ssh

Message

ysbeer · Post by **ysbeer** » Wed Jul 27, 2016 12:07 am

I might asked before on another thread, but did not get the answer yet:

i want to completely remove/disable ssh(client) "emerge -C openssh" - removes it, but after a reboot, the ssh(client) keeps coming back,

Question: how do i completely remove ssh and make sure it does not get back after a reboot?

Post by Hu » Wed Jul 27, 2016 1:37 am

It looks to me like your question was answered, by fedeliallalinea, about 18 hours before you opened this thread: ssh ; Re: some newbie questions. If his answer is not satisfactory, you would be better off responding in that thread, so that future readers can keep straight the full exchange. What you described should have removed ssh already. Please explain what you mean by "keeps coming back." What exactly happens between when you run emerge --unmerge openssh and when you see that ssh has "come back"? What do you see that makes you say that ssh has "come back"?

ysbeer · Post by **ysbeer** » Wed Jul 27, 2016 12:14 pm

Hu wrote:It looks to me like your question was answered, by fedeliallalinea, about 18 hours before you opened this thread: ssh ; Re: some newbie questions. If his answer is not satisfactory, you would be better off responding in that thread, so that future readers can keep straight the full exchange. What you described should have removed ssh already. Please explain what you mean by "keeps coming back." What exactly happens between when you run emerge --unmerge openssh and when you see that ssh has "come back"? What do you see that makes you say that ssh has "come back"?

i am sorry for starting a new thread,

when i "emerge -C openssh" the command "ssh" seems to be gone from the terminal, however when i fully update my system, it seems to pull in the openssh package again (i think because openssh client belongs to the base system) so when i "ssh" command in terminal again the ssh client seems to be back.

Post by **fedeliallalinea** » Wed Jul 27, 2016 12:22 pm

ysbeer wrote:(i think because openssh client belongs to the base system)

For check which packages depends on openssh install gentoolkit and then run:

Code: Select all

$ equery d openssh

If at least one package depend on it you cannot uninstall openssh

ysbeer · Post by **ysbeer** » Wed Jul 27, 2016 12:29 pm

* These packages depend on openssh:
gnome-base/gvfs-1.28.2 (net-misc/openssh)
virtual/ssh-0 (minimal ? net-misc/openssh)
(!minimal ? net-misc/openssh)

i am using XFCE, so if i understand correctly i can not remove the ssh package?

i am not using ssh, so this leaves an extra vulnerability to my system if i do not use it anyway? i am not familiar with ssh, i can assume this is the client and not the server? do i need to further configure it with some security options?

Post by **fedeliallalinea** » Wed Jul 27, 2016 12:51 pm

ysbeer wrote:i am not using ssh

Not you, but gvfs package yes (its dependency).

ysbeer wrote:i am not familiar with ssh, i can assume this is the client and not the server? do i need to further configure it with some security options?

As already mentioned, openssh package contains both (client and server). Default openssh server is not started, for check this in openrc:

Code: Select all

# rc-status default

or systemd

Code: Select all

# systemctl status sshd.service

If server is not started I don't see big security problem (at least in a desktop system)

Genone · Post by **Genone** » Wed Jul 27, 2016 12:59 pm

The openssh package includes both client and server, but unless you actually start the server (which requires root permission unless you adjust the configuration) it isn't a security concern at all.

To abuse the client an attacker would already need access to your system, in which case he could also simply download a ssh client on his own (unless your system is locked down really tight).

So in short simply installing openssh does not reduce the security of your system.

And yes, virtual/ssh is part of the base system profile as ssh is considered a vital administration tool for many people.

ysbeer · Post by **ysbeer** » Wed Jul 27, 2016 1:07 pm

i used : https://dev.gentoo.org/~swift/docs/secu ... enssh.html to secure the /etc/ssh/sshd_config

thanks for making it more clear.

ysbeer · Post by **ysbeer** » Wed Jul 27, 2016 7:50 pm

addition: i discovered that sftp is also installed, and that when "emerge -C sftp" or "emerge --unmerge sftp" Couldn't find 'ftp' to unmerge.

whereis sftp
sftp: /usr/bin/sftp /usr/share/man/man1/sftp.1.bz2

is sftp part of the openssh package, and should i leave it as it is?

ian.au · Post by **ian.au** » Thu Jul 28, 2016 12:47 am

ysbeer wrote:i used : https://dev.gentoo.org/~swift/docs/secu ... enssh.html to secure the /etc/ssh/sshd_config

thanks for making it more clear.

Is it more clear, though? If, as you state above, you aren't enabling and have no plans to run an ssh server there really wasn't anything achieved by modifying the daemon config file, which only regulates connections to the server; so it's irrelevant in your case. Your ssh security is pretty much complete if you don't start the server, as others have told you several times.

Similarly, sftp, which is a method to move files around over ssh is hardly worth worrying about if you are not running an ssh server, as there is no ssh transport available for sftp to utilize. Both of these tools are essential admin tools for managing networked systems, if you're running a standalone desktop I doubt you even have to think about them, they're installed but not enabled by default.

The devs here incorporate sane and secure defaults for these services, what is making you think you need to improve upon them?