farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Sun Aug 21, 2016 6:04 pm Post subject: [SOLVED] removing ssh |
|
|
I am in no need for ssh, and I would like to completely remove the ssh service. I am also unsure if I am running the ssh client or the ssh server.
When I Code: | emerge -C --ask ssh |
it keeps pulling ssh back in, because it belongs to the base system.
Code: | whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.bz2 |
Code: | whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.bz2 |
Question: how can I make sure ssh gets fully removed from my system, and will not be pulled in by emerge again?
Last edited by farmer.ro on Thu Oct 20, 2016 6:16 am; edited 3 times in total |
|
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
|
|
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Mon Aug 22, 2016 11:06 am Post subject: |
|
|
So I cannot remove unwanted software from my computer? That is bad. |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3509
|
Posted: Mon Aug 22, 2016 1:10 pm Post subject: |
|
|
Reading the reference, it looks to me as if you could remove ssh if you quit using GNOME. I don't know if KDE similarly requires ssh, you'd have to check that. Personally I use icewm and my wife uses xfce. I don't know if the latter requires ssh, but I use it all the time, so I want it installed.
However make sure you put the blame where it is due - presumably GNOME, not Gentoo. (It might be worth checking if ssh is part of @system before I make that statement.) _________________ .sigs waste space and bandwidth |
|
|
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Mon Aug 22, 2016 2:00 pm Post subject: |
|
|
I am using XFCE on Gentoo, and after removing the ssh package, it automatically gets pulled in after updating.
On Debian Jessie, I was using XFCE also, but there I could just Code: | apt-get --purge autoremove ssh | with no problems.
Question: is it even possible to remove the ssh package on XFCE/Gentoo, for example by blacklisting the ssh package in some way? I think I have seen somewhere that it is not advised to remove base parts of the system, because it could possibly break the system. Is that true? |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Aug 22, 2016 2:06 pm Post subject: |
|
|
I'm using headless gentoo, and eix -c --system includes ssh.
For me this is not a problem because it's my means of connecting to pretty much every box I'm not sitting at. |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3509
|
Posted: Mon Aug 22, 2016 2:18 pm Post subject: |
|
|
You realize of course that as long as you don't start sshd, having ssh installed is only a slight waste of disk space, not a security exposure. If someone wanted to phone home and they're on your machine, there are so many ways to do that that having ssh installed is no significant additional exposure. For safety you could also configure /etc/sshd_config in such a way that no one could ever connect to it anyway. Compared to so much software out there these days, the wasted disk space is negligible. _________________ .sigs waste space and bandwidth |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Aug 22, 2016 2:58 pm Post subject: |
|
|
Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.
Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh. |
|
|
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Mon Aug 22, 2016 3:41 pm Post subject: |
|
|
1clue wrote: | Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.
Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh. |
+1 |
|
|
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
|
Posted: Mon Aug 22, 2016 8:35 pm Post subject: |
|
|
1clue wrote: | Gentoo, a distro based on minimalism of requirements and choice of what to install | I would argue that Gentoo isn't about minimalism, but customization.
As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems. If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing. Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files. |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Aug 22, 2016 11:06 pm Post subject: |
|
|
mikegpitt wrote: | 1clue wrote: | Gentoo, a distro based on minimalism of requirements and choice of what to install | I would argue that Gentoo isn't about minimalism, but customization.
As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems. If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing. Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files. |
And if you build a system which has no networking, do you still think you should be required to have an ssh? |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Aug 22, 2016 11:14 pm Post subject: |
|
|
IMO the best customization is minimalism. The less that is required the more flexible the design.
I've been using Gentoo for a long time without having to ever use a custom overlay. While I acknowledge that an overlay would be a workable solution, I simply think it's odd that ssh is a required package on a distro like Gentoo. |
|
|
wjb l33t
Joined: 10 Jul 2005 Posts: 607 Location: Fife, Scotland
|
Posted: Tue Aug 23, 2016 12:23 am Post subject: |
|
|
This any use?
https://forums.gentoo.org/viewtopic-t-963412-start-0.html
Personally, it's in the noise
Code: | $ equery size openssh
* net-misc/openssh-7.2_p2
Total files : 75
Total size : 4.92 MiB
|
vs
Code: | $ du /usr/portage/distfiles
...
15106972 total |
??? |
|
|
haarp Guru
Joined: 31 Oct 2007 Posts: 535
|
Posted: Tue Aug 23, 2016 8:54 am Post subject: |
|
|
Shouldn't adding ssh to package.provided solve this? |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Tue Aug 23, 2016 9:42 am Post subject: |
|
|
The correct way is to remove virtual/ssh from the local profile. |
|
|
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Tue Aug 23, 2016 3:40 pm Post subject: |
|
|
mv wrote: | The correct way is to remove virtual/ssh from the local profile. |
How would one do such a thing in this case? |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Tue Aug 23, 2016 6:32 pm Post subject: |
|
|
farmer.ro wrote: | how would one do such a thing in this case? |
Code: | mkdir -p /etc/portage/profile
echo '-*virtual/ssh' >> /etc/portage/profile/packages
emerge --depclean --ask --verbose net-misc/openssh |
See `man 5 portage`. |
|
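How the `-*virtual/ssh` line from the post above takes effect, as an added example that is not part of the original thread or of Portage itself: profile `packages` files are stacked in order, `*atom` adds an atom to @system and `-*atom` in a later file removes it. The function names, file names and sample profile contents are constructed for illustration, and atoms are matched by exact string.

```sh
#!/bin/sh
# Added example: simplified model of stacked Portage profile "packages" files.
# Pass the files in profile order, parents first, /etc/portage/profile/packages last.

# Print the atoms left in @system after stacking, one per line, sorted.
system_set() {
    awk '
        /^[ \t]*#/ { next }                               # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }                   # trim whitespace
        /^-\*/     { delete set[substr($0, 3)]; next }    # "-*atom": drop inherited entry
        /^\*/      { set[substr($0, 2)] = 1 }             # "*atom": add to @system
        END        { for (a in set) print a }
    ' "$@" | sort
}

# Succeeds (exit 0) while the atom is still part of the stacked @system set.
in_system_set() {
    atom=$1; shift
    system_set "$@" | grep -qxF -- "$atom"
}

# Constructed sample: a parent profile plus the local override from the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# parent profile (constructed)' '*sys-apps/portage' \
        '*virtual/editor' '*virtual/ssh' > "$d/parent"
    printf '%s\n' '-*virtual/ssh' > "$d/local"
    echo "@system from parent only:";    system_set "$d/parent"
    echo "@system with local override:"; system_set "$d/parent" "$d/local"
    if in_system_set virtual/ssh "$d/parent" "$d/local"; then
        echo "virtual/ssh is still in @system"
    else
        echo "virtual/ssh is no longer in @system"
    fi
    rm -rf "$d"
}
demo
```

On a real system the parent files come from the profile that /etc/portage/make.profile points to, following each `parent` file.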
|
Logicien Veteran
Joined: 16 Sep 2005 Posts: 1555 Location: Montréal
|
Posted: Tue Aug 23, 2016 6:54 pm Post subject: |
|
|
I don't think that removing Ssh and Sshd is brilliant. Even with no local network, you never know when a problem will occur and you need to plug another computer into it to debug the problem. In addition, it is useful in virtual networking. Sshd is started on all my Linux distributions at boot time.
In my opinion, the question is more how to configure Sshd to be completely secure in a local network, to prevent any attack from the outside and the inside and keep its administrative advantages, rather than to remove it and lose its administrative advantages.
Some hints:
- do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).
- limit root privileges access.
- have a Firewall with good rules. _________________ Paul |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Wed Aug 24, 2016 6:04 am Post subject: |
|
|
Logicien wrote: | I don't think that removing Ssh and Sshd is brilliant. Even with no local network, you never know when a problem will occur and you need to plug another computer into it to debug the problem. |
If you have local access to the machine you can use a rescue CD which has ssh. No need to risk having ssh running all of the time. No matter what you do it is always a risk (though admittedly rather small).
Quote: | - do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).
- limit root privileges access.
- have a Firewall with good rules. |
Disallowing root connections also carries serious limitations with it (e.g. no easy backup/restore with rsync), and essentially just increases the length of your "secret" unless you remove all "regular" ways (su/sudo/...) to become root for your ssh accounts. In the latter case, it defeats the possibility to repair something over ssh.
The same with the firewall: If you let sshd listen only to localhost, a firewall does not increase security, but you cannot repair the system when you are not locally connected; similarly, if you want to allow connections from the net, a firewall cannot help. It can add some "security by obscurity" (e.g. port knocking), though. |
|
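A way to check an `sshd_config` for two of the settings discussed in the posts above (root login and the listen address), added here as an example and not posted by anyone in the thread. The function names and the sample file are assumptions; only whitespace-separated global directives before the first `Match` block are read.

```sh
#!/bin/sh
# Added example: offline check of an sshd_config file. On a live system,
# "sshd -T" prints the authoritative effective configuration.

# Print each global value of a keyword (case-insensitive), one per line.
# Reading stops at the first Match block; only "Keyword value" form is handled.
sshd_values() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print $2 }
    ' "$2"
}

# Report findings on stdout; return 0 only if root login is off and
# every ListenAddress is a loopback address.
audit_sshd() {
    cfg=$1; rc=0
    # sshd uses the first value it reads for a keyword.
    root=$(sshd_values PermitRootLogin "$cfg" | head -n 1 | tr 'A-Z' 'a-z')
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin not set: built-in default applies"; rc=1 ;;
        *)  echo "PermitRootLogin is $root"; rc=1 ;;
    esac
    # ListenAddress may be given several times; all of them are used.
    addrs=$(sshd_values ListenAddress "$cfg")
    loop='^(127\.[0-9.]+|localhost|\[::1\])(:[0-9]+)?$|^::1$'
    if [ -z "$addrs" ]; then
        echo "ListenAddress not set: sshd listens on all addresses"; rc=1
    elif exposed=$(printf '%s\n' "$addrs" | grep -Ev "$loop"); then
        echo "non-loopback ListenAddress: $exposed"; rc=1
    fi
    return $rc
}

# Constructed sample file.
demo() {
    f=$(mktemp)
    printf '%s\n' 'PermitRootLogin no' 'ListenAddress 127.0.0.1' \
        'ListenAddress 192.0.2.10:22' > "$f"
    audit_sshd "$f" || echo "findings reported for the sample file"
    rm -f "$f"
}
demo
```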
|
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
|
Posted: Wed Aug 24, 2016 6:22 am Post subject: |
|
|
Ant P. wrote: | farmer.ro wrote: | how would one do such a thing in this case? |
Code: | mkdir -p /etc/portage/profile
echo '-*virtual/ssh' >> /etc/portage/profile/packages
emerge --depclean --ask --verbose net-misc/openssh |
See `man 5 portage`. |
Thanks, this stopped "virtual/ssh" being pulled in
However, when I try to do the same for net-misc/openssh, it keeps getting pulled in by emerge.
Code: | Calculating dependencies... done!
[ebuild N ] net-misc/openssh-7.3_p1-r1 USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static"
[ebuild N ] virtual/ssh-0 USE="-minimal |
**edit** I think it is impossible to remove net-misc/openssh because of the USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static" dependencies.
Any ideas on how to stop net-misc/openssh being pulled in? |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Wed Aug 24, 2016 7:23 am Post subject: |
|
|
farmer.ro wrote: | Thanks this stopped "virtual/ssh" being pulled in :-) |
According to your output, it is still pulled in. Probably some program you installed depends on it, or your /etc/portage/profile/packages does not work as expected. You might need also Code: | echo 5 >/etc/portage/profile/eapi |
|
|
|
Logicien Veteran
Joined: 16 Sep 2005 Posts: 1555 Location: Montréal
|
Posted: Wed Aug 24, 2016 12:58 pm Post subject: |
|
|
mv,
other important hints:
- have a good password.
- stay with a stable version of Ssh.
Being able to connect to a frozen system via Ssh gives, from the beginning, an important piece of information: the system is not completely frozen, it's breathing. You can do something to resolve the problem while the system is alive and running, with all the other information it can give, which a live media cannot do as well.
Does Openssh have a security issue? How many packages of the base system must be removed from the Portage tree? Anyway, it's a user right, I recognise.
_________________ Paul |
|
|
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
|
Posted: Wed Aug 24, 2016 1:57 pm Post subject: |
|
|
farmer.ro wrote: | any ideas on how to stop net-misc/openssh being pulled in? |
Try this to see why it's being pulled: Code: | equery d net-misc/openssh |
|
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3134
|
Posted: Sun Aug 28, 2016 10:04 am Post subject: |
|
|
Quote: | [ebuild N ] virtual/ssh-0 USE="-minimal |
AFAIR USE="minimal" in this line will only pull ssh client and not the server.
Hint: you can mask a package you don't want. Once you attempt installing a package that depends on it, emerge will complain about it and - usually - offer a solution. |
|
|
Logicien Veteran
Joined: 16 Sep 2005 Posts: 1555 Location: Montréal
|
Posted: Sun Aug 28, 2016 11:00 am Post subject: |
|
|
szatox,
will the Emerge solution be something other than unmasking the previously masked package?
I have a related question for anyone who wants to answer it. When you mask a package from the base system and you report a subsequent bug, related or not to it, will it be taken into account by the Gentoo developers? _________________ Paul |
|