SSH and the Ubuntu Server

Stephan Hermann sh at sourcecode.de
Thu Nov 18 07:20:20 GMT 2010


Hi Dustin,

On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
> Ubuntu has long maintained a "no open ports by default" policy.  This
> conservative approach arguably yields a more secure default
> installation.  Several exceptions have been granted to this policy,
> which install services on the target system without the user's
> explicit consent, but in the calculated interest and support of a
> vastly more usable Ubuntu.
> 
> Let me be clear: I am NOT requesting that sort of an exception.
> 
> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
> Technical Board approval of a new prompt in the Ubuntu Server ISO's
> text-based installer, which would read something like the following:
> 
>  ----------------------------------------------------------
> |  If you need a secure connection to this
> |  server remotely, you may wish to install
> |  the openssh-server package.  Note that
> |  this service will open TCP port 22 on
> |  your system, and you should use a very
> |  strong password.
> |
> |  Do you want to install the SSH service?
> |
> |        [[YES]]        [no]
>  ----------------------------------------------------------
> 
> Rest assured that the exact text will be word-smithed by an
> appropriate committee to hash out an optimum verbiage.

If such a message would be displayed during alternative setup from CD,
it would give me a shock. 
It's just like 

"If you need a UI for this Desktop you may wish to install GNOME. Note
that this choice will install hundreds of other packages which can or
can not harm/destroy/pollute your system, and you should reconsider your
choice.

Do you want to install GNOME on your System?

	[[YES]] [no]
"

First of all, I think for Ubuntu Server the SSHD service should be
enabled by default, eventually having a question on what IP interface
the service should be listening and eventually giving a possibility to
push an ssh public key to the box (please not via Launchpad or other
web-based services). SSHD is (for me) an essential server service.

Having SSHD not enabled by default on Servers is a bit of a strange
behaviour, regarding other enterprise-based Distros.

On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
server, and there it shouldn't be installed or, when installed, it
shouldn't be enabled.

A newly introduced service which opens a port could be documented in the
release notes and other prominent places.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: sh at sourcecode.de






