SSH and the Ubuntu Server
sh at sourcecode.de
Mon Nov 22 10:24:25 UTC 2010
Good Morning Dustin,
On Fri, 2010-11-19 at 16:50 -0600, Dustin Kirkland wrote:
> Stephan Hermann <sh at sourcecode.de> wrote:
> > Hi Scott,
> > On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> >> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> >> > Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
> >> > different modes (minimal, default, developer workstation), all of
> >> > which a) were running sshd, b) had a root user with a password.
> >> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
> >> surface for a default RHEL6 install is rather more limited.
> > To be honest, there is no difference in installing RHEL6 with a static
> > IP address or Ubuntu Server with DHCP enabled.
> > I think we need to find out first, what user base we want to point at.
> > The SysAdmin of a company with an enterprise-class datacenter
> > or the guy/gal from around the corner who is testing Ubuntu Server?
> > The SysAdmin will have network security in place (if not..oh well), and
> > mostly he/she is not using public IP addresses, and/or they set up their
> > DHCPd to match the MACs of the NICs inside their servers.
> > I am now wondering if we really should change something. As long as I'm
> > thinking about the topic, I'm coming to the conclusion that we should
> > just tick sshd by default during tasksel in the installer, and that's
> > it. For most of the admins out there, it really doesn't matter, because
> > they have other ways to deploy Ubuntu Server on their servers.
> I agree, Stephan.
> The installer complexity can be avoided by just ticking the "OpenSSH
> Server" in the top of the tasksel page as you suggest; document that
> change thoroughly and publish it far and wide; note the stronger
> sshd.conf configurations from Marc and the security team in the SSH
> help page.
Yes. We can harden sshd a bit more and document the changes in d-i
tasksel via ReleaseNotes and some public announcement on blogs/p.u.c.
> Unfortunately, I don't think we're reaching a consensus here on ubuntu-devel@.
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance. Thanks everyone for the lively discussion.
This is something we need to do anyhow. TB has the final say.
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: sh at sourcecode.de
More information about the ubuntu-server