[usrbinbash]

How is baking this into sshd "better"?

UNIX Philosophy: "Do one thing, and do it well". An encrypted remote shell protocol server should not be responsible for fending off attackers. That's the job of IDS and IPS daemons.

Password-based ssh is an anachronism anyway. For an internet-facing server, people should REALLY use ssh keys instead (and preferably use a non-standard port, and maybe even port knocking).

[hnlmorg]

It’s better if you want an out of the box secure experience. This might be quite a nice default for some VPSs.

If you have a IDS and IPS set up then you’re already enterprise enough that you want your logs shipped and managed by a single pane of glass. This new SSH feature isn’t intended to solve enterprise-level problems.

Plus if you want to argue about “unix philosophy” with regards to SSH then why aren’t you kicking off about SOCKS, file transfer, port forwarding, and the countless other features SSH has that aren’t related to “shell” part of SSH? The change you’re moaning about has more relevance than most of the other extended features people love SSH for.

[usrbinbash]

> This new SSH feature isn’t intended to solve enterprise-level problems.

But service level security features have the potential to cause enterprise-level problems.

Sure, in an ideal world, all admins would always make zero mistakes. And so would the admins of all of our clients, and their interns, and their automated deployment scripts. Also in that perfect world, service level security features would never be on by default, have the same default configuration across all distros, and be easy to configure.

But, alas, we don't live in a perfect world. And so I have seen more than one service-level security feature, implemented with the best of intentions, causing a production system to grind to a halt.

[hnlmorg]

> But service level security features have the potential to cause enterprise-level problems.

Only if you don’t know what you’re doing. Which you should given you’re paid to work on enterprise systems.

Whereas not having this causes problems for users are not paid to learn this technology.

So it seems completely reasonable to tailor some features to lesser experienced owners given the wide spectrum of users that run openssh.