Gentoo Archives: gentoo-user

From: Alan McKinnon <alan.mckinnon@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Do I really need a sshd?
Date: Sat, 04 Jan 2014 15:16:44
Message-Id: 52C8258A.80302@gmail.com
In Reply to: Re: [gentoo-user] Do I really need a sshd? by Gevisz
On 04/01/2014 15:57, Gevisz wrote:
> On Sat, 04 Jan 2014 12:49:42 +0200
> Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>
>> On 04/01/2014 12:24, Gevisz wrote:
>>>
>>> After today's update of the world, emerge printed the following
>>> message:
>>>
>>> * Messages for package net-misc/openssh-6.4_p1-r1:
>>> * dev-libs/openssl was built with 'bindist' - disabling ecdsa
>>> support
>>> * Remember to merge your config files in /etc/ssh/ and then
>>> * reload sshd: '/etc/init.d/sshd reload'.
>>>
>>> That was quite a surprise for me, as I never installed (open)ssh
>>> and it is not in my world.
>>>
>>> After the following query:
>>>
>>> # equery depends --indirect openssh
>>>
>>> I have got the following:
>>>
>>> * These packages depend on openssh:
>>> gnome-base/gvfs-1.16.4 (net-misc/openssh)
>>> app-cdr/brasero-3.8.0 (gnome-base/gvfs)
>>> media-gfx/gthumb-3.2.4 (cdr ? >=app-cdr/brasero-3.2)
>>> app-editors/gedit-3.8.3 (gnome-base/gvfs)
>>> gnome-base/nautilus-3.8.2 (>=gnome-base/gvfs-1.14[gtk])
>>> app-cdr/brasero-3.8.0 (nautilus ? >=gnome-base/nautilus-2.91.90)
>>> app-text/evince-3.8.3 (nautilus ?
>>> >=gnome-base/nautilus-2.91.4[introspection?])
>>> gnome-extra/sushi-3.8.1 (>=app-text/evince-3.0[introspection])
>>> gnome-base/nautilus-3.8.2 (previewer ? >=gnome-extra/sushi-0.1.9)
>>> gnome-extra/sushi-3.8.1 (>=gnome-base/nautilus-3.1.90)
>>> media-gfx/gimp-2.8.6 (gnome ? gnome-base/gvfs)
>>> app-doc/gimp-help-2.6.1 (>=media-gfx/gimp-2.4)
>>> media-gfx/dcraw-9.10 (gimp ? media-gfx/gimp) media-gfx/gthumb-3.2.4
>>> (!raw ? media-gfx/dcraw) xfce-base/thunar-1.6.2 (dbus ?
>>> >=gnome-base/gvfs-1.10.1) (udev ?
>>> >=gnome-base/gvfs-1.10.1[udisks,udev]) (udev ?
>>> >=gnome-base/gvfs-1.10.1[gdu,udev]) (xfce_plugins_trash ?
>>> >=gnome-base/gvfs-1.10.1) xfce-base/xfdesktop-4.10.2 (thunar ?
>>> >=xfce-base/thunar-1.6[dbus]) xfce-base/xfce4-meta-4.10
>>> (>=xfce-base/xfdesktop-4.10) virtual/ssh-0 (minimal ?
>>> net-misc/openssh) (!minimal ? net-misc/openssh)
>>>
>>> Inspecting my /etc/conf.d and /etc/init.d directories,
>>> I have found sshd files in both of them.
>>>
>>> So, my main question is as follows:
>>>
>>> Do I really need (open)sshd and, if no, how can I properly disable
>>> (open)sshd in my Gentoo box?
>>
>> If you have gvfs, you will have openssh, presumably so you can access
>> remote files over ssh.
>>
>> Why do you want to disable the daemon? Just don't run it.
>
> As, I have just found out by running "rc-update show", sshd does not
> run.
> So, in this respect everything is ok, thank you. :)
>
>> openssh is extremely useful for many reasons, you really don't want to
>> not have it. The package has the client and daemons, just don't run
>> the sshd daemon
>>
>>>
>>> I guess that one of the ways to disable (open)sshd is to make
>>> /etc/init.d/sshd file unexecutable, but is it a clean way to do so?
>>
>> No, that's dumb. It gets reset every time openssh is updated.
>>
>> Just don't run it. It doesn't magically start by itself. If it's
>> security you are worried about, there are 100s of packages much more
>> troublesome, openssh is not something you should be worried about wrt
>> security. Just don't run the daemon.
>
> Yes, I was worried because of the security reasons.
>
>>> May be, it is relevant to this question that, in the future,
>>> I am going to employ the distributed compiling feature for
>>> this and another Gentoo box on the same local network.
>>
>> Not relevant. distcc has its own listening daemon and doesn't
>> use ssh for file transfer
>
> Ok, thank you.
>
>>> The additional my question is as follows:
>>>
>>> What I am supposed to do in response to the "merge your config files
>>> in /etc/ssh/" message above?
>>
>> etc-update or conf-update or similar
>
> I was afraid to run etc-update as man says it will replace everything
> automatically. However, I run dispatch-conf and it does not see any
> problems at /etc/ssh, which have only the following three files:
> moduli, ssh_config, sshd_config (though I have added /etc/ssh to
> CONFIG_PROTECT_MASK).
>
> Actually, I also do not see any problems with this and do not understand
> how I can "merge" them.
>
> Why, on Earth, I have got that "merge your config files in /etc/ssh/"
> message from net-misc/openssh-6.4_p1-r1, then?
>
>> The ebuild has a dumbass elog() statement in it which you don't really
>> need to be there, as you should be running conf-update anyway after
>> every emerge right?
>
> Till now, I have always updated my configs manually using gvimdiff and
> did know nothing about conf-update, etc-update or dispatch-conf tools.
> The conf-update even have not been installed on my system. Do you think
> I should try it?


All the questions you are asking are basic Gentoo questions, answered in
the docs. Gentoo provides these tools such as etc-update and rc-update
to make your life easier. You should familiarize yourself with them:

http://www.gentoo.org/doc/en/handbook/
https://wiki.gentoo.org/wiki/Project:Documentation/Overview


As for that elog message at the end of the merge, like I already said
it's a stupid dumbass message that could be much more useful but isn't.
From the ebuild:

pkg_postinst() {
    ...
    ewarn "Remember to merge your config files in /etc/ssh/ and then"
    ewarn "reload sshd: '/etc/init.d/sshd reload'."
    ...
}

So it always gets printed blindly, there's no check to see if it's
actually needed or not, and it's very badly worded.

You should use one of the update tools in portage, they make life so
much easier. There's no sensible reason to fiddle with configs in vim
when an automated tool is there and can do all the heavy lifting for you.

--
Alan McKinnon
alan.mckinnon@×××××.com
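
Added example (not part of the original message and not code from the openssh ebuild): two read-only checks for the points discussed above, whether sshd is assigned to any runlevel and whether Portage has actually left a config update to merge in /etc/ssh. The function names and the sample `rc-update` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Read-only checks only.

# Constructed sample in the layout printed by `rc-update show -v`
# (service | runlevels); a service with no runlevel is not started at boot.
SAMPLE_RC_UPDATE='                dbus | default
               local | default nonetwork
              net.lo | boot
                sshd |'

# Print, one per line, the runlevels a service is assigned to.
# Input: `rc-update show` output on stdin. No output = not in any runlevel.
service_runlevels() {
    awk -F'|' -v svc="$1" '
        { name = $1; gsub(/[ \t]+/, "", name) }
        name == svc { n = split($2, rl, " "); for (i = 1; i <= n; i++) print rl[i] }
    '
}

# Print pending config updates in a directory (default /etc/ssh). Portage
# saves the new version of a CONFIG_PROTECT-ed file beside the old one as
# ._cfgNNNN_<name>; no such file means there is nothing to merge.
pending_cfg_updates() {
    dir=${1:-/etc/ssh}
    for f in "$dir"/._cfg[0-9][0-9][0-9][0-9]_*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# One-line verdict for a service, given `rc-update show` output on stdin.
boot_status() {
    levels=$(service_runlevels "$1" | tr '\n' ' ')
    if [ -n "$levels" ]; then
        echo "$1: enabled in ${levels% }"
    else
        echo "$1: not in any runlevel"
    fi
}

# On a Gentoo/OpenRC box:
#   rc-update show -v | boot_status sshd
#   pending_cfg_updates /etc/ssh
```

If /etc/ssh is listed in CONFIG_PROTECT_MASK, as in the quoted message, Portage overwrites the files directly and never creates a ._cfg file, so the second check will always come back empty there.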