[Bug 2031067] Re: openssh-server installed with password auth despite deselected option

Michael Hudson-Doyle 2031067 at bugs.launchpad.net
Sun Sep 24 23:56:53 UTC 2023


This is fixed in the 23.10 daily images now.

** Changed in: subiquity (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2031067

Title:
  openssh-server installed with password auth despite deselected option

Status in subiquity package in Ubuntu:
  Fix Released

Bug description:
  I tested on Ubuntu 22.04.3 LTS and Ubuntu 23.04, generated as
  libvirt/kvm instances.

  Steps to reproduce:
  1. Install Ubuntu Server using the installer
  2. Keep all defaults, including leaving "Install OpenSSH server" deselected.

  What we expect:
  We expect openssh-server to be uninstalled and the sshd service to be inactive/nonexistent, since it was not selected.

  What happened instead:
  Instead, the sshd daemon is active regardless, and the host is accessible by ssh with password authentication by default. This presents a major security risk, since, possibly unbeknownst to the user, it increases the attack surface for intrusion and leaves the server vulnerable to password-based authentication, which is normally considered insecure (namely, compared to key-based authentication). Users may be configuring servers with the expectation that they are only accessible by local login and inadvertently exposing their servers to SSH intrusion.

  Suggested fix:
  The installer should respect the user's choice to leave openssh-server uninstalled if the option to install is deselected.

  Although this is easy to reproduce and may be obvious to malicious
  actors, because this is a potential security vulnerability, I am
  erring on the side of caution and filing as a security vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2031067/+subscriptions
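A post-install check for the condition the reporter describes (openssh-server present, sshd running, passwords accepted) is shown below. This is an added example, not code from the bug report, from subiquity or from Ubuntu; it assumes a Debian/Ubuntu host with `dpkg-query`, `systemctl` and `sshd` on the path, that the unit is named `ssh.service` (with `sshd.service` as a possible alias), and that `sshd -T` is run with enough privilege to print the effective configuration. The `--live` flag and the function names are this example's own choices.

```shell
#!/bin/sh
# Audit whether a freshly installed host is reachable over SSH with
# password authentication, as described in the bug report above.
# The parsing helper only needs awk; the live audit needs dpkg-query,
# systemctl and sshd (Debian/Ubuntu assumptions).

# Read `sshd -T` output on stdin: the effective configuration, one
# lowercased "keyword value" line per option. Exit 0 when password
# authentication is enabled, 1 when it is disabled, 2 when the keyword
# is absent (the input was not sshd -T output).
password_auth_enabled() {
    awk '
        $1 == "passwordauthentication" { found = 1; val = $2 }
        END {
            if (!found) exit 2
            if (val == "yes") exit 0
            exit 1
        }'
}

# Inspect the running system. Prints one line per finding and returns 0
# when the host matches what the reporter expected (no SSH daemon
# accepting passwords), 1 when sshd is up and PasswordAuthentication is on.
audit_ssh_exposure() {
    status=$(dpkg-query -W -f='${Status}' openssh-server 2>/dev/null || true)
    case "$status" in
        *"install ok installed"*) echo "openssh-server: installed" ;;
        *) echo "openssh-server: not installed"; return 0 ;;
    esac

    # Ubuntu names the unit ssh.service; sshd.service is an alias on
    # newer releases, so check both.
    if systemctl is-active --quiet ssh.service 2>/dev/null \
        || systemctl is-active --quiet sshd.service 2>/dev/null; then
        echo "sshd: active"
    else
        echo "sshd: inactive"
        return 0
    fi

    # sshd -T prints the effective configuration (needs root); an empty
    # result makes the helper return 2, which is treated as undetermined.
    if sshd -T 2>/dev/null | password_auth_enabled; then
        echo "PasswordAuthentication: yes (reachable with passwords)"
        return 1
    fi
    echo "PasswordAuthentication: no or undetermined"
    return 0
}

# Only touch the live system when asked, so the helper can be sourced
# and tested on constructed input.
if [ "${1:-}" = "--live" ]; then
    audit_ssh_exposure
fi
```

Run `sudo sh check-ssh.sh --live` after installation; a non-zero exit means the installer left a password-accepting sshd running, and the remedy is to either remove openssh-server or set `PasswordAuthentication no` in `sshd_config` and restart the service.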