[SOLVED] removing ssh

Post by farmer.ro » Sun Aug 21, 2016 6:04 pm

i am in no need for ssh, and i would like to completely remove the ssh service, i am also unsure if i am running the ssh client, or the ssh server.

when i

Code:

emerge -C --ask ssh

it keeps pulling back in ssh, because it belongs to the base system.

Code:

whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.bz2

Code:

whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.bz2

Question: how can i make sure ssh gets fully removed from my system, and will not be pulled in by emerge again?
Last edited by farmer.ro on Thu Oct 20, 2016 6:16 am, edited 3 times in total.

Post by ct85711 » Sun Aug 21, 2016 7:01 pm

see here viewtopic-t-1048864.html

Post by farmer.ro » Mon Aug 22, 2016 11:06 am

so i can not remove unwanted software from my computer? that is bad.

Post by depontius » Mon Aug 22, 2016 1:10 pm

Reading the reference, it looks to me as if you could remove ssh if you quit using GNOME. I don't know if KDE similarly requires ssh, you'd have to check that. Personally I use icewm and my wife uses xfce. I don't know if the latter requires ssh, but I use it all the time, so I want it installed.

However make sure you put the blame where it is due - presumably GNOME, not Gentoo. (It might be worth checking if ssh is part of @system before I make that statement.)
.sigs waste space and bandwidth

Post by farmer.ro » Mon Aug 22, 2016 2:00 pm

I am using XFCE on Gentoo, and after removing the ssh package, it automatically gets pulled in after updating.

on Debian Jessie, i was using XFCE also, but there i could just

Code:

apt-get --purge autoremove ssh

with no problems.

Question: is it even possible to remove the ssh package on XFCE/Gentoo, for example by blacklisting the ssh package in some way? i think i have seen somewhere that it is not advised to remove base parts of the system, because it could possibly break the system, is that true?

Post by 1clue » Mon Aug 22, 2016 2:06 pm

I'm using headless gentoo, and eix -c --system includes ssh.

For me this is not a problem because it's my means of connecting to pretty much every box I'm not sitting at.

Post by depontius » Mon Aug 22, 2016 2:18 pm

You realize of course that as long as you don't start sshd, having ssh installed is only a slight waste of disk space, not a security exposure. If someone wanted to phone home and they're on your machine, there are so many ways to do that that having ssh installed is no significant additional exposure. For safety you could also configure /etc/sshd_config in such a way that no one could ever connect to it anyway. Compared to so much software out there these days, the wasted disk space is negligible.
.sigs waste space and bandwidth

Post by 1clue » Mon Aug 22, 2016 2:58 pm

Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.

Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh.

Post by farmer.ro » Mon Aug 22, 2016 3:41 pm

1clue wrote:Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.

Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh.

+1

Post by mikegpitt » Mon Aug 22, 2016 8:35 pm

1clue wrote:Gentoo, a distro based on minimalism of requirements and choice of what to install
I would argue that Gentoo isn't about minimalism, but customization.

As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems. If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing. Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files.

Post by 1clue » Mon Aug 22, 2016 11:06 pm

mikegpitt wrote:
1clue wrote:Gentoo, a distro based on minimalism of requirements and choice of what to install
I would argue that Gentoo isn't about minimalism, but customization.

As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems. If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing. Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files.

And if you build a system which has no networking, do you still think you should be required to have an ssh?

Post by 1clue » Mon Aug 22, 2016 11:14 pm

IMO the best customization is minimalism. The less that is required the more flexible the design.

I've been using Gentoo for a long time without having to ever use a custom overlay. While I acknowledge that an overlay would be a workable solution, I simply think it's odd that ssh is a required package on a distro like Gentoo.

Post by wjb » Tue Aug 23, 2016 12:23 am

This any use?
viewtopic-t-963412-start-0.html

Personally it's in the noise

Code:

$ equery size openssh
 * net-misc/openssh-7.2_p2
         Total files : 75
         Total size  : 4.92 MiB

vs

Code:

$ du /usr/portage/distfiles
...
15106972        total

???

Post by haarp » Tue Aug 23, 2016 8:54 am

Shouldn't adding ssh to package.provided solve this?

Post by mv » Tue Aug 23, 2016 9:42 am

The correct way is to remove virtual/ssh from the local profile.

Post by farmer.ro » Tue Aug 23, 2016 3:40 pm

mv wrote:The correct way is to remove virtual/ssh from the local profile.
how would one do such a thing in this case?

Post by Ant P. » Tue Aug 23, 2016 6:32 pm

farmer.ro wrote:how would one do such a thing in this case?

Code:

mkdir -p /etc/portage/profile
echo '-*virtual/ssh' >> /etc/portage/profile/packages
emerge --depclean --ask --verbose net-misc/openssh

See `man 5 portage`.
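
Why the `-*virtual/ssh` line in the post above takes the package out of the system set, shown as an added example that is not part of the original post: a small resolver for the `packages` file format described in portage(5). The demo directories and their contents are constructed, and `system_set`, `in_system_set` and `demo_setup` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compute the system set from a cascade of profile "packages"
# files, following portage(5): "*atom" adds an atom to the system set and
# "-*atom" removes one that a parent profile added. Directories are passed
# parent-first, with the site override (/etc/portage/profile) last.
# Simplifications: "parent" files are not followed and a removal must match
# the parent's atom string exactly.
system_set() {
    for dir in "$@"; do
        if [ -f "$dir/packages" ]; then cat "$dir/packages"; fi
    done | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == ""  { next }
        /^-\*/    { delete sys[substr($0, 3)]; next }
        /^\*/     { sys[substr($0, 2)] = 1 }
        END       { for (atom in sys) print atom }
    ' | sort
}

# Succeeds if <atom> is in the system set of the given cascade.
in_system_set() {   # usage: in_system_set <atom> <dir>...
    atom=$1; shift
    system_set "$@" | grep -Fqx -- "$atom"
}

# Constructed demo cascade (not the real Gentoo profile contents).
demo_setup() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/base" "$DEMO/site"
    printf '%s\n' '# constructed base profile' '*sys-apps/portage' \
        '*virtual/ssh' '*virtual/editor' > "$DEMO/base/packages"
    printf '%s\n' '-*virtual/ssh' > "$DEMO/site/packages"
}

demo_setup
echo "base only:";          system_set "$DEMO/base"
echo "with site override:"; system_set "$DEMO/base" "$DEMO/site"
rm -rf "$DEMO"
```

Leaving the system set only stops @system from requiring the package; any installed package that depends on it still pulls it back in.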

Post by Logicien » Tue Aug 23, 2016 6:54 pm

I don't think that removing Ssh and Sshd is brilliant. Even with no local network, you never know when a problem will occur and you need to plug another computer into it to debug the problem. In addition, it is useful in virtual networking. Sshd is started on all my Linux distributions at boot time.

The question, in my opinion, is more to configure Sshd to be completely secure in a local network to prevent any attack from the outside and the inside and keep its administrative advantages than to remove it and lose its administrative advantages.

Some hints:

- do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).
- limit root privileges access.
- have a Firewall with good rules.
Paul

Post by mv » Wed Aug 24, 2016 6:04 am

Logicien wrote:I don't think that removing Ssh and Sshd is brilliant. Even with no local network, you never know when a problem will occur and you need to plug another computer into it to debug the problem.

If you have local access to the machine you can use a rescue CD which has ssh. No need to risk having ssh running all of the time. No matter what you do it is always a risk (though admittedly rather small).

Logicien wrote:
- do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).
- limit root privileges access.
- have a Firewall with good rules.

Disallowing root connections also carries serious limitations with it (e.g. no easy backup/restore with rsync), and essentially just increases the length of your "secret" unless you remove all "regular" ways (su/sudo/...) to become root for your ssh accounts. In the latter case, it defeats the possibility to repair something over ssh.
The same with the firewall: If you let sshd listen only to localhost, a firewall does not increase security, but you cannot repair the system when you are not locally connected; similarly, if you want to allow connections from the net, a firewall cannot help. It can add some "security by obscurity" (e.g. port knocking), though.
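
For readers who keep sshd installed, the two settings debated above (root login and which addresses sshd listens on) can be checked statically. This is an added example, not part of any post in the thread; the sample configuration is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: static audit of an sshd_config file. Per sshd_config(5),
# keywords are case-insensitive, the first value found for a keyword is the
# one used, and ListenAddress may be given several times.

# Print "keyword value" (keyword lower-cased) for the global section only;
# parsing stops at the first Match block.
sshd_global() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || $0 == "" { next }
        {
            match($0, /^[^ \t=]+/)
            key = tolower(substr($0, 1, RLENGTH))
            if (key == "match") exit
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            print key, val
        }' "$1"
}

# Effective value of one keyword (first wins); empty output if unset.
sshd_effective() {   # usage: sshd_effective <keyword> <file>
    sshd_global "$2" | awk -v k="$1" \
        '$1 == tolower(k) { sub(/^[^ ]+ /, ""); print; exit }'
}

# Succeeds only if every ListenAddress is loopback. With no ListenAddress
# line sshd binds all local addresses, so that case fails too.
sshd_loopback_only() {
    addrs=$(sshd_global "$1" | awk '$1 == "listenaddress" { print $2 }')
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in
            127.[0-9]*|::1|'[::1]'|'[::1]:'*|localhost|localhost:*) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed sample configuration (not taken from the thread).
sample_config() {
    printf '%s\n' '# constructed sample' 'ListenAddress 127.0.0.1' \
        'permitrootlogin no' 'PermitRootLogin yes' \
        'Match User backup' '    PermitRootLogin yes'
}

cfg=$(mktemp) && sample_config > "$cfg"
echo "PermitRootLogin: $(sshd_effective PermitRootLogin "$cfg")"
sshd_loopback_only "$cfg" && echo "loopback only" || echo "reachable from the network"
rm -f "$cfg"
```

On a live host, `sshd -T` prints the configuration the daemon would actually use, including compiled-in defaults that a file scan cannot see.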

Post by farmer.ro » Wed Aug 24, 2016 6:22 am

Ant P. wrote:
farmer.ro wrote:how would one do such a thing in this case?

Code:

mkdir -p /etc/portage/profile
echo '-*virtual/ssh' >> /etc/portage/profile/packages
emerge --depclean --ask --verbose net-misc/openssh

See `man 5 portage`.

Thanks this stopped "virtual/ssh" being pulled in :-)

however when i try to do the same for net-misc/openssh, it keeps getting pulled in by emerge.

Code:

Calculating dependencies... done!
[ebuild  N     ] net-misc/openssh-7.3_p1-r1  USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static" 
[ebuild  N     ] virtual/ssh-0  USE="-minimal

**edit** i think it is impossible to remove net-misc/openssh because of the USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static, dependencies.

any ideas on how to stop net-misc/openssh being pulled in?

Post by mv » Wed Aug 24, 2016 7:23 am

farmer.ro wrote:Thanks this stopped "virtual/ssh" being pulled in :-)
According to your output, it is still pulled in. Probably some program you installed depends on it, or your /etc/portage/profile/packages does not work as expected. You might need also

Code:

echo 5 >/etc/portage/profile/eapi

Post by Logicien » Wed Aug 24, 2016 12:58 pm

mv,

other important hints:

- have a good password.
- stay with a stable version of Ssh.

Being able to connect to a frozen system via Ssh gives from the beginning an important piece of information: the system is not completely frozen, it's breathing. You can do something to resolve the problem when the system is alive and running with all the other information it can give, which a live media cannot do as well.

Does Openssh have a security issue? How many packages of the base system must be removed from the Portage tree? Anyway, it's a user right I recognise.

:D
Paul

Post by mikegpitt » Wed Aug 24, 2016 1:57 pm

farmer.ro wrote:any ideas on how to stop net-misc/openssh being pulled in?
Try this to see why it's being pulled:

Code:

equery d net-misc/openssh

Post by szatox » Sun Aug 28, 2016 10:04 am

[ebuild N ] virtual/ssh-0 USE="-minimal
AFAIR USE="minimal" in this line will only pull ssh client and not the server.

Hint: you can mask a package you don't want. Once you attempt installing a package that depends on it, emerge will complain about it and - usually - offer a solution.

Post by Logicien » Sun Aug 28, 2016 11:00 am

szatox,

will the Emerge solution be something other than unmasking the previously masked package?

I have a related question for anyone who wants to answer it. When you mask a package from the base system and you report a subsequent bug related or not to it, will it be taken into account by the Gentoo developers?
Paul