SSH and the Ubuntu Server
Dustin Kirkland
kirkland at ubuntu.com
Wed Nov 17 21:38:53 GMT 2010
Ubuntu has long maintained a "no open ports by default" policy. This
conservative approach arguably yields a more secure default
installation. Several exceptions have been granted to this policy,
which install services on the target system without the user's
explicit consent, but in the calculated interest and support of a
vastly more usable Ubuntu.
Let me be clear: I am NOT requesting that sort of an exception.
I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
Technical Board approval of a new prompt in the Ubuntu Server ISO's
text-based installer, which would read something like the following:
----------------------------------------------------------
| If you need a secure connection to this
| server remotely, you may wish to install
| the openssh-server package. Note that
| this service will open TCP port 22 on
| your system, and you should use a very
| strong password.
|
| Do you want to install the SSH service?
|
| [[YES]] [no]
----------------------------------------------------------
Rest assured that the exact text will be word-smithed by an
appropriate committee to hash out an optimum verbiage.
This proposal requests that:
1) a new prompt be added to the Ubuntu Server installer
2) this prompt be dedicated to the boolean installation, or
non-installation, of the SSH service, as an essential facet of a
typical server
3) the cursor highlights the affirmative (yes, please install SSH),
but awaits the user's conscious decision
These key points map to the following considerations:
1) the current option to install SSH on Ubuntu servers is buried in
the tasksel menu
- SSH is more fundamental to a server than the higher level
profile selections for:
DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
2) users of the installation ISO will have the option to not install
SSH, as they so desire
- it is quite well understood that some users may not want SSH
installed on their server
3) highlighting the "YES" option on this page is absolutely essential
to addressing this usability issue
- and that selection is easily overridden by hitting <tab><enter>,
or by experienced admins in preseed configurations
Please consider that the very definition of a "server" implies that
the system is running a "service". Moreover, our official Ubuntu
Server images as published for the Amazon EC2 cloud are, in fact,
running SSH by default listening on port 22 on the unrestricted
Internet (the 'ubuntu' user has no password), and the Ubuntu Enterprise
Cloud installation by the very same ISO installs SSH on every
UEC system deployed. This is not unprecedented.
Having discussed the proposal with a subset of this audience (at UDS
and in IRC), here are some known FAQs:
Q: WTF?!? Ubuntu has no open ports by default!
A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs
SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most
importantly, this is not a "run by default" proposal. We have already
compromised on that subject, culminating in this proposal, which is
simply about providing Server users with an obvious way to install the
typically essential SSH service.
Q: Why not default the cursor on that question to "No", instead of "Yes"?
A: That totally bypasses the value of this proposal, and is only
microscopically better than what we currently have, where Ubuntu
Server users must go out of their way to add one of the most
fundamental packages to almost any server installation. The proposal,
as it stands, is already a compromise from the original suggestion at
UDS; which was, "if you're installing a server, you're expecting to
run a service, so let's just install SSH by default". That idea is
entirely out of scope now. We are proposing this installer question
as a reasonable compromise.
Q: What if the openssh-server package is compromised on the ISO?
A: Although this has happened before, it is relatively rare over the
history of Ubuntu. If/when this happens again, we would need to:
a) recommend that people choose "no" when prompted, and install
SSH post-installation from the security archive (same as we would do
now, actually)
b) and probably respin the ISOs (also been done before)
Q: Why don't we disable password authentication?
A: We could do this, and ask users to provide a public SSH key (or
even just a simple Launchpad userid whose public key we could securely
import). This would probably involve adding another page to the
installer; public SSH keys are hard to memorize, and others will
almost certainly object to even optionally tying their Launchpad ID to
Ubuntu installations. Most importantly, Ubuntu does not set a root
password, so an attacker would need to guess BOTH the username AND
password.
Q: What if I want a different sshd configuration than what's shipped
by default in Ubuntu, before running sshd?
A: You sound like an advanced user; please preseed your installation,
or add SSH after the initial install (as you would do now).
Q: Do we have to add another question to the Server installer to
accomplish this?
A: Actually, we don't. We could possibly simplify or remove a couple
of other questions. That discussion belongs in another thread,
though.
Sincerely,
Dustin Kirkland
Ubuntu Core Developer | Server Team | Guarded Gorilla
http://bit.ly/5-gorillas
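Editor's note: the post mentions two practitioner paths without spelling them out, preseeding openssh-server at install time (so the installer question never matters), and answering the "why not disable password authentication?" question by shipping a key-only sshd. The following is an added example, not code from the post or from Ubuntu. It emits a preseed fragment that pulls in openssh-server, turns off password logins before sshd is ever reachable on port 22, and imports a public key from Launchpad, and it includes a small check that an sshd_config really refuses passwords. Assumptions: the d-i keys pkgsel/include and preseed/late_command behave as in the standard Debian installer, the first-created user is named "ubuntu", ssh-import-id is available as a package and accepts the lp:USER form, the installed system has network access during late_command, and "lp:EXAMPLE" is a placeholder Launchpad id.

```sh
#!/bin/sh
# Added example, not part of the original post or of any Ubuntu package.
# Placeholders: Launchpad id "lp:EXAMPLE", first user "ubuntu".

# Emit a preseed fragment. pkgsel/include installs the listed packages with
# the base system; preseed/late_command runs in the installer environment
# after packages are installed, and in-target runs a command inside the
# freshly installed system, i.e. before sshd has ever accepted a connection.
preseed_fragment() {
    cat <<'EOF'
d-i pkgsel/include string openssh-server ssh-import-id
d-i preseed/late_command string \
    in-target sh -c 'sed -i "s/^#\?PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config'; \
    in-target sh -c 'sed -i "s/^#\?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/" /etc/ssh/sshd_config'; \
    in-target sh -c 'sed -i "s/^#\?PermitRootLogin .*/PermitRootLogin no/" /etc/ssh/sshd_config'; \
    in-target su - ubuntu -c 'ssh-import-id lp:EXAMPLE'
EOF
}

# Print the effective value of one sshd_config directive read from stdin.
# sshd honours the FIRST occurrence of a directive (later ones are ignored),
# and directives inside a Match block are conditional, so this stops at the
# first Match line. Comment lines are skipped, which is why a commented-out
# "#PasswordAuthentication yes" leaves the compiled-in default ("yes") in force.
effective_directive() {
    awk -v d="$1" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == tolower(d) { print tolower($2); exit }
    '
}

# Succeed only if the config on stdin really refuses passwords. Both
# directives must be "no": with UsePAM, ChallengeResponseAuthentication
# alone still lets keyboard-interactive password prompts through.
password_auth_disabled() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | effective_directive PasswordAuthentication)
    cr=$(printf '%s\n' "$cfg" | effective_directive ChallengeResponseAuthentication)
    [ "${pa:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}

# Constructed sample configs (not real Ubuntu files).
# Weak: the stock layout, PasswordAuthentication commented out, so "yes" applies.
WEAK_CFG='Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Hardened: what the late_command above produces.
HARDENED_CFG='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes'

# Trap: appending a "no" after an existing "yes" changes nothing, because
# sshd keeps the first value it saw.
TRAP_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'

check_weak()     { printf '%s\n' "$WEAK_CFG"     | password_auth_disabled; }
check_hardened() { printf '%s\n' "$HARDENED_CFG" | password_auth_disabled; }
check_trap()     { printf '%s\n' "$TRAP_CFG"     | password_auth_disabled; }

# Stand-alone demonstration.
preseed_fragment
for name in weak hardened trap; do
    if "check_$name"; then
        echo "$name config: password authentication disabled"
    else
        echo "$name config: password authentication still ENABLED"
    fi
done
```

The checker deliberately models the first-match rule and the commented-out default, because those are the two ways a "hardened" sshd_config silently stays password-enabled; run it against the real file with `password_auth_disabled < /etc/ssh/sshd_config`, and use `sshd -T | grep -i passwordauthentication` on the installed host to confirm what the daemon itself resolved.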