Minimal Install Option

Bill Anderson bill at noreboots.com
Thu Aug 21 22:39:43 UTC 2003


On Thu, 2003-08-21 at 14:47, Chris Ricker wrote:
> On Thu, 21 Aug 2003, Bill Anderson wrote:
> 
> > > Wrong one. I wanted pam_krb5, which was also on your list. Makes sense on 
> > > interior routers (as might ssh, for the same reasons/uses), doesn't on 
> > > exterior.
> > 
> > Ahh, ok. However, below, you say no logging in remotely at all, so why
> > pam_krb at all then? The only time someone should need to log into a
> > firewall/router, is for administrative purposes.
> 
> Right, but we're talking about different machines there.
> 
> My point, which seems to have been lost in all sorts of security-related 
> sidetracks, was that "firewall / router" is not one category. It's all of:
...
> And that's nowhere near to covering all of them, ignores smaller shops
> (where pretty much everything is managed remotely in-band, often by 3rd
> parties), is based on my opinions / perceptions / experience -- which 
> probably don't match yours, and uses broad categorizations like border or 
> interior which don't really neatly apply
> 
> Having one category that happily fits all those just isn't going to happen.
> 

We aren't talking about the best desktop or server in general, nor are
we talking about the "best" configuration of packages to cover all
firewall/router possibilities. We are talking about a "Minimal" option,
which means least common denominator for the category. Do all
firewall/routers need krb? No? Then it is an option. Do they all need
NIS or DHCP? No? Then they are optional. Do they need iproute? Yes? Then
it's in. In the vast majority of the cases, if you need kerberos, you
know that. If you need for some ungodly reason to make your firewall an
NIS client, you'll know that. So you add them in.

So you have the default minimum required be the ones that are *least
common denominator* (i.e. what is the minimum amount they *all* need), and
provide the option to add additional packages as needed by clicking on
the "Details" link during the install. Just as is done with most of the
install group options.

There are two issues with the install-time option of Minimum "for
firewall/router".

1) It installs things that *most* people do not (or should not, such as
rsh) put on those machines, and provides no way of easily deselecting
them. By that I mean you don't play the "OK, let us see if I found all
those nasty dependencies this time" game in the installer.

If you take the "install it and remove it" game, you wind up spending
even more time to install the system as you remove various bits and
pieces, and track down their dependencies.

2) Nearly all of these packages that should be optional are *mandatory*
when doing a minimal install.

Not all truck beds fit everybody. So manufacturers offer a variety of
beds, and a "Minimal" configuration which includes no bed. Then you can
add your own bed to it. This is easier (and cheaper) than "ahh just buy
the smallest bed and start removing pieces of the bed you don't
want/need". I see no reason why having a minimal installation for a
firewall/router has to have pieces that you do not need, pieces that
"may" be useful. Give me the choice to add them during the install. Even
if you have some of these things selected by default, being able to
*unselect* them makes a positive difference.

In fact, this option could be the means to remove all these "I want this
install package group X option but this way instead" pleas. You go into
the install, select the minimum, and start adding what you need. This is
far and away easier. Minimalization is the opposite of feature creep,
and it has a final point. 

Although, I think one could make an argument for a "stick" option that
installs the real basics selected earlier in the process. Where you
select Server, Workstation, etc. there could be a "Base only" option
where it installs a base system that allows you to install things (RPM)
and connect to a network to get additional packages. Maybe even Base
w/Network, Base w/Dialup Networking.

But that's not the same issue as a Minimal Minimal Server install.

As I've noted, of the more than two dozen changes I suggested, only 3/4
have been challenged, and of them only 1/2 continually. :) That tells me
that there is plenty of room to trim this "Minimal" firewall/router
option down.

So we are hashing back and forth on ssh and kerberos. How about getting
a consensus on the rest, such as parted, talk, etc.?

Given the comments on DHCP client, here is the new list I propose:

Remove:
aspell
aspell-en
autofs
finger
irda-utils
mt-st
mtools
krb5-workstation
nfs-utils
pam_smb
rsh 
jwhois
wget
ypbind
unix2dos 
kudzu 
at 
parted 
sudo 
talk # TALK!?!?!?! on a FIREWALL??!?

Optional in the Minimal Group or Elsewhere:
<Dial Up Group?
dos2unix
eject
gpm
kernel-pcmcia-cs 
apmd
dump
ftp 
mtr 
nss_ldap 
pam_krb5 
pidentd 
reiserfs-utils 
rp-pppoe 
jfsutils 
sendmail 
slocate 
specspo 
tcsh  (MAYBE REMOVE?)
telnet 
traceroute
up2date 
wireless-tools 
lha 
bc  
lftp 
openssh-clients 

That is 20 package removals, 26 packages moved to an optional state.
That's 46 packages removed from the stock default "Minimum" install. Out
of these 46 changes, we seem to be hung on about 10%. 

> > Thus, moving files to it using kerberos auth will still leave those files
> > plaintext over the wire. Thus, for things like this ssh is a more secure
> > -in general- option.
> 
> They're not either-ors. You can use krb for scp authentication, for example.

Yes, but then one is back to the openssh exploit train. All abOORD! ;^)

-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com
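
An added example, not part of the original message: a POSIX shell audit that checks an RPM-based host against the "Remove" list proposed above and shows which installed packages a dry-run erase (`rpm -e --test`) reports as held in place by dependencies, the "install it and remove it" problem the message describes. The function names and output format are this example's own choices.

```shell
#!/bin/sh
# Added example: audit a host against the post's proposed "Remove" list.
# Package names are copied from that list; everything else is illustrative.

REMOVE_LIST="aspell aspell-en autofs finger irda-utils mt-st mtools
krb5-workstation nfs-utils pam_smb rsh jwhois wget ypbind unix2dos kudzu at
parted sudo talk"

# Print one status line per listed package:
#   absent <pkg>     not installed
#   removable <pkg>  installed, dry-run erase succeeds
#   blocked <pkg>    installed, dry-run erase fails (rpm's reason follows,
#                    indented, e.g. the packages that still depend on it)
audit_remove_list() {
    for pkg in $REMOVE_LIST; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            echo "absent $pkg"
        elif out=$(rpm -e --test "$pkg" 2>&1); then
            echo "removable $pkg"
        else
            echo "blocked $pkg"
            printf '%s\n' "$out" | sed 's/^/    /'
        fi
    done
}

# Count the packages in one state (absent, removable or blocked).
# Indented reason lines are ignored.
count_state() {
    audit_remove_list |
        awk -v s="$1" '$0 !~ /^ / && $1 == s { n++ } END { print n + 0 }'
}

# Run the audit only where rpm is available.
if command -v rpm >/dev/null 2>&1; then
    audit_remove_list
fi
```

Nothing is removed by this script; `--test` only simulates the erase, so the output is a worklist of what can go immediately and what needs its dependents dealt with first.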







More information about the fedora-test-list mailing list