On 04/01/2014 15:57, Gevisz wrote:
> On Sat, 04 Jan 2014 12:49:42 +0200
> Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>
>> On 04/01/2014 12:24, Gevisz wrote:
>>>
>>> After today's update of the world, emerge printed the following
>>> message:
>>>
>>> * Messages for package net-misc/openssh-6.4_p1-r1:
>>> * dev-libs/openssl was built with 'bindist' - disabling ecdsa
>>> support
>>> * Remember to merge your config files in /etc/ssh/ and then
>>> * reload sshd: '/etc/init.d/sshd reload'.
>>>
>>> That was quite a surprise for me, as I never installed (open)ssh
>>> and it is not in my world.
>>>
>>> After the following query:
>>>
>>> # equery depends --indirect openssh
>>>
>>> I have got the following:
>>>
>>> * These packages depend on openssh:
>>> gnome-base/gvfs-1.16.4 (net-misc/openssh)
>>> app-cdr/brasero-3.8.0 (gnome-base/gvfs)
>>> media-gfx/gthumb-3.2.4 (cdr ? >=app-cdr/brasero-3.2)
>>> app-editors/gedit-3.8.3 (gnome-base/gvfs)
>>> gnome-base/nautilus-3.8.2 (>=gnome-base/gvfs-1.14[gtk])
>>> app-cdr/brasero-3.8.0 (nautilus ? >=gnome-base/nautilus-2.91.90)
>>> app-text/evince-3.8.3 (nautilus ?
>>> >=gnome-base/nautilus-2.91.4[introspection?])
>>> gnome-extra/sushi-3.8.1 (>=app-text/evince-3.0[introspection])
>>> gnome-base/nautilus-3.8.2 (previewer ? >=gnome-extra/sushi-0.1.9)
>>> gnome-extra/sushi-3.8.1 (>=gnome-base/nautilus-3.1.90)
>>> media-gfx/gimp-2.8.6 (gnome ? gnome-base/gvfs)
>>> app-doc/gimp-help-2.6.1 (>=media-gfx/gimp-2.4)
>>> media-gfx/dcraw-9.10 (gimp ? media-gfx/gimp) media-gfx/gthumb-3.2.4
>>> (!raw ? media-gfx/dcraw) xfce-base/thunar-1.6.2 (dbus ?
>>> >=gnome-base/gvfs-1.10.1) (udev ?
>>> >=gnome-base/gvfs-1.10.1[udisks,udev]) (udev ?
>>> >=gnome-base/gvfs-1.10.1[gdu,udev]) (xfce_plugins_trash ?
>>> >=gnome-base/gvfs-1.10.1) xfce-base/xfdesktop-4.10.2 (thunar ?
>>> >=xfce-base/thunar-1.6[dbus]) xfce-base/xfce4-meta-4.10
>>> (>=xfce-base/xfdesktop-4.10) virtual/ssh-0 (minimal ?
>>> net-misc/openssh) (!minimal ? net-misc/openssh)
>>>
>>> Inspecting my /etc/conf.d and /etc/init.d directories,
>>> I have found sshd files in both of them.
>>>
>>> So, my main question is as follows:
>>>
>>> Do I really need (open)sshd and, if not, how can I properly disable
>>> (open)sshd in my Gentoo box?
>>
>> If you have gvfs, you will have openssh, presumably so you can access
>> remote files over ssh.
>>
>> Why do you want to disable the daemon? Just don't run it.
>
> As I have just found out by running "rc-update show", sshd does not
> run.
> So, in this respect everything is ok, thank you. :)
>
>> openssh is extremely useful for many reasons, you really don't want to
>> not have it. The package has the client and daemons, just don't run
>> the sshd daemon
>>
>>>
>>> I guess that one of the ways to disable (open)sshd is to make
>>> /etc/init.d/sshd file unexecutable, but is it a clean way to do so?
>>
>> No, that's dumb. It gets reset every time openssh is updated.
>>
>> Just don't run it. It doesn't magically start by itself. If it's
>> security you are worried about, there are 100s of packages much more
>> troublesome, openssh is not something you should be worried about wrt
>> security. Just don't run the daemon.
>
> Yes, I was worried because of the security reasons.
>
>>> Maybe it is relevant to this question that, in the future,
>>> I am going to employ the distributed compiling feature for
>>> this and another Gentoo box on the same local network.
>>
>> Not relevant. distcc has its own listening daemon and doesn't
>> use ssh for file transfer
>
> Ok, thank you.
>
>>> My additional question is as follows:
>>>
>>> What am I supposed to do in response to the "merge your config files
>>> in /etc/ssh/" message above?
>>
>> etc-update or conf-update or similar
>
> I was afraid to run etc-update as man says it will replace everything
> automatically. However, I ran dispatch-conf and it does not see any
> problems at /etc/ssh, which has only the following three files:
> moduli, ssh_config, sshd_config (though I have added /etc/ssh to
> CONFIG_PROTECT_MASK).
>
> Actually, I also do not see any problems with this and do not understand
> how I can "merge" them.
>
> Why on Earth have I got that "merge your config files in /etc/ssh/"
> message from net-misc/openssh-6.4_p1-r1, then?
>
>> The ebuild has a dumbass elog() statement in it which you don't really
>> need to be there, as you should be running conf-update anyway after
>> every emerge right?
>
> Till now, I have always updated my configs manually using gvimdiff and
> knew nothing about the conf-update, etc-update or dispatch-conf tools.
> conf-update has not even been installed on my system. Do you think
> I should try it?

All the questions you are asking are basic Gentoo questions, answered in
the docs. Gentoo provides these tools such as etc-update and rc-update
to make your life easier. You should familiarize yourself with them:

http://www.gentoo.org/doc/en/handbook/
https://wiki.gentoo.org/wiki/Project:Documentation/Overview

As for that elog message at the end of the merge, like I already said
it's a stupid dumbass message that could be much more useful but isn't.
From the ebuild:

pkg_postinst() {
	...
	ewarn "Remember to merge your config files in /etc/ssh/ and then"
	ewarn "reload sshd: '/etc/init.d/sshd reload'."
	...
}

So it always gets printed blindly, there's no check to see if it's
actually needed or not, and it's very badly worded.

You should use one of the update tools in portage, they make life so
much easier. There's no sensible reason to fiddle with configs in vim
when an automated tool is there and can do all the heavy lifting for you.

--
Alan McKinnon
alan.mckinnon@×××××.com
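
Added example (not part of the original message, and not code from Portage or the openssh ebuild): a shell check for the two questions the thread settles by hand, whether /etc/ssh actually has config merges pending and whether sshd is assigned to any runlevel. The function names and sample data are constructed; it assumes Portage's `._cfgNNNN_<name>` naming for pending updates and the `service | runlevels` layout of `rc-update show`.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Print pending Portage config updates under directory $1. For a file covered
# by CONFIG_PROTECT, Portage writes the new version beside it as
# ._cfgNNNN_<name> instead of overwriting it. Paths listed in
# CONFIG_PROTECT_MASK are overwritten directly and never produce these files.
pending_configs() {
    find "$1" -type f -name '._cfg[0-9][0-9][0-9][0-9]_*' 2>/dev/null | sort
}

# Read `rc-update show` output on stdin ("<service> | <runlevel> ...") and
# print each runlevel that service $1 is assigned to; no output means none.
service_runlevels() {
    awk -F'|' -v svc="$1" '
        { name = $1; gsub(/[ \t]/, "", name) }
        name == svc {
            n = split($2, rl, " ")
            for (i = 1; i <= n; i++) print rl[i]
        }'
}

# Constructed sample of `rc-update show` output (not from a real system).
SAMPLE_RC='                local | default nonetwork
             net.eth0 | default
                 udev | sysinit'

# Run both checks on constructed input so the script works on any machine.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/sshd_config"
    : > "$d/._cfg0000_sshd_config"     # constructed pending update
    echo "pending updates:"
    pending_configs "$d"
    rl=$(printf '%s\n' "$SAMPLE_RC" | service_runlevels sshd)
    echo "sshd runlevels: ${rl:-none}"
    rm -rf "$d"
}
demo

# On a Gentoo/OpenRC system:
#   pending_configs /etc/ssh
#   rc-update show | service_runlevels sshd
```

Empty output from `pending_configs /etc/ssh` means there is nothing to merge there, whatever the post-install message says.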