SSH and the Ubuntu Server
kirkland at ubuntu.com
Thu Nov 18 14:00:30 UTC 2010
I inadvertently left ubuntu-server@ off of the original distribution.
Sorry about that. CC'ing now.
There are a few responses already in the thread:
On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland <kirkland at ubuntu.com> wrote:
> Ubuntu has long maintained a "no open ports by default" policy. This
> conservative approach arguably yields a more secure default
> installation. Several exceptions have been granted to this policy,
> which install services on the target system without the user's
> explicit consent, but in the calculated interest and support of a
> vastly more usable Ubuntu.
> Let me be clear: I am NOT requesting that sort of an exception.
> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
> Technical Board approval of a new prompt in the Ubuntu Server ISO's
> text-based installer, which would read something like the following:
> | If you need a secure connection to this
> | server remotely, you may wish to install
> | the openssh-server package. Note that
> | this service will open TCP port 22 on
> | your system, and you should use a very
> | strong password.
> | Do you want to install the SSH service?
> | [[YES]] [no]
> Rest assured that the exact text will be word-smithed by an
> appropriate committee to hash out an optimum verbiage.
> This proposal requests that:
> 1) a new prompt be added to the Ubuntu Server installer
> 2) this prompt be dedicated to the boolean installation, or
> non-installation, of the SSH service, as an essential facet of a
> typical server
> 3) the cursor highlights the affirmative (yes, please install SSH),
> but awaits the user's conscious decision
> These key points map to the following considerations:
> 1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
> - SSH is more fundamental to a server than the higher level
> profile selections for:
> DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
> 2) users of the installation ISO will have the option to not install
> SSH, as they so desire
> - it is quite well understood that some users may not want SSH
> installed on their server
> 3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue
> - and that selection is easily overridden by hitting <tab><enter>,
> or by experienced admins in preseed configurations
> Please consider that the very definition of a "server" implies that
> the system is running a "service". Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every every
> UEC system deployed. This is not unprecedented.
> Having discussed the proposal with a subset of this audience (at UDS
> and in IRC), here are some known FAQs:
> Q: WTF?!? Ubuntu has no open ports by default!
> A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs
> SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most
> importantly, this is not a "run by default" proposal. We have already
> compromised on that subject, culminating in this proposal, which is
> simply about providing Server users with an obvious way to install the
> typically essential SSH service.
> Q: Why not default the cursor on that question to "No", instead of "Yes"?
> A: That totally bypasses the value of this proposal, and is only
> microscopically better than what we currently have, where Ubuntu
> Server users must go out of their way to add one of the most
> fundamental packages to almost any server installation. The proposal,
> as it stands, is already a compromise from the original suggestion at
> UDS; which was, "if you're installing a server, you're expecting to
> run a service, so let's just install SSH by default". That idea is
> entirely out of scope now. We are proposing this installer question
> as a reasonable compromise.
> Q: What if the openssh-server package is compromised on the ISO?
> A: Although this has happened before, it is relatively rare over the
> history of Ubuntu. If/when this happens again, we would need to:
> a) recommend that people choose "no" when prompted, and install
> SSH post-installation from the security archive (same as we would do
> now, actually)
> b) and probably respin the ISOs (also been done before)
> Q: Why don't we disable password authentication?
> A: We could do this, and ask users to provide a public SSH key (or
> even just a simple Launchpad userid whose public key we could securely
> import). This would probably involve adding another page to the
> installer, public SSH keys are hard to memorize, while others will
> almost certainly object to even optionally tying their Launchpad ID to
> Ubuntu installations. Most importantly, Ubuntu does not set a root
> password, so an attacker would need to guess BOTH the username AND
> Q: What if I want a different sshd configuration than what's shipped
> by default in Ubuntu, before running sshd?
> A: You sound like an advanced user; please preseed your installation,
> or add SSH after the initial install (as you would do now).
> Q: Do we have to add another question to the Server installer to
> accomplish this?
> A: Actually, we don't. We could possibly simplify or remove a couple
> of other questions. That discussion belongs in another thread,
> Dustin Kirkland
> Ubuntu Core Developer | Server Team | Guarded Gorilla
More information about the Ubuntu-devel-discuss