FreeBSD - a lesson in poor defaults?
Dan Lukes
dan at obluda.cz
Wed Jul 13 08:57:26 UTC 2016
On 13.7.2016 9:38, Steve Clement wrote:
> https://vez.mrsk.me/freebsd-defaults.txt
This document is based on premise I can't agree with. I will not dispute
each argument in the document, but there are two main ideas.
Features compiled in and features turned on by default.
According features compiled in ...
I'm administrator responsible for a computer configuration.
If OpenSSH devs have publicly said threads are too risky and won't be
added, I'm hearing their opinion and taking them seriously, but final
decision shall be mine.
I wish I will be allowed to decide I wish to use threads, NONE cipher
and so on.
In short, no features should be removed/disabled at compiled time
because if "security" (assuming the "insecure" feature can be disabled
by configuration).
According features turned on by default ...
To say true, I don't care them so much. Performance, backward
compatibility and security require trade offs all the time. There are no
generic answers.
I assume the virgin installed system will be ready to be remotely
configured (e.g. sshd running, no firewall).
Particular system needs to be tuned according local environment, goal
and requirements. Thus I don't care install-time defaults so much.
Just $0.02 ...
Dan
More information about the freebsd-security
mailing list