# [SOLVED] removing ssh

## farmer.ro

I have no need for ssh, and I would like to completely remove the ssh service. I am also unsure if I am running the ssh client or the ssh server.

When I

```
emerge -C --ask ssh
```

it keeps pulling back in ssh, because it belongs to the base system.

```
whereis sshd

sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.bz2
```

```
whereis ssh

ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.bz2
```

Question: how can I make sure ssh gets fully removed from my system, and will not be pulled in by emerge again?

Last edited by farmer.ro on Thu Oct 20, 2016 6:16 am; edited 3 times in total

----------

## ct85711

see here https://forums.gentoo.org/viewtopic-t-1048864.html

----------

## farmer.ro

So I cannot remove unwanted software from my computer? That is bad.

----------

## depontius

Reading the reference, it looks to me as if you could remove ssh if you quit using GNOME.  I don't know if KDE similarly requires ssh, you'd have to check that.  Personally I use icewm and my wife uses xfce.  I don't know if the latter requires ssh, but I use it all the time, so I want it installed.

However, make sure you put the blame where it is due - presumably GNOME, not Gentoo.  (It might be worth checking if ssh is part of @system before I make that statement.)

----------

## farmer.ro

I am using XFCE on Gentoo, and after removing the ssh package, it automatically gets pulled in again after updating.

On Debian Jessie, I was also using XFCE, but there I could just

```
apt-get --purge autoremove ssh
```

 with no problems.

Question: is it even possible to remove the ssh package on XFCE/Gentoo, for example by blacklisting the ssh package in some way? I think I have seen somewhere that it is not advised to remove base parts of the system, because it could possibly break the system. Is that true?

----------

## 1clue

I'm using headless gentoo, and eix -c --system includes ssh.

For me this is not a problem because it's my means of connecting to pretty much every box I'm not sitting at.

----------

## depontius

You realize of course that as long as you don't start sshd, having ssh installed is only a slight waste of disk space, not a security exposure.  If someone wanted to phone home and they're on your machine, there are so many ways to do that that having ssh installed is no significant additional exposure.  For safety you could also configure /etc/sshd_config in such a way that no one could ever connect to it anyway.  Compared to so much software out there these days, the wasted disk space is negligible.

----------

## 1clue

Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.

Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh.

----------

## farmer.ro

 *1clue wrote:*   

> Nonetheless it seems odd that Gentoo, a distro based on minimalism of requirements and choice of what to install, has ssh in its @system set.
> 
> Personally I'll install it anyway, but it's odd that they make us choose an event logger and an init system, but don't let us choose to not install ssh.

 

+1

----------

## mikegpitt

 *1clue wrote:*   

> Gentoo, a distro based on minimalism of requirements and choice of what to install

 I would argue that Gentoo isn't about minimalism, but customization.

As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems.  If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing.  Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files.

----------

## 1clue

 *mikegpitt wrote:*   

> *1clue wrote:*
> > Gentoo, a distro based on minimalism of requirements and choice of what to install
>
> I would argue that Gentoo isn't about minimalism, but customization.
> 
> As such, you have the choice of two packages that fit the requirement of virtual/ssh, openssh and dropbear. I've never used the latter, but it's an option for USE='minimal' systems.  If you really wanted to purge SSH completely, another option is to use a custom portage overlay and add your own version of virtual/ssh with a new dependency that installs some sort of custom ebuild that installs nothing.  Or, even better, if you want to keep the ssh client but not the server, modify the ssh ebuild, in a custom overlay, to have a new 'ssh-server' USE flag and skip installing the sshd related files.

 

And if you build a system which has no networking, do you still think you should be required to have an ssh?

----------

## 1clue

IMO the best customization is minimalism. The less that is required the more flexible the design.

I've been using Gentoo for a long time without having to ever use a custom overlay. While I acknowledge that an overlay would be a workable solution, I simply think it's odd that ssh is a required package on a distro like Gentoo.

----------

## wjb

This any use?

https://forums.gentoo.org/viewtopic-t-963412-start-0.html

Personally, it's in the noise:

```
$ equery size openssh

 * net-misc/openssh-7.2_p2

         Total files : 75

         Total size  : 4.92 MiB

```

vs

```
$ du /usr/portage/distfiles

...

15106972        total
```

???

----------

## haarp

Shouldn't adding ssh to package.provided solve this?

----------

## mv

The correct way is to remove virtual/ssh from the local profile.

----------

## farmer.ro

 *mv wrote:*   

> The correct way is to remove virtual/ssh from the local profile.

 

How would one do such a thing in this case?

----------

## Ant P.

 *farmer.ro wrote:*   

> how would one do such a thing in this case?

 

```
mkdir -p /etc/portage/profile

echo '-*virtual/ssh' >> /etc/portage/profile/packages

emerge --depclean --ask --verbose net-misc/openssh
```

See `man 5 portage`.

----------

## Logicien

I don't think that removing Ssh and Sshd is brilliant. Even with no local network, you never know when a problem will occur and you need to plug another computer into it to debug the problem. In addition, it is useful in virtual networking. Sshd is started on all my Linux distributions at boot time.

The question, in my opinion, is more about configuring Sshd to be completely secure in a local network, to prevent any attack from the outside and the inside, and keeping its administrative advantages, than about removing it and losing its administrative advantages.

Some hints:

- do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).

- limit root privileges access.

- have a Firewall with good rules.

----------

## mv

 *Logicien wrote:*   

> I don't think that remove Ssh and Sshd is brilliant. Even with no local network, you never know when a problem occur and you need to plug an other computer to it to debug the problem.

 

If you have local access to the machine you can use a rescue CD which has ssh. No need to risk having ssh running all of the time. No matter what you do it is always a risk (though admittedly rather small).

 *Quote:*   

> - do not allow root connections in /etc/ssh/sshd_config (this is the default anyway).
> 
> - limit root privileges access.
> 
> - have a Firewall with good rules.

 

Disallowing root connections also carries serious limitations with it (e.g. no easy backup/restore with rsync), and essentially just increases the length of your "secret" unless you remove all "regular" ways (su/sudo/...) to become root for your ssh accounts. In the latter case, it defeats the possibility to repair something over ssh.

The same with the firewall: If you let sshd listen only to localhost, a firewall does not increase security, but you cannot repair the system when you are not locally connected; similarly, if you want to allow connections from the net, a firewall cannot help. It can add some "security by obscurity" (e.g. port knocking), though.

----------

## farmer.ro

 *Ant P. wrote:*   

> *farmer.ro wrote:*
> > how would one do such a thing in this case?
>
> ```
> mkdir -p /etc/portage/profile
> 
> ...
> ```

 

Thanks, this stopped "virtual/ssh" being pulled in :)

However, when I try to do the same for net-misc/openssh, it keeps getting pulled in by emerge.

```
Calculating dependencies... done!

[ebuild  N     ] net-misc/openssh-7.3_p1-r1  USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static" 

[ebuild  N     ] virtual/ssh-0  USE="-minimal
```

**edit** I think it is impossible to remove net-misc/openssh because of the USE="X bindist ldap pam pie ssl -X509 -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp (-selinux) -skey -ssh1 -static" dependencies.

Any ideas on how to stop net-misc/openssh being pulled in?

----------

## mv

 *farmer.ro wrote:*   

> Thanks this stopped "virtual/ssh" being pulled in :-)

 

According to your output, it is still pulled in. Probably some program you installed depends on it, or your /etc/portage/profile/packages does not work as expected. You might also need

```
echo 5 >/etc/portage/profile/eapi
```
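The profile override from Ant P.'s post, together with the eapi file mv mentions here, as an added example that is not from the thread: the commands are wrapped in a function so that running them twice does not append a duplicate line, and a second function reports whether the exclusion is in place. The directory argument and the function names are my own; the default directory is the one the thread uses, /etc/portage/profile.

```shell
# Added example, not from the thread: the profile override Ant P. posted plus the
# eapi file mv mentions, wrapped so that repeated runs are harmless. The
# directory argument and the function names are my own; the default directory
# is the one the thread uses, /etc/portage/profile.

# Remove a package from the @system set through the local profile.
# $1 = package atom (e.g. virtual/ssh), $2 = profile directory (optional)
drop_from_system() {
    atom=$1
    dir=${2:-/etc/portage/profile}
    mkdir -p "$dir" || return 1
    # The profile needs an EAPI that understands the "packages" file; 5 is the
    # value mv suggested in the thread. Do not clobber an existing choice.
    [ -f "$dir/eapi" ] || echo 5 > "$dir/eapi"
    # "-*cat/pkg" removes the atom from the system set (man 5 portage).
    # -x matches the whole line, -F takes the pattern literally, -- stops the
    # leading dash from being read as an option. Append only when absent.
    if ! grep -qxF -- "-*$atom" "$dir/packages" 2>/dev/null; then
        echo "-*$atom" >> "$dir/packages"
    fi
}

# Tell whether an atom is currently excluded from @system by that profile.
# Prints "excluded" (exit 0) or "present" (exit 1).
system_status() {
    atom=$1
    dir=${2:-/etc/portage/profile}
    if grep -qxF -- "-*$atom" "$dir/packages" 2>/dev/null; then
        echo excluded
        return 0
    fi
    echo present
    return 1
}

# On a real box (as root), then let portage remove the now-orphaned package:
#   drop_from_system virtual/ssh
#   emerge --depclean --ask --verbose net-misc/openssh
```

Note that this only takes the virtual out of @system; as the later posts in the thread show, a package with its own dependency on net-misc/openssh (gvfs in farmer.ro's case) will still pull it back in, and `equery d net-misc/openssh` is the way to find that package.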

----------

## Logicien

mv,

other important hints:

- have a good password.

- stay with a stable version of Ssh.

Being able to connect to a frozen system via Ssh gives, from the beginning, an important piece of information: the system is not completely frozen, it's breathing. You can do something to resolve the problem while the system is alive and running, with all the other information it can give, which a live medium cannot do as well.

Does Openssh have a security issue? How many packages of the base system must be removed from the Portage tree? Anyway, it's a user's right, I recognise.

:D

----------

## mikegpitt

 *farmer.ro wrote:*   

> any ideas on how to stop net-misc/openssh being pulled in?

 

Try this to see why it's being pulled:

```
equery d net-misc/openssh
```

----------

## szatox

 *Quote:*   

> [ebuild  N     ] virtual/ssh-0  USE="-minimal

 

AFAIR USE="minimal" in this line will only pull ssh client and not the server.

Hint: you can mask a package you don't want. Once you attempt installing a package that depends on it, emerge will complain about it and - usually - offer a solution.

----------

## Logicien

szatox,

Will the Emerge solution be something other than unmasking the previously masked package?

I have a related question for anyone who wants to answer it. When you mask a package from the base system and you report a subsequent bug, related or not to it, will it be taken into account by the Gentoo developers?

----------

## szatox

 *Quote:*   

> Will the Emerge solution be something other than unmasking the previously masked package?

  Maybe. It may pull another package in the same place. It will name the package that pulls your masked stuff and quite often the offending USE flag. If you can drop that flag, you will also drop a dependency.

----------

## eccerr0r

From the other LOCKED thread https://forums.gentoo.org/viewtopic-t-1053214-highlight-.html the offending program is gvfs and it does have a hard runtime dependency on openssh.  And Thunar has a hard build dependency on gvfs so you can't remove that either.  Luckily ssh is an RDEP of gvfs, so simply unmerging openssh afterwards will work.   Thunar is xfce's file manager.

As it is I think the only way is to just leave the mask there and ignore the error.  Yes, ugly, but likely you'll need to get gvfs or perhaps there's a way to make gvfs work without enabling ssh, or perhaps the ebuild should be hacked to put in a fake switchable dependency on openssh as I think this is a soft rdep and thunar will work just fine as long as you never specify sftp/sshfs.

And all other things being said, I'm shocked a Linux user would never use ssh.  It's like the bread and butter of remote access (since telnetd is completely insecure) - what Un*x was designed for.

----------

## Hu

This seems like a perfect use case for /etc/portage/profile/package.provided.  Tell the system that openssh is provided, and it will stop trying to install it.  Whether you actually provide it (as the feature is intended to be used) or omit it and live with the errors caused by not having it is up to you.

----------

## farmer.ro

I was able to:

```
# emerge --ask -C openssh
```

after putting:

```
/etc/portage/profile/package.provided

net-misc/openssh-7.3_p1-r7

virtual/ssh-0
```

but now portage gives an error:

```
# emerge --ask --update --changed-use --deep @world

These are the packages that would be merged, in order:

Calculating dependencies... done!

WARNING: A requested package will not be merged because it is listed in

package.provided:

  virtual/ssh pulled in by 'system'

Nothing to merge; quitting.
```

Can the WARNING message be ignored?

I hope I did not break the system; however, I never use ssh, so removing it seems to enhance security by the principle of least privilege.

----------

## eccerr0r

That warning looks benign and correct.

I think that warning is good.  You are indeed doing something not expected by the Gentoo developers, so it's just warning you that it's not their fault if you have strange behavior - you did break what the devs assumed to be on your computer, and that is ssh.

Note if you do need support in the future, this will be scrutinized, just like having esoteric USE or CFLAGS...

----------

## farmer.ro

Does this mean my entire system is unstable, or does it simply mean that I do not have the ssh software installed?

----------

## Zucca

Usually virtual/ssh is pulled in by @system. I'm not sure if profile also affects that.

I would advise against removing ssh, but that has already been discussed.

Gentoo is about choice and customisation. Removing ssh should be possible without breakage because it's not a relevant part of running a minimal Gentoo system (correct me if I'm wrong). And by "should be" I mean that one should be able to remove it without @system pulling it back.

----------

## farmer.ro

I decided to leave sshd installed as it seems to be a vital part of Gentoo.

Maybe off-topic, but:

Previously I used to set PermitRootLogin to "no" in the /etc/ssh/sshd

but in the release notes of ssh it says:

```
 * The default for the sshd_config(5) PermitRootLogin option has

   changed from "yes" to "prohibit-password".

 * PermitRootLogin=without-password/prohibit-password now bans all

   interactive authentication methods, allowing only public-key,

   hostbased and GSSAPI authentication (previously it permitted

   keyboard-interactive and password-less authentication if those

   were enabled).
```

Does this mean that setting PermitRootLogin to "no" is not needed any more, and the default "PermitRootLogin prohibit-password" is secure enough?

----------

## Hu

You can set either of them.  If I recall correctly, you posted at least once saying you would not run sshd at all, in which case your choice in its configuration file is irrelevant.  Setting PermitRootLogin no prohibits sshd from ever allowing root to log in.  PermitRootLogin prohibit-password prohibits sshd from allowing root to log in using certain types of authentication and permits it for other types, as described in the documentation.  The greatest security comes from the least functionality.  Disabling sshd entirely will protect you more than trying to configure it to restrict certain types of login.
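A check for the PermitRootLogin question above, as an added example that is not from the thread: sshd resolves its configuration by taking the first value it reads for each keyword, ignoring comment lines, and applying anything after a `Match` line only to matching connections, so a quick `grep` can easily report the wrong setting. The functions below apply those rules to a config file, fall back to the default the release notes quoted above give (prohibit-password), and classify the result. Function names and the sample config are my own.

```shell
# Added example, not from the thread: resolve the effective PermitRootLogin value
# of an sshd_config the way sshd itself does. Rules applied: lines starting with
# "#" are comments (so a commented-out default does not count), for each keyword
# the FIRST value read wins, "Keyword value" and "Keyword=value" are both valid,
# and anything after a "Match" line only applies to matching connections, so it
# is left out of the global answer. The default for an unset option is taken
# from the release notes quoted above: prohibit-password. Function names and the
# sample config are my own.

# Usage: effective_permit_root_login /path/to/sshd_config
effective_permit_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        # Split on whitespace or on "=" with optional surrounding whitespace.
        { split(line, f, /[ \t]*=[ \t]*|[ \t]+/) }
        # Everything after Match is conditional: stop here (END still runs).
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" && !found { val = f[2]; found = 1 }
        END { print (found ? val : "prohibit-password") }
    ' "$1"
}

# Classify the value by what it means for password-based root logins.
root_login_risk() {
    case "$(effective_permit_root_login "$1")" in
        no)                                  echo "root login disabled" ;;
        prohibit-password|without-password)  echo "root login key-only" ;;
        forced-commands-only)                echo "root login key-only, forced commands" ;;
        yes)                                 echo "root login allowed with password" ;;
        *)                                   echo "unrecognised value" ;;
    esac
}

# Constructed sample: a commented-out default, a real "no", a later duplicate
# that sshd ignores because the first value wins, and a Match block whose
# setting only applies to one source network.
write_sample_config() {
    cat > "$1" <<'EOF'
# PermitRootLogin prohibit-password
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
}
```

On a running host, `sshd -T` prints the fully resolved configuration and is the authoritative cross-check for what this parser reports; and, as Hu says, none of it matters if sshd is not started at all.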

----------

## eccerr0r

All you need to do is to make sure you (openrc)

```
# service sshd stop

# rc-update delete sshd default
```

to make sure sshd does not run.

What thunar/gvfs is using is actually the client ssh programs: sftp (and I think scp but not sure).  These do not need root privileges to run and run as the user you use gvfs under.  These allow for secure network virtual filesystems so you can copy files back and forth to other machines through the GUI.  If you don't have any other machines even on the internet somewhere that you could sftp to, then fine, yeah no reason to install.

However in either case all my machines have the other half of openssh: sshd - running. The main reason is that I can use another one of my machines to remote login to any other machine in case I freeze console and attempt to do recovery.  I can copy files back and forth between them without having to run and do something on both machines.  Ones that have soft power off, I can even shutdown remotely.

Granted yes this is of little use if you have only one machine and no network adapters/network equipment, but it'd confuse a lot less debug helpers if you simply had it installed but not running, so at least all the files are there and no warnings spat out.

----------

