| 1 |
On Sat, 04 Jan 2014 12:49:42 +0200 |
| 2 |
Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 3 |
|
| 4 |
> On 04/01/2014 12:24, Gevisz wrote: |
| 5 |
> > |
| 6 |
> > After today's update of the world, emerge printed the following |
| 7 |
> > message: |
| 8 |
> > |
| 9 |
> > * Messages for package net-misc/openssh-6.4_p1-r1: |
| 10 |
> > * dev-libs/openssl was built with 'bindist' - disabling ecdsa |
| 11 |
> > support |
| 12 |
> > * Remember to merge your config files in /etc/ssh/ and then |
| 13 |
> > * reload sshd: '/etc/init.d/sshd reload'. |
| 14 |
> > |
| 15 |
> > That was quite a surprise for me, as I never installed (open)ssh |
| 16 |
> > and it is not in my world. |
| 17 |
> > |
| 18 |
> > After the following query: |
| 19 |
> > |
| 20 |
> > # equery depends --indirect openssh |
| 21 |
> > |
| 22 |
> > I have got the following: |
| 23 |
> > |
| 24 |
> > * These packages depend on openssh: |
| 25 |
> > gnome-base/gvfs-1.16.4 (net-misc/openssh) |
| 26 |
> > app-cdr/brasero-3.8.0 (gnome-base/gvfs) |
| 27 |
> > media-gfx/gthumb-3.2.4 (cdr ? >=app-cdr/brasero-3.2) |
| 28 |
> > app-editors/gedit-3.8.3 (gnome-base/gvfs) |
| 29 |
> > gnome-base/nautilus-3.8.2 (>=gnome-base/gvfs-1.14[gtk]) |
| 30 |
> > app-cdr/brasero-3.8.0 (nautilus ? >=gnome-base/nautilus-2.91.90) |
| 31 |
> > app-text/evince-3.8.3 (nautilus ? |
| 32 |
> > >=gnome-base/nautilus-2.91.4[introspection?]) |
| 33 |
> > gnome-extra/sushi-3.8.1 (>=app-text/evince-3.0[introspection]) |
| 34 |
> > gnome-base/nautilus-3.8.2 (previewer ? >=gnome-extra/sushi-0.1.9) |
| 35 |
> > gnome-extra/sushi-3.8.1 (>=gnome-base/nautilus-3.1.90) |
| 36 |
> > media-gfx/gimp-2.8.6 (gnome ? gnome-base/gvfs) |
| 37 |
> > app-doc/gimp-help-2.6.1 (>=media-gfx/gimp-2.4) |
| 38 |
> > media-gfx/dcraw-9.10 (gimp ? media-gfx/gimp) media-gfx/gthumb-3.2.4 |
| 39 |
> > (!raw ? media-gfx/dcraw) xfce-base/thunar-1.6.2 (dbus ? |
| 40 |
> > >=gnome-base/gvfs-1.10.1) (udev ? |
| 41 |
> > >=gnome-base/gvfs-1.10.1[udisks,udev]) (udev ? |
| 42 |
> > >=gnome-base/gvfs-1.10.1[gdu,udev]) (xfce_plugins_trash ? |
| 43 |
> > >=gnome-base/gvfs-1.10.1) xfce-base/xfdesktop-4.10.2 (thunar ? |
| 44 |
> > >=xfce-base/thunar-1.6[dbus]) xfce-base/xfce4-meta-4.10 |
| 45 |
> > (>=xfce-base/xfdesktop-4.10) virtual/ssh-0 (minimal ? |
| 46 |
> > net-misc/openssh) (!minimal ? net-misc/openssh) |
| 47 |
> > |
| 48 |
> > Inspecting my /etc/conf.d and /etc/init.d directories, |
| 49 |
> > I have found sshd files in both of them. |
| 50 |
> > |
| 51 |
> > So, my main question is as follows: |
| 52 |
> > |
| 53 |
> > Do I really need (open)sshd and, if no, how can I properly disable |
| 54 |
> > (open)sshd in my Gentoo box? |
| 55 |
> |
| 56 |
> If you have gvfs, you will have openssh, presumably so you can access |
| 57 |
> remote files over ssh. |
| 58 |
> |
| 59 |
> Why do you want to disable the daemon? Just don't run it. |
| 60 |
|
| 61 |
As, I have just found out by running "rc-update show", sshd does not |
| 62 |
run. |
| 63 |
So, in this respect everything is ok, thank you. :) |
| 64 |
|
| 65 |
> openssh is extremely useful for many reasons, you really don't want to |
| 66 |
> not have it. The package has the client and daemons, just don;t run |
| 67 |
> the sshd daemon |
| 68 |
> |
| 69 |
> > |
| 70 |
> > I guess that one of the ways to disable (open)sshd is to make |
| 71 |
> > /etc/init.d/sshd file unexacutable, but is it a clean way to do so? |
| 72 |
> |
| 73 |
> No, that's dumb. It gets reset every time openssh is updated. |
| 74 |
> |
| 75 |
> Just don't run it. It doesn't magically start by itself. If it's |
| 76 |
> security you are worried about, there are 100s of packages much more |
| 77 |
> troublesome, openssh is not something you should be worried about wrt |
| 78 |
> security. Just don't run the daemon. |
| 79 |
|
| 80 |
Yes, I was worried because of the security reasons. |
| 81 |
|
| 82 |
> > May be, it is relevant to this question that, in the future, |
| 83 |
> > I am going to employ the distributed compiling feature for |
| 84 |
> > this and another Gentoo box on the same local network. |
| 85 |
> |
| 86 |
> Not relevant. distcc has it's own listening daemon and doesn't |
| 87 |
> use ssh for file transfer |
| 88 |
|
| 89 |
Ok, thank you. |
| 90 |
|
| 91 |
> > The additional my question is as follows: |
| 92 |
> > |
| 93 |
> > What I am supposed to do in response to the "merge your config files |
| 94 |
> > in /etc/ssh/" message above? |
| 95 |
> |
| 96 |
> etc-update or conf-update or similar |
| 97 |
|
| 98 |
I was afraid to run etc-update as man says it will replace everything |
| 99 |
automatically. However, I run dispatch-conf and it does not see any |
| 100 |
problems at /etc/ssh, which have only the following three files: |
| 101 |
moduli, ssh_config, sshd_config (though I have added /etc/ssh to |
| 102 |
CONFIG_PROTECT_MASK). |
| 103 |
|
| 104 |
Actually, I also do not see any problems with this and do not understand |
| 105 |
how I can "merge" them. |
| 106 |
|
| 107 |
Why, on Earth, I have got that "merge your config files in /etc/ssh/" |
| 108 |
message from net-misc/openssh-6.4_p1-r1, then? |
| 109 |
|
| 110 |
> The ebuild has a dumbass elog() statement in it which you don't really |
| 111 |
> need to be there, as you should be running conf-update anyway after |
| 112 |
> every emerge right? |
| 113 |
|
| 114 |
Till now, I have always updated my configs manually using gvimdiff and |
| 115 |
did know nothing about conf-update, etc-update or dispatch-conf tools. |
| 116 |
The conf-update even have not been installed on my system. Do you think |
| 117 |
I should try it? |
Archives