SSH and the Ubuntu Server

Nicolas Barcet nick.barcet at canonical.com
Thu Nov 18 08:24:36 GMT 2010


Hello Stephan,

On 11/18/2010 08:20 AM, Stephan Hermann wrote:
> On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
>> Ubuntu has long maintained a "no open ports by default" policy.  This
>> conservative approach arguably yields a more secure default
>> installation.  Several exceptions have been granted to this policy,
>> which install services on the target system without the user's
>> explicit consent, but in the calculated interest and support of a
>> vastly more usable Ubuntu.
>>
>> Let me be clear: I am NOT requesting that sort of an exception.
>>
>> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
>> Technical Board approval of a new prompt in the Ubuntu Server ISO's
>> text-based installer, which would read something like the following:
>>
>>  ----------------------------------------------------------
>> |  If you need a secure connection to this
>> |  server remotely, you may wish to install
>> |  the openssh-server package.  Note that
>> |  this service will open TCP port 22 on
>> |  your system, and you should use a very
>> |  strong password.
>> |
>> |  Do you want to install the SSH service?
>> |
>> |        [[YES]]        [no]
>>  ----------------------------------------------------------
>>
>> Rest assured that the exact text will be word-smithed by an
>> appropriate committee to hash out an optimum verbiage.
>
> If such a message would be displayed during alternative setup from CD,
> it would give me a shock.
> It's just like
> 
> "If you need a UI for this Desktop you may wish to install GNOME. Note
> that this choice will install hundreds of other packages which can or
> can not harm/destroy/pollute your system, and you should reconsider your
> choice.
> 
> Do you want to install GNOME on your System?
> 
> 	[[YES]] [no]
> "
>
> First of all, I think for Ubuntu Server the SSHD service should be
> enabled by default, eventually having a question on what IP interface
> the service should be listening and eventually giving a possibility to
> push a ssh public key to the box (please not via Launchpad or other web
> based services). SSHD is (for me) an essential server service.
>
> Having SSHD not enabled by default on servers is a bit of a strange
> behaviour compared to other enterprise-based distros.

I think everyone in Corporate Services agrees with your above statement
that the default should be to include sshd.  However, what we are facing
here is a rather major change in default behavior and, as such,
justifies that users be properly informed about it.  Think about it this
way: wouldn't you like to see a warning if at some point the desktop was
not to install any graphical interface anymore?

> On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
> server, and there it shouldn't be installed, or when installed, it
> shouldn't be enabled.
> 
> A newly introduced service which opens a port could be documented in the
> release notes and other prominent places.

If, as Kees mentioned in another email, we are facing users that press
next without looking, do you really think that the same users will take
the time to read the release notes?

I think I fully understand the security team's concerns here, but given
that:

 a/ Based on what I have heard at UDS, we are considering adding a
post-boot install phase for additional package installation; it would
seem reasonable to make it available across the network.

 b/ Even if I have made my initial install with a CD or a USB stick, I
do not know many admins that want to stay in front of their servers more
than the strict minimum time.  Personally I generally hate myself when I
have forgotten to check the sshd service on the tasksel screen, because it
means that I'll have to wait in the noisy and cold server room an
additional 5 mins (yes, despite our efforts to improve boot times,
hardware manufacturers for servers still consider it a great idea to have
various checks being done during boot, prior to the OS being loaded).

 c/ Similarly to b, when I am installing a virtual machine, the less
time I spend in the server screen emulation the better, as this is
generally much slower and often much clumsier (think keyboard mapping
for example) than accessing the same server over SSH.

 d/ If the version of sshd that is provided on a CD becomes compromised,
we have seen in the past that it does not matter much whether it is
installed by default or not, since most people will have installed it.
It did not prevent us from re-spinning ISOs, and it won't prevent people
from not applying security updates if they are not used to doing so.

 e/ The biggest risk seems to be for people that would deploy a server
that has a direct connection to the Internet with a CD containing a
version of sshd that is compromised.  In this very case, we do however
have the means to pull from security.ubuntu.com during the install, as
the machine is connected to the net, right?

Because of the above points, and given our history and our wish to
propose the best default possible for our users, I personally think that
Dustin's proposal is the best middle ground we can find, and I fully
support it, with the default set to yes.

Nick
