Gentoo Forums
[SOLVED] removing ssh
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sun Aug 28, 2016 4:27 pm

Quote:
Will the emerge solution be something other than unmasking the previously masked package?
Maybe. It may pull another package in the same place. It will name the package that pulls your masked stuff and quite often the offending USE flag. If you can drop that flag, you will also drop a dependency.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7050
Location: almost Mile High in the USA

PostPosted: Tue Oct 18, 2016 10:27 pm

From the other LOCKED thread https://forums.gentoo.org/viewtopic-t-1053214-highlight-.html the offending program is gvfs, and it does have a hard runtime dependency on openssh. And Thunar has a hard build dependency on gvfs, so you can't remove that either. Luckily ssh is an RDEP of gvfs, so simply unmerging openssh afterwards will work. Thunar is xfce's file manager.

As it is I think the only way is to just leave the mask there and ignore the error. Yes, ugly, but likely you'll need to get gvfs or perhaps there's a way to make gvfs work without enabling ssh, or perhaps the ebuild should be hacked to put in a fake switchable dependency on openssh as I think this is a soft rdep and thunar will work just fine as long as you never specify sftp/sshfs.

And all other things being said, I'm shocked a Linux user would never use ssh. It's like the bread and butter of remote access (since telnetd is completely insecure) - what Un*x was designed for.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13493

PostPosted: Wed Oct 19, 2016 1:08 am

This seems like a perfect use case for /etc/portage/profile/package.provided. Tell the system that openssh is provided, and it will stop trying to install it. Whether you actually provide it (as the feature is intended to be used) or omit it and live with the errors caused by not having it is up to you.
farmer.ro
Apprentice
Joined: 20 Aug 2016
Posts: 179

PostPosted: Wed Oct 19, 2016 5:26 am

I was able to:
Code:
# emerge --ask -C openssh

after putting:
Code:
/etc/portage/profile/package.provided
net-misc/openssh-7.3_p1-r7
virtual/ssh-0

but now portage gives error:
Code:
# emerge --ask --update --changed-use --deep @world

These are the packages that would be merged, in order:

Calculating dependencies... done!

WARNING: A requested package will not be merged because it is listed in
package.provided:

  virtual/ssh pulled in by 'system'


Nothing to merge; quitting.


Can the WARNING message be ignored?

I hope I did not break the system; however, I never use ssh, so removing it seems to enhance security by the principle of least privilege.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7050
Location: almost Mile High in the USA

PostPosted: Wed Oct 19, 2016 7:34 am

That warning looks benign and correct.

I think that warning is good. You are indeed doing something not expected by the Gentoo developers, so it's just warning you that it's not their fault if you have strange behavior - you did break what the devs assumed to be on your computer, and that is ssh.

Note if you do need support in the future, this will be scrutinized, just like having esoteric USE or CFLAGS...
farmer.ro
Apprentice
Joined: 20 Aug 2016
Posts: 179

PostPosted: Wed Oct 19, 2016 12:10 pm

Does this mean my entire system is unstable, or does it simply mean that I do not have the ssh software installed?
Zucca
Veteran
Joined: 14 Jun 2007
Posts: 1460
Location: KUUSANKOSKI, Finland

PostPosted: Wed Oct 19, 2016 2:04 pm

Usually virtual/ssh is pulled in by @system. I'm not sure if profile also affects that.
I would advise against removing ssh, but that has already been discussed.
Gentoo is about choice and customisation. Removing ssh should be possible without breakage because it's not a relevant part of running a minimal Gentoo system (correct me if I'm wrong). And by "should be" I mean that one should be able to remove it without @system pulling it back.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
farmer.ro
Apprentice
Joined: 20 Aug 2016
Posts: 179

PostPosted: Wed Oct 19, 2016 3:56 pm

I decided to leave sshd installed, as it seems to be a vital part of Gentoo.

Maybe off-topic, but:
Previously I used to set PermitRootLogin to "no" in the /etc/ssh/sshd

but in the release notes of ssh it says:
Code:
 * The default for the sshd_config(5) PermitRootLogin option has
   changed from "yes" to "prohibit-password".

 * PermitRootLogin=without-password/prohibit-password now bans all
   interactive authentication methods, allowing only public-key,
   hostbased and GSSAPI authentication (previously it permitted
   keyboard-interactive and password-less authentication if those
   were enabled).


Does this mean that setting PermitRootLogin to "no" is not needed any more, and the default "PermitRootLogin prohibit-password" is secure enough?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13493

PostPosted: Thu Oct 20, 2016 1:41 am

You can set either of them. If I recall correctly, you posted at least once saying you would not run sshd at all, in which case your choice in its configuration file is irrelevant. Setting PermitRootLogin no prohibits sshd from ever allowing root to log in. PermitRootLogin prohibit-password prohibits sshd from allowing root to log in using certain types of authentication and permits it for other types, as described in the documentation. The greatest security comes from the least functionality. Disabling sshd entirely will protect you more than trying to configure it to restrict certain types of login.
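Hu's distinction between PermitRootLogin no and prohibit-password only holds if the line you set is the one sshd actually uses: sshd_config takes the first value given for a keyword, and a value inside a Match block is conditional. The following is an added example (not code from the thread or from OpenSSH) that audits an sshd_config text with those rules and reports which authentication methods root could still use; the sample config and helper names are constructed for illustration, and sshd -T on the real host remains the authoritative check.

```python
"""Audit the effective PermitRootLogin value of an sshd_config.

First value of a keyword wins and Match blocks are conditional; `sshd -T`
remains the authoritative check.  Added example, not from the thread.
"""
import re

DEFAULT = "prohibit-password"  # default since OpenSSH 7.0 (release notes above)
# Authentication methods root may still use under each value.
ROOT_AUTH = {
    "no": set(),
    "prohibit-password": {"publickey", "hostbased", "gssapi"},
    "without-password": {"publickey", "hostbased", "gssapi"},  # older alias
    "forced-commands-only": {"publickey"},  # only keys with a command= option
    "yes": {"publickey", "hostbased", "gssapi", "password", "keyboard-interactive"},
}

def effective_permit_root_login(config_text: str) -> str:
    """Return the global PermitRootLogin value (first occurrence wins)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Keyword and value are separated by whitespace or '='; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        if key == "permitrootlogin" and len(parts) > 1:
            return parts[1].strip().lower()
    return DEFAULT

def audit(config_text: str) -> dict:
    """Summarise how root could still authenticate under the effective value."""
    value = effective_permit_root_login(config_text)
    methods = ROOT_AUTH.get(value)
    return {"value": value, "known": methods is not None,  # False for typos
            "root_auth_methods": sorted(methods) if methods else []}

# Constructed sample: "PermitRootLogin no" was appended at the end, but the
# earlier "yes" already wins, so root may still log in with any method.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""
```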
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7050
Location: almost Mile High in the USA

PostPosted: Thu Oct 20, 2016 3:11 am

All you need to do is to make sure you run (openrc)

# service sshd stop
# rc-update delete sshd default

to make sure sshd does not run.

What thunar/gvfs is using is actually the client ssh programs: sftp (and I think scp but not sure). These do not need root privileges to run and run as the user you use gvfs under. These allow for secure network virtual filesystems so you can copy files back and forth to other machines through the GUI. If you don't have any other machines even on the internet somewhere that you could sftp to, then fine, yeah no reason to install.

However, in either case all my machines have the other half of openssh, sshd, running. The main reason is that I can use another one of my machines to remote login to any other machine in case I freeze the console and attempt to do recovery. I can copy files back and forth between them without having to run and do something on both machines. Ones that have soft power off, I can even shut down remotely.

Granted yes this is of little use if you have only one machine and no network adapters/network equipment, but it'd confuse a lot less debug helpers if you simply had it installed but not running, so at least all the files are there and no warnings spat out.