SSH and the Ubuntu Server

Kees Cook kees at ubuntu.com
Wed Nov 17 22:43:38 GMT 2010 

On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
> Ubuntu has long maintained a "no open ports by default" policy.

https://wiki.ubuntu.com/SecurityTeam/Policies#No%20Open%20Ports
"Default installations of Ubuntu must have no listening network services
after initial install."

One point of these policies is to provide users with a clear set of
guarantees they can depend on when planning their use of Ubuntu.

> Several exceptions have been granted to this policy,

To clarify, it is actually a "class" of services that have a standing
exception: those that are required become a member of the network itself
("network infrastructure services"), so far: DHCP, IPv4LL, and mDNS.

> Let me be clear: I am NOT requesting that sort of an exception.

Then it will be the language of the first sentence that matters.

> These key points map to the following considerations:
>  1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
>     - SSH is more fundamental to a server than the higher level
> profile selections for:
>       DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed, this makes perfect sense to me -- there is a large number of Ubuntu
Server users that immediately install openssh-server after the install is
finished.

>  3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue
>     - and that selection is easily overridden by hitting <tab><enter>,
> or by experienced admins in preseed configurations

I suspect this will be the core of the argument, and how it relates to
the definition of "default installation". I would argue that hitting
enter on all questions without reading them would result in a "default
installation". Taking this approach means highlighting "no" by default
would be policy-safe way to add this prompt.

> Please consider that the very definition of a "server" implies that
> the system is running a "service".

Well, I think this point is less clear-cut. There are people genuinely
interested in not running SSH. But, if it goes this way, then the argument
is centered around "installations of Ubuntu" for the definition of
"Ubuntu". Does that mean only "Desktop"? I would argue that it has meant
Desktop and Server, since security policy and features apply to both
equally.

> Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every every
> UEC system deployed. This is not unprecedented.

It was argued to me that "Ubuntu Enterprise Cloud" and "Ubuntu EC2 AMIs"
are not "default installations of Ubuntu", again centering around what
"Ubuntu" in the policy means. If this holds, then the language around
the policy should be clarified to handle these existing situations at the
same time as solving the "Server with SSH" situation.

-Kees

-- 
Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list