SSH and the Ubuntu Server

Dustin Kirkland kirkland at ubuntu.com
Thu Nov 18 14:00:30 GMT 2010


I inadvertently left ubuntu-server@ off of the original distribution.

Sorry about that.  CC'ing now.

There are a few responses already in the thread:
 * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html

Thanks,
Dustin

On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland <kirkland at ubuntu.com> wrote:
> Ubuntu has long maintained a "no open ports by default" policy.  This
> conservative approach arguably yields a more secure default
> installation.  Several exceptions have been granted to this policy,
> which install services on the target system without the user's
> explicit consent, but in the calculated interest and support of a
> vastly more usable Ubuntu.
>
> Let me be clear: I am NOT requesting that sort of an exception.
>
> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
> Technical Board approval of a new prompt in the Ubuntu Server ISO's
> text-based installer, which would read something like the following:
>
>  ----------------------------------------------------------
> |  If you need a secure connection to this
> |  server remotely, you may wish to install
> |  the openssh-server package.  Note that
> |  this service will open TCP port 22 on
> |  your system, and you should use a very
> |  strong password.
> |
> |  Do you want to install the SSH service?
> |
> |        [[YES]]        [no]
>  ----------------------------------------------------------
>
> Rest assured that the exact text will be word-smithed by an
> appropriate committee to hash out an optimum verbiage.
>
> This proposal requests that:
>  1) a new prompt be added to the Ubuntu Server installer
>  2) this prompt be dedicated to the boolean installation, or
> non-installation, of the SSH service, as an essential facet of a
> typical server
>  3) the cursor highlights the affirmative (yes, please install SSH),
> but awaits the user's conscious decision
>
> These key points map to the following considerations:
>  1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
>    - SSH is more fundamental to a server than the higher level
> profile selections for:
>      DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
>  2) users of the installation ISO will have the option to not install
> SSH, as they so desire
>    - it is quite well understood that some users may not want SSH
> installed on their server
>  3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue
>    - and that selection is easily overridden by hitting <tab><enter>,
> or by experienced admins in preseed configurations
>
> Please consider that the very definition of a "server" implies that
> the system is running a "service".  Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every
> UEC system deployed.  This is not unprecedented.
>
> Having discussed the proposal with a subset of this audience (at UDS
> and in IRC), here are some known FAQs:
>
>  Q: WTF?!?  Ubuntu has no open ports by default!
>  A: That depends on which "Ubuntu" you mean.  Ubuntu-in-the-cloud runs
> SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
> importantly, this is not a "run by default" proposal.  We have already
> compromised on that subject, culminating in this proposal, which is
> simply about providing Server users with an obvious way to install the
> typically essential SSH service.
>
>  Q: Why not default the cursor on that question to "No", instead of "Yes"?
>  A: That totally bypasses the value of this proposal, and is only
> microscopically better than what we currently have, where Ubuntu
> Server users must go out of their way to add one of the most
> fundamental packages to almost any server installation.  The proposal,
> as it stands, is already a compromise from the original suggestion at
> UDS; which was, "if you're installing a server, you're expecting to
> run a service, so let's just install SSH by default".  That idea is
> entirely out of scope now.  We are proposing this installer question
> as a reasonable compromise.
>
>  Q: What if the openssh-server package is compromised on the ISO?
>  A: Although this has happened before, it is relatively rare over the
> history of Ubuntu.  If/when this happens again, we would need to:
>    a) recommend that people choose "no" when prompted, and install
> SSH post-installation from the security archive (same as we would do
> now, actually)
>    b) and probably respin the ISOs (also been done before)
>
>  Q: Why don't we disable password authentication?
>  A: We could do this, and ask users to provide a public SSH key (or
> even just a simple Launchpad userid whose public key we could securely
> import).  This would probably involve adding another page to the
> installer, public SSH keys are hard to memorize, while others will
> almost certainly object to even optionally tying their Launchpad ID to
> Ubuntu installations.  Most importantly, Ubuntu does not set a root
> password, so an attacker would need to guess BOTH the username AND
> password.
>
>  Q: What if I want a different sshd configuration than what's shipped
> by default in Ubuntu, before running sshd?
>  A: You sound like an advanced user; please preseed your installation,
> or add SSH after the initial install (as you would do now).
>
>  Q: Do we have to add another question to the Server installer to
> accomplish this?
>  A: Actually, we don't.  We could possibly simplify or remove a couple
> of other questions.  That discussion belongs in another thread,
> though.
>
>
> Sincerely,
> Dustin Kirkland
> Ubuntu Core Developer | Server Team | Guarded Gorilla
> http://bit.ly/5-gorillas
>



-- 
:-Dustin


