's very badly worded.

Thank you, now it is clear.

> You should use one of the update tools in portage, they make life so
> much easier. There's no sensible reason to fiddle with configs in vim
> when an automated tool is there and can do all the heavy lifting for
> you
>
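An added check script, not from this thread, that answers the two questions raised in it without guessing: whether sshd is enabled in any OpenRC runlevel (`rc-update show`), and whether portage actually left pending config updates in a CONFIG_PROTECT directory such as /etc/ssh for etc-update or dispatch-conf to merge. Portage's `._cfg0000_<name>` naming is real; the functions take the rc-update output and the directory as input so they can be exercised against constructed data.

```shell
#!/bin/sh
# Added example: offline-checkable helpers for "is sshd enabled?" and
# "is there anything in /etc/ssh to merge?".

# Read the text of `rc-update show` on stdin and print the runlevels
# that start sshd. A service added to no runlevel does not appear in
# the listing at all, so empty output means sshd is not enabled.
sshd_runlevels() {
    awk -F'|' '$1 ~ /^[[:space:]]*sshd[[:space:]]*$/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# List config files in a CONFIG_PROTECT directory that have a pending
# update. Portage writes the new version beside the live file as
# ._cfg0000_<name> (0001, 0002 ... if several pile up); these are what
# etc-update / dispatch-conf merge. No such files means nothing to merge,
# which is the situation the poster above found in /etc/ssh.
pending_cfg_updates() {
    dir=$1
    for f in "$dir"/._cfg[0-9][0-9][0-9][0-9]_*; do
        [ -e "$f" ] || continue        # unmatched glob stays literal
        printf '%s\n' "${f##*/._cfg????_}"
    done
}

# Show only what would change if the pending copy of one file were
# accepted, so a setting such as PermitRootLogin can be reviewed before
# the merge. Returns 1 when the file has no pending update.
cfg_diff() {
    dir=$1; name=$2
    pending=$(ls "$dir"/._cfg[0-9][0-9][0-9][0-9]_"$name" 2>/dev/null | head -n 1)
    [ -n "$pending" ] || return 1
    diff -u "$dir/$name" "$pending"
}

# Typical use on a live box (source this file first):
#   rc-update show | sshd_runlevels
#   pending_cfg_updates /etc/ssh
#   cfg_diff /etc/ssh sshd_config
```

Unlike making /etc/init.d/sshd non-executable, neither check modifies anything: the first confirms the daemon is simply not added to a runlevel, the second shows whether the ewarn from pkg_postinst actually applies.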