SSH and the Ubuntu Server
Dave Walker
DaveWalker at ubuntu.com
Wed Nov 17 23:39:48 GMT 2010
Hi,
Firstly, I think it's great that our default experience and policy is
questioned on a regular basis. However, on this particular issue I'm
not passionate either way. For my usage, when it's not preseeded, I'm
now conditioned into installing sshd via the tasksel provided within
d-i. This proposal might make sense to improve discoverability.
On 17/11/10 22:43, Kees Cook wrote:
> On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
>> Ubuntu has long maintained a "no open ports by default" policy.
> https://wiki.ubuntu.com/SecurityTeam/Policies#No%20Open%20Ports
> "Default installations of Ubuntu must have no listening network services
> after initial install."
>
> One point of these policies is to provide users with a clear set of
> guarantees they can depend on when planning their use of Ubuntu.
It does make good sense to have this published policy, although it does
seem that this policy should undergo a review to ensure we are providing
the best default user experience, coupled with a good level of security.

When our Linux ecosphere peers, such as the other server distros
mentioned all seem to be installing this as default - we should probably
ask ourselves if separating ourselves from the others on this aspect is
really advantageous?

It doesn't seem that this suggestion is to make it the default, just
increasing discoverability. This should mean that it is still in-line
with the current policy.
>> Several exceptions have been granted to this policy,
> To clarify, it is actually a "class" of services that have a standing
> exception: those that are required to become a member of the network itself
> ("network infrastructure services"), so far: DHCP, IPv4LL, and mDNS.
>
>> Let me be clear: I am NOT requesting that sort of an exception.
> Then it will be the language of the first sentence that matters.
>
>> These key points map to the following considerations:
>> 1) the current option to install SSH on Ubuntu servers is buried in
>> the tasksel menu
>> - SSH is more fundamental to a server than the higher level
>> profile selections for:
>> DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
> Agreed, this makes perfect sense to me -- there is a large number of Ubuntu
> Server users that immediately install openssh-server after the install is
> finished.
>
>> 3) highlighting the "YES" option on this page is absolutely essential
>> to addressing this usability issue
>> - and that selection is easily overridden by hitting <tab><enter>,
>> or by experienced admins in preseed configurations
> I suspect this will be the core of the argument, and how it relates to
> the definition of "default installation". I would argue that hitting
> enter on all questions without reading them would result in a "default
> installation". Taking this approach means highlighting "no" by default
> would be a policy-safe way to add this prompt.
I would need to check, but it seems familiar that you cannot overwrite a
disk partition without manually moving from No -> Yes. This seems
somewhat similar, but perhaps slightly different fields as one is
considering data loss - and the ssh default highlight to "No" is
regarding security.

However, I would suggest that as the vast majority of server users seem
to require SSH - it is a 'de-facto default'... which perhaps highlights
why many Hardy CDs became coasters purely because the CD had a
vulnerable sshd bundled on their pool.... even though following a normal
upgrade from the public archives would have resolved this issue.

The Hardy situation seemed to me that we reacted in a similar way, that
we would have - if it was installed by default.
>> Please consider that the very definition of a "server" implies that
>> the system is running a "service".
> Well, I think this point is less clear-cut. There are people genuinely
> interested in not running SSH. But, if it goes this way, then the argument
> is centered around "installations of Ubuntu" for the definition of
> "Ubuntu". Does that mean only "Desktop"? I would argue that it has meant
> Desktop and Server, since security policy and features apply to both
> equally.
It seems to me, that as the Server edition is raising popularity; there
clearly needs to be overlap policy - however, how often is Server
considered in the general platform discussions? It seems clear to me
that Desktop and Server are two very different models, and should
perhaps be considered slightly separately.
<SNIP>
> It was argued to me that "Ubuntu Enterprise Cloud" and "Ubuntu EC2 AMIs"
> are not "default installations of Ubuntu", again centering around what
> "Ubuntu" in the policy means. If this holds, then the language around
> the policy should be clarified to handle these existing situations at the
> same time as solving the "Server with SSH" situation.
>
> -Kees
This is something that clearly needs to be documented, as whilst the
rationale makes sense; I certainly didn't know that from a policy
perspective. Had you not added this insight, then it is reasonably
likely that the traditional, "that is the way it's always been" argument
would probably have raised its head.

Where was the UEC / EC2 AMIs policy difference formulated?
Kind Regards,
Dave Walker