installer clean up #4235
Why would you remove the backups option? Does it hurt someone? If not, leave it in. ssh: Are you going to remove it also from sshd.service?
k, I'll drop the commit.
nope. I keep it there.
users are still free to add 'ssh' to syslinux.conf manually
objections ?
Not from me. Even if I don't see a reason why ssh should be removed from here.
I don't like to give clueless people who do DMZ an easy way to have sshd always running, right from the beginning. For OE7, the way sshd starts / runs should be re-worked (default keys only, big fat warning when you enable password auth). I'll do that and post a PR when done.
I have no objections to SSH support being removed from the installer but I do object to any removal of ssh support from the init script. Being able to force it on is a useful debug capability for some situations and leaving that option there does no harm.
NB: Our SSH default is OFF so user boxes are not accessible from local LAN, let alone the internet, and no matter what scheme we have, idiots will still be idiots and share their box to the world. Any move to key-only auth as the default creates the situation of needing access to the box to install a private key to make it secure, but access not being available as SSH access requires a key, and a pre-shared known key is worse than a known password as n00b users will presume "Secure SHell" access to be secure. At least a default password is understood to be weak by most users. I would prefer to see a solution to non-changeable passwords, and if that is truly impossible I believe we already have the "n00b vs security" balance correct.
I think this ssh issue is something that should be left alone as is. Security issues will always be present if the user doesn't understand things. I would say it is the same thing as if you connect some 12 V electronics to 230 V. The instructions clearly say what voltage it is for. And if the user uses a higher voltage, the best thing can be only a blown fuse. The worst, the whole device in flames. So it is just like enabling ssh. In the installer and in the OpenELEC settings in Kodi there is a warning explaining things. If the user doesn't understand what this is, they should educate themselves first.
What if you move the ssh on/off switch to a more hidden place instead of directly on the front page?
right now, I moved it to a more hidden place -> syslinux.cfg ;)
Restricting SSH access to only IANA private addresses removes most of the "fat fingers/n00b user" risks.
'ssh' in syslinux.conf is not a good idea (anymore). must go.
backups.. this needs ack from @vpeter4 but "bug reports" like #4232 are meh if you ask me.