Tass
Posts: 535
Joined: Sat Jan 21, 2012 11:15 am

Re: Preconfigured image with SSH and/or VNC

Fri Feb 24, 2012 11:06 pm

All the more reason for us to help those non-tech people learn how to set ssh up - nothing quite beats learning by carefully following a tutorial on your own system and getting to grips with it that way

oninoshiko
Posts: 76
Joined: Sun Jan 29, 2012 9:16 pm

Re: Preconfigured image with SSH and/or VNC

Fri Feb 24, 2012 11:07 pm

USING ssh assumes some technical capability. Those who want it will be able to easily find how to set it up. Those who don't shouldn't be bothered with it.

If you need SSH from the start, then configure it on your SD card before sticking it in the machine. This is the exception, easily.

Seriously folks, some of you are actually arguing that someone can afford a whole computer (what are they going to be SSHing in WITH?), but can't find an old TV to hook the $35 raspi to? That's just silly!

xkxx
Posts: 39
Joined: Sat Dec 10, 2011 5:26 am

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 3:49 am

Sorry, I can't resist not to reply to this post. It looks like every time someone brings up the sshd issue some others get angry. Just chill.

I think we all agree with the following:

1. ssh can be useful to those who want to connect to raspi through another computer.

2. if ssh is not there or not enabled by default, those who need it will have to pre-configure the sd card image.

Some oppose enabling ssh by default with the following reasons:

1. Someone in the same network can mess with it.

2. Only geeks with no life will try to access raspi solely through ssh, and they will figure it out anyway.

3. People who want to use ssh are rich because they already have computers, so they can afford a hdtv, a mouse, a keyboard, all the wires, etc.

Well, the 2nd and 3rd points are not necessarily true. For example, we are students in high school, and we have a weekly allowance of $20. We each have a cheap laptop, and that's it. We can't acquire monitors, because the desktops in complab are all-in-ones, and tvs don't have their wires come out. And we won't waste a whole weekend on figuring out a ridiculous hardware/software issue.

So I think it'd be best:

Not enable sshd by default, but provide an easy and quick way to set it up; and by easy and quick, I mean a one-line configuration, etc.

And whatever we get in the end, someone will post the instructions to enable sshd anyway. Or, if no one else does it, I will. So there's no sense in arguing. So maybe a mod can close this thread?

rwgast
Posts: 31
Joined: Sat Feb 18, 2012 10:26 pm
Contact: Website

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 4:25 am

OK, I'm very capable of finding a device on my network. My question was: is there a way to enable ssh or vnc in the image before writing it to the SD card? Some of us just may not have a display on release because all we use is laptops for computing, TV, whatever. I'm not asking for a beginner's how-to, just whether it's possible and a kick in the right direction.

But if I understand right, sshd is enabled by default in the squeeze image? Still, if I wanna use Fedora I'd like to know how to edit the image with ssh enabled.

bbramble
Posts: 60
Joined: Wed Jan 04, 2012 4:10 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 8:45 am

oninoshiko said:


USING ssh assumes some technical capability. Those who want it will be able to easily find how to set it up. Those who don't shouldn't be bothered with it.

If you need SSH from the start, then configure it on your SD card before sticking it in the machine. This is the exception, easily.

Seriously folks, some of you are actually arguing that someone can afford a whole computer (what are they going to be SSHing in WITH?), but can't find an old TV to hook the $35 raspi to? That's just silly!


With respect, you are wrong on multiple counts. This is effectively a dev/preview release to a community of technical people. SSH is likely to be used on the majority of the boards that are used for something other than a pre-rolled media server (which is a nice "to-have" but not what the board is for).

If network security is utmost, either you need to know how to secure it, or you need a board without ethernet, for which I introduce you to the Model A when it is available.

If you can't afford another whole computer and are worrying what TV you'll plug it into, exactly what network are you using and why do you have a publicly accessible network and no computer?

Come on people, you are making up problems now.

bbramble
Posts: 60
Joined: Wed Jan 04, 2012 4:10 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 8:47 am

rwgast said:


But if I understand right, sshd is enabled by default in the squeeze image? Still, if I wanna use Fedora I'd like to know how to edit the image with ssh enabled.


The easiest way (assuming a Linux desktop) is probably to write the image to an SD card and then plug that SD card into a computer (with an SD reader, obviously!). You can then mount the partitions and access the file system directly.

oninoshiko
Posts: 76
Joined: Sun Jan 29, 2012 9:16 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 6:35 pm

bbramble said:

With respect, you are wrong on multiple counts. This is effectively a dev/preview release to a community of technical people. SSH is likely to be used on the majority of the boards that are used for something other than a pre-rolled media server (which is a nice "to-have" but not what the board is for).

If network security is utmost, either you need to know how to secure it, or you need a board without ethernet, for which I introduce you to the Model A when it is available.

If you can't afford another whole computer and are worrying what TV you'll plug it into, exactly what network are you using and why do you have a publicly accessible network and no computer?

Come on people, you are making up problems now.


You are wrong on multiple counts.

No network services should be enabled by default. This is the default config of every distro I've ever used, because it's the only sane default. There is a list of uses as long as my arm which do not require SSH, certainly not always-on SSH; if you can't think of any other than XBMC it's just a lack of creativity on your part.

Network security should ALWAYS be a consideration when defining the defaults. If a user wants to enable things to decrease security, fine, but not even CONSIDERING it in a DEFAULT?

You're missing the point (but I imagine you are already aware of that), so let me clarify. If you have access to a computer, you more than likely have access to a TV, making SSH-by-default a non-necessity. Even if you don't have access to a screen, you have access to a computer and can just make the alterations to the card before inserting it, making SSH-by-default a non-necessity.

SSH enabled by default has always been a made up problem.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 6:42 pm

And that's that.  The king has spoken.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

grumpyoldgit
Posts: 1452
Joined: Thu Jan 05, 2012 12:20 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 7:07 pm

Looks like handbags at dawn to me. Let's see if we can get the pointless posts on this topic past the 100 mark. I'm hoping for Godwin's law to be applied before we get to that point!

jojopi
Posts: 3402
Joined: Tue Oct 11, 2011 8:38 pm

Re: Preconfigured image with SSH and/or VNC

Sat Feb 25, 2012 8:11 pm

oninoshiko said:

This is the default config of every distro I've ever used, because it's the only sane default.

Can I ask which distros you have used? For instance, Red Hat Enterprise Linux (and CentOS) and Fedora certainly run sshd by default from the first boot, and automatically punch a hole in iptables for it.

For the many other distros I have installed, I do not have sufficient recollection of the state between bare install and deployment to be sure what the default configuration was.  I would be surprised, however, if they all took the same absolutist "security over usability, every time" view that you seem to propose.  It is a judgement call, not a sanity issue.

oninoshiko
Posts: 76
Joined: Sun Jan 29, 2012 9:16 pm

Re: Preconfigured image with SSH and/or VNC

Sun Feb 26, 2012 2:43 am

jojopi said:


oninoshiko said:


This is the default config of every distro I've ever used, because it's the only sane default.


Can I ask which distros you have used?  For instance, Red Hat Enterprise Linux (and CentOS) and Fedora certainly run sshd by default from the first boot, and automatically punch a hole in iptables for it.

For the many other distros I have installed, I do not have sufficient recollection of the state between bare install and deployment to be sure what the default configuration was.  I would be surprised, however, if they all took the same absolutist "security over usability, every time" view that you seem to propose.  It is a judgement call, not a sanity issue.


Debian does not enable it by default, nor does Ubuntu.

It surprises me somewhat to find out RH does enable this by default (but not that CentOS just blindly follows whatever RH does), but at least they have passwords configured as part of the installation procedure.

Generally, I spend more time in true UNIXs, these days. Solaris (in fairness this is post-Sol-10. There was a "secure by default" initiative a few years ago.) It was considered a no-brainer. OBSD makes it an option in the installation, which is a fair enough approach.

It's worth noting, even the systems which DO have sshd enabled by default, require you to define passwords. We do not (and cannot) have passwords configured as part of the installation process. Because of this there will be a period where, if you leave your network plugged in, you will be susceptible to someone using a script to try known default passwords. By the time you change the password, it's already over. If we are lucky (and I mean those of us who will be targeted using your machine as a jumping off point, at this point I no longer care about your box.) you will notice it and clean it up promptly. If the attacker is good and you are not paying attention, it may never be noticed.

Default passwords with default enabled remote access daemons is the kind of security hole that would make even Bill "no one cares about security" Gates do a double-take.
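
Added example, not part of any post in this thread: a POSIX shell check to run against the SD card's root partition once it is mounted on another computer, as suggested earlier in the thread. It flags the combination described above, sshd started at boot while password logins are accepted. The mount point and the function names are assumptions; the paths checked are the usual sysvinit and systemd locations.

```sh
#!/bin/sh
# Added example: audit a mounted SD-card root filesystem before first boot.
# Usage: sh audit.sh /mnt/pi-root   (mount point is an assumed path)

# Succeeds if an init system on the card will start sshd at boot.
sshd_enabled() {
    root=$1
    # sysvinit (Debian squeeze era): S<NN>ssh start links in runlevels 2-5
    for link in "$root"/etc/rc[2-5].d/S[0-9][0-9]ssh; do
        if [ -L "$link" ] || [ -e "$link" ]; then return 0; fi
    done
    # systemd images: enablement symlink (-L, because its target is an
    # absolute path that dangles when the card is mounted elsewhere)
    for unit in ssh.service sshd.service; do
        link=$root/etc/systemd/system/multi-user.target.wants/$unit
        if [ -L "$link" ] || [ -e "$link" ]; then return 0; fi
    done
    return 1
}

# Succeeds if sshd would accept password logins. The first uncommented
# PasswordAuthentication line before any Match block is used; with none,
# OpenSSH defaults to "yes". Include files are not followed here.
password_login_allowed() {
    cfg=$1/etc/ssh/sshd_config
    [ -f "$cfg" ] || return 0
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    [ "${val:-yes}" != "no" ]
}

# Prints a verdict; returns 1 only for the risky combination.
audit_rootfs() {
    if ! sshd_enabled "$1"; then
        echo "ok: sshd is not started at boot"
        return 0
    fi
    if password_login_allowed "$1"; then
        echo "RISK: sshd starts at boot and accepts passwords;" \
             "change the default password or use keys before networking"
        return 1
    fi
    echo "ok: sshd starts at boot with key-only login"
}

if [ "$#" -gt 0 ]; then audit_rootfs "$1"; fi
```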

nick.mccloud
Posts: 804
Joined: Sat Feb 04, 2012 4:18 pm

Re: Preconfigured image with SSH and/or VNC

Sun Feb 26, 2012 10:06 am

oninoshiko said:


It's worth noting, even the systems which DO have sshd enabled by default, require you to define passwords. We do not (and cannot) have passwords configured as part of the installation process. Because of this there will be a period where, if you leave your network plugged in, you will be susceptible to someone using a script to try known default passwords.


Just to clarify for other readers so that they can make their own assessment as to the statistical likelihood of this happening.

You are a home user. You have a standard broadband connection with a NAT router. You know nothing of port forwarding. You plug in your Pi. You use it. There is no incoming route to your Pi from the outside world for anyone to access your Pi.

Alternatively, you are a home user who has set up port forwarding for the only DHCP address available on your router - you are asking for trouble.

Alternatively, you are a power user who has a set of public IP addresses and you just plug your Pi in to your network - you are asking for trouble.

I'm sure you can think of other scenarios, most of which require the Pi owner to have some technical knowledge to even get themselves in to trouble in the first place.

Further clarification.

We are STILL talking about the preview Debian6 image which was kindly made available to us to keep us happy whilst the team work silly hours to get a Pi in to our hands. This is how we reward that kindness! Let's give them the benefit of the doubt.

oninoshiko
Posts: 76
Joined: Sun Jan 29, 2012 9:16 pm

Re: Preconfigured image with SSH and/or VNC

Mon Feb 27, 2012 4:50 pm

nmcc said:


oninoshiko said:


It's worth noting, even the systems which DO have sshd enabled by default, require you to define passwords. We do not (and cannot) have passwords configured as part of the installation process. Because of this there will be a period where, if you leave your network plugged in, you will be susceptible to someone using a script to try known default passwords.


Just to clarify for other readers so that they can make their own assessment as to the statistical likelihood of this happening.

You are a home user. You have a standard broadband connection with a NAT router. You know nothing of port forwarding. You plug in your Pi. You use it. There is no incoming route to your Pi from the outside world for anyone to access your Pi.



Alternatively, you are a home user who has set up port forwarding for the only DHCP address available on your router - you are asking for trouble.

Alternatively, you are a power user who has a set of public IP addresses and you just plug your Pi in to your network - you are asking for trouble.

I'm sure you can think of other scenarios, most of which require the Pi owner to have some technical knowledge to even get themselves in to trouble in the first place.


You are making assumptions about the user's network. I find when defining defaults, the best assumption to make is that you have no idea what the end environment will be like.

You are also assuming that an attack comes from outside the network. Siemens AG made that assumption, now we have Stuxnet.


Further clarification.

We are STILL talking about the preview Debian6 image which was kindly made available to us to keep us happy whilst the team work silly hours to get a Pi in to our hands. This is how we reward that kindness! Let's give them the benefit of the doubt.


I thought this was a discussion of the implications of adding remote access with default passwords. I thought explaining why it's a problem was fair game. Why do you seem to think this is some kind of personal attack against anyone? With such attitudes how is a discussion of real-world issues supposed to occur?

RaTTuS
Posts: 10681
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
Contact: Twitter YouTube

Re: Preconfigured image with SSH and/or VNC

Mon Feb 27, 2012 5:13 pm

1) you are a home user – you have trojan infected windows boxes

2) you plug your RPi into your home network to do secure banking on it

3) you take your RPi round to your mates for a demo and don't re-create the SD card afterwards

4) you take your RPi into school

bbramble
Posts: 60
Joined: Wed Jan 04, 2012 4:10 pm

Re: Preconfigured image with SSH and/or VNC

Tue Feb 28, 2012 9:31 am

RaTTuS said:


1) you are a home user – you have trojan infected windows boxes

2) you plug your RPi into your home network to do secure banking on it

3) you take your RPi round to your mates for a demo and don't re-create the SD card afterwards

4) you take your RPi into school



You remember the RPi is a development board and not a home computer and none of this applies.

If you have a trojan infected windows box you have other issues anyway.

Car analogy: My brakes don't work, so kids should not cross the road. The problem isn't the kids crossing the road.

oninoshiko
Posts: 76
Joined: Sun Jan 29, 2012 9:16 pm

Re: Preconfigured image with SSH and/or VNC

Tue Feb 28, 2012 1:27 pm

bbramble said:


RaTTuS said:


1) you are a home user – you have trojan infected windows boxes

2) you plug your RPi into your home network to do secure banking on it

3) you take your RPi round to your mates for a demo and don't re-create the SD card afterwards

4) you take your RPi into school


You remember the RPi is a development board and not a home computer and none of this applies.

If you have a trojan infected windows box you have other issues anyway.


That may be, but it's so common it's unignorable. Unnetworked machines in an industrial setting got hit.


Car analogy: My brakes don't work, so kids should not cross the road. The problem isn't the kids crossing the road.


This is, quite possibly, one of the worst bad car analogies I've seen. You are taking a situation that you have a reasonable expectation is uncommon and comparing it to one that is known to be highly common, ergo your analogy is completely invalid. Even if we did force it to be valid by saying you cut the brake lines of 90% of the population, the dead kids wouldn't care who was right.