SSH and the Ubuntu Server

Dustin Kirkland kirkland at ubuntu.com
Fri Nov 19 22:50:52 GMT 2010


Stephan Hermann <sh at sourcecode.de> wrote:
> Hi Scott,
>
> On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
>> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
>> > Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
>> > different modes (minimal, default, developer workstation), all of
>> > which a) were running sshd, b) had a root user with a password.
>>
>> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
>> surface for a default RHEL6 install is rather more limited.
>
> To be honest, there is no difference in installing RHEL6 with a static
> ip address or Ubuntu Server with DHCP enabled.
>
> I think we need to find out first, what user base we want to point at.
>
> The SysAdmin of a Company with Enterprise Classed Datacenter
> or the guy/gal from around the corner who is testing ubuntu server?
>
> The SysAdmin will have network security in place (if not..oh well), and
> mostly is he/she not using public IP addresses, and/or they setup their
> DHCPd to match the MACs of the NICs inside their servers.
>
> I am now wondering if we really should change something. As long as I'm
> thinking about the topic, I'm coming to my conclusion, that we just
> should tick sshd by default during tasksel in the installer, and that's
> it. For most of the admins out there, it really doesn't matter, because
> they have other ways to deploy ubuntu server on their servers.

I agree, Stephan.

The installer complexity can be avoided by just ticking the "OpenSSH
Server" in the top of the tasksel page as you suggest;  document that
change thoroughly and publish it far and wide; note the stronger
sshd.conf configurations from Marc and the security team in the SSH
help page.

Unfortunately, I don't think we're reaching a consensus here on ubuntu-devel@.

I'm going to redraft the proposal, note that there was no general
consensus on the matter in the ubuntu-devel@ mailing list, and ask the
Tech Board for guidance.  Thanks everyone for the lively discussion.

:-Dustin


