Re: SSH and the Ubuntu Server

2010-12-02 Thread Dustin Kirkland
On Fri, Nov 19, 2010 at 4:50 PM, Dustin Kirkland kirkl...@ubuntu.com wrote:
 I'm going to redraft the proposal, note that there was no general
 consensus on the matter in the ubuntu-devel@ mailing list, and ask the
 Tech Board for guidance.  Thanks everyone for the lively discussion.

Thank you for the discussions at UDS, in IRC, and in this thread.

Colin's changes to the server tasksel (moving SSH to the top of the
list, albeit unchecked) are a reasonable step towards improving the
usability of the server installer.

Let's just roll with this for now and evaluate its effectiveness next cycle.

Thanks again! :-)
:-Dustin

Dustin Kirkland
Ubuntu Core Developer

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


Re: SSH and the Ubuntu Server

2010-11-22 Thread Serge Hallyn
Quoting Oliver Grawert (o...@ubuntu.com):
 the serial port should be enabled automatically if you set the console=
 boot parameter to a serial tty (i.e. console=ttyS0,115200n8) its really

Are you sure?  Bc when I tried this just last night on a 10.04
server, I still had to create an /etc/init/ttyS0.conf with the
obvious contents in order to get a login prompt (even, iirc,
boot messages) on ttyS0.

It's not a big deal, but of course it means you have to have
some other way of getting into the box after install to set
that up first.

-serge



Re: SSH and the Ubuntu Server

2010-11-22 Thread Stephan Hermann
Good Morning Dustin,

On Fri, 2010-11-19 at 16:50 -0600, Dustin Kirkland wrote:
 Stephan Hermann s...@sourcecode.de wrote:
  Hi Scott,
 
  On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
  On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
   Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
   different modes (minimal, default, developer workstation), all of
   which a) were running sshd, b) had a root user with a password.
 
  Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
  surface for a default RHEL6 install is rather more limited.
 
  To be honest, there is no difference in installing RHEL6 with a static
  ip address or Ubuntu Server with DHCP enabled.
 
  I think we need to find out first, what user base we want to point at.
 
  The SysAdmin of a Company with Enterprise Classed Datacenter
  or the guy/gal from around the corner who is testing ubuntu server?
 
  The SysAdmin will have network security in place (if not..oh well), and
  mostly is he/she not using public IP addresses, and/or they setup their
  DHCPd to match the MACs of the NICs inside their servers.
 
  I am now wondering if we really should change something. As long as I'm
  thinking about the topic, I'm coming to my conclusion, that we just
  should tick sshd by default during tasksel in the installer, and that's
  it. For most of the admins out there, it really doesn't matter, because
  they have other ways to deploy ubuntu server on their servers.
 
 I agree, Stephan.
 
 The installer complexity can be avoided by just ticking the OpenSSH
 Server in the top of the tasksel page as you suggest;  document that
 change thoroughly and publish it far and wide; note the stronger
 sshd.conf configurations from Marc and the security team in the SSH
 help page.

Yes. We can harden sshd a bit more and document the changes in d-i
tasksel via ReleaseNotes and some public announcement on blogs/p.u.c.

 
 Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.
 
 I'm going to redraft the proposal, note that there was no general
 consensus on the matter in the ubuntu-devel@ mailing list, and ask the
 Tech Board for guidance.  Thanks everyone for the lively discussion.

This is something we need to do anyhow. TB has the final say.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de







Re: SSH and the Ubuntu Server

2010-11-19 Thread Stephan Hermann
Hi Nicolas,

On Thu, 2010-11-18 at 09:24 +0100, Nicolas Barcet wrote: 
 Hello Stephan,
 
 On 11/18/2010 08:20 AM, Stephan Hermann wrote:
 
  First of all, I think for Ubuntu Server the SSHD service should be
  enabled by default, eventually having a question on what IP interface
  the service should be listening and eventually giving a possibility to
  push a ssh public key to the box (please not via Launchpad or other web
  based services). SSHD is (for me) an essential server service.
 
  Having SSHD not enabled by default on Servers is a bit of a strange
  behaviour, regarding other enterprise-based Distros.
 
 I think everyone in Corporate Services agrees with your above statement
 that the default should be to include sshd.  However, what we are facing
 here is a rather major change in default behavior and, as such,
 justifies that users be properly informed about it.  Think about it this
 way: wouldn't you like to see a warning if at some point the desktop was
 not to install any graphical interface anymore?

Well, when I take the desktop install media, I would like to see a fully
working desktop after the installation up and running.
That's why I think someone installing from a server install media would
like to see a fully running server installation afterwards which is
accessible.

Now, we can discuss what a fully running server installation is?

I would say, that running Ubuntu server in a datacenter, is mostly
behind a secured network, where e.g. SSHD is listening on a special ip
interface, which is not accessible by everyone but only to a team of
admins with Godmode enabled. And yes, most of the time you have remote
insight boards etc. to access the machines.

On Amazon EC2 this is totally different. I don't actually know if you
can somehow access the xen vm without remote access from the public
(NATed) network of Amazon. 

When we are thinking now to enable a service by default, which wasn't
installed and enabled in the past, we need to inform the admin. Agreed.

But what is the best way? 
We don't want to have the admin stay as long as it takes at the console.
Most admins (at least those I know) do read documentations, and release
notes are at least one of the documentations every admin should read
(just think about the change of behaviour of the bonding interface
setups from jaunty - karmic - lucid).

 
  On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
  server, and there it shouldn't be installed or when installed, it
  shouldn't be enabled.
  
  A newly introduced service which opens a port could be documented in the
  release notes and other prominent places.
 
 If, as Kees mentioned in another email, we are facing users that press
 next without looking, do you really think that the same users will take
 the time to read the release notes?

Really, this is difficult to answer.

Regarding the user base of non-technicians, consuming-only desktop users
(please, don't interpret it as all ubuntu users are non-technicians
and consuming only), I don't think that those users are reading a lot of
documentation. Seeing that from the Windows world, I think we can drop
documentation completely.

Regarding the Admin people, they do read documentation and especially
release notes, ChangeLogs etc. when they are in the field of Operating
System Deployment (again, at least the admins I do know and I'm
working/had worked with)



 
 I think I fully understand the security team's concerns here, but given
 that:
 
  a/ Based on what I have heard at UDS, we are considering adding a post
 boot install phase for additional package installation, it would seem
 reasonable to make it available across the network.
 
  b/ Even if I have made my initial install with a CD or a USB stick, I
 do not know many admins that want to stay in front of their servers more
 than the strict minimum time.  Personally I generally hate myself when I
 have missed to check the sshd service on the tasksel screen, because it
 means that I'll have to wait in the noisy and cold server room an
 additional 5 mins (yes, despite our efforts to improve boot times,
 hardware manufacturers for servers still consider it a great idea to have
 various checks being done during boot, prior to the OS being loaded)

Actually I don't know any admin anymore who stands in front of a console
in a cold datacenter, mostly we are using ILOs and other remote console
access methods to get hands on the server (most of our servers don't
even have CD drives anymore, totally useless nowadays).

That's why I already think that we are discussing a matter which isn't
really one. What we are trying now is to deliver a better user
experience, for people trying out our server media.

 
  c/ Similarly to b, when I am installing a virtual machine, the less
 time I spend in the server screen emulation the better, as this is
 generally much slower and often much clumsier (think keyboard mapping
 for example) than accessing the same server over SSH.


Re: SSH and the Ubuntu Server

2010-11-19 Thread Ubuntu


On Nov 18, 2010, at 10:49 AM, Marc Deslauriers marc.deslauri...@canonical.com 
wrote:

 Hello,
 
 
 Please consider that the very definition of a server implies that
 the system is running a service.  Moreover, our official Ubuntu
 Server images as published for the Amazon EC2 cloud are, in fact,
 running SSH by default listening on port 22 on the unrestricted
 Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
 Cloud installation by the very same ISO installs SSH on every
 UEC system deployed.  This is not unprecedented.
 
 As far as I recall, EC2 opens the ssh port from your ip address only,
 and authenticates using certificates and not passwords.
 

the default EC2 security group firewalls the machine completely. The user takes 
explicit action to open port 22 (euca-authorize). the same is true for UEC.

 Actually, now that you mention it, we should probably disable SSH
 password authentication by default in the EC2 images...

Instances of the official images have exactly zero users that have a password 
set. Password auth is allowed, but useless until the user sets a password.

on boot, the public key specified at launch is pulled from the metadata service 
and inserted into the 'ubuntu' users authorized keys.

the corresponding private key is the only way in.


Re: SSH and the Ubuntu Server

2010-11-19 Thread Soren Hansen
On 18-11-2010 17:00, Serge Hallyn wrote: 
 Forgive me if the answer is obvious - but how is this any
 better then than simply expecting users to click 'ssh server'
 in the tasksel window which always comes up?

From Dustin's original e-mail:

 1) the current option to install SSH on Ubuntu servers is buried in
the tasksel menu
- SSH is more fundamental to a server than the higher level
  profile selections for:
  DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.



-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/





Re: SSH and the Ubuntu Server

2010-11-19 Thread Soren Hansen
On 18-11-2010 16:49, Marc Deslauriers wrote: 
 I want the person installing the server to actually make the choice
 to install ssh in order to realize that doing so may have
 consequences. ie: Oh wait, If I install ssh now, I should unplug the
 server from the network and configure ssh properly before hooking it
 back up...

What does configure ssh properly usually entail? Are these some
defaults we can change or offer as follow-on questions if people answer
Yes to this dialog? (Yes, I fully realise that will very likely result
in a net loss in usability on account of more questions asked, just
trying to get something constructive out of this thread)

-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/





Re: SSH and the Ubuntu Server

2010-11-19 Thread Soren Hansen
On 18-11-2010 21:59, Alex Chiang wrote:
 I would expect that a data center set up in this manner would
 also have remote serial consoles to all the machines there too,
 using conserver or conman or something similar.

I wonder if the no-open-ports-by-default policy applies to serial ports
as well? If not (which I'm guessing is the case), perhaps this is
something we should set up by default?

-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/





Re: SSH and the Ubuntu Server

2010-11-19 Thread Luke Faraone
On 11/19/2010 11:11 AM, Soren Hansen wrote:
 I wonder if the no-open-ports-by-default policy applies to serial ports
 as well? If not (which I'm guessing is the case), perhaps this is
 something we should set up by default?

I think the issue is network services, not periphery. Enabling serial
ports with a getty by default would probably be beneficial.

-- 
Luke Faraone
Debian / Ubuntu Developer; Sugar Labs, Systems Admin
http://luke.faraone.cc
PGP: 5189 2A7D 16D0 49BB 046B  DC77 9732 5DD8 F9FD D506





Re: SSH and the Ubuntu Server

2010-11-19 Thread Dustin Kirkland
Stephan Hermann s...@sourcecode.de wrote:
 Moins,

 On Thu, 2010-11-18 at 12:24 -0500, Luke Faraone wrote:
 On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
  On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson cjwat...@ubuntu.com wrote:
  No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
  very top entry on the tasksel menu, and the cursor rests on it when you
  reach that screen.
  [snip]
 
  I would gladly revise this proposal to simply:
   * Automatically 'tick' OpenSSH Server by default on the Server Tasksel 
  screen
 
  Which would also sit there and wait for the user to consciously affirm
  their selection, and would avoid the countless server installations
  where people forget to install SSH and must make their way back to a
  console on their newly installed system and add the openssh-server
  package.

 As many people have mentioned, this will cause a surprise for users who
 click through the install dialogs expecting things to not change since
 they last used it.

 Sorry, but this is something which strikes me, really. When we don't
 change things over time, we will never  have a better user experience.
 When we change something it needs to be documented in a public place
 where everyone interested can read it first hand.

+1

 Also, since this occurs late in the install process, no dialogs to
 prompt the user to harden their password can be offered, as others have
 suggested.

 Oh well, we can change that inside the installer as well. Not prompting
 for a user choice, but choosing a hardened password automatically and
 showing it to the user
 mkpasswd --chars=20 --crypt-md5 or whatever should be enough. that's
 only a technical problem easy to solve.


 You say there are countless installations. I don't think anybody
 expects SSH to be automatically installed in a new server; it's a
 service that should be enabled carefully after consideration of your
 network environment and security needs. I feel that the potential for
 harm of accidental installation exceeds the increase in convenience from
 not having to explicitly select the task.

 I think we have more installations of RHEL or SLES in the enterprise
 server market, and they do have sshd enabled by default.
 Even when you install a VMware ESX host, ssh is enabled by default,
 without the questionable root access.

Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
different modes (minimal, default, developer workstation), all of
which a) were running sshd, b) had a root user with a password.

Simply the fact that Ubuntu does not have an active root password by
default means that network attacks via ssh must guess BOTH the
username AND the password.

Choose both wisely and you should be able to repel attacks between the
time that your new Ubuntu Server reboots for the first time and the
time it takes for you to login for the first time and configure
sshd.conf to your liking.  If you're actively working the
installation, we're talking less than 5 minutes.  If you've automated
the deployment via puppet or somesuch, it can be far less than that.

:-Dustin



Re: SSH and the Ubuntu Server

2010-11-19 Thread Marc Deslauriers
On Fri, 2010-11-19 at 13:06 -0500, Scott Kitterman wrote:
 On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
  On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
   On 18-11-2010 16:49, Marc Deslauriers wrote:
    I want the person installing the server to actually make the choice
    to install ssh in order to realize that doing so may have
    consequences. ie: Oh wait, If I install ssh now, I should unplug the
    server from the network and configure ssh properly before hooking it
    back up...
   
   What does configure ssh properly usually entail? Are these some
   defaults we can change or offer as follow-on questions if people answer
   Yes to this dialog? (Yes, I fully realise that will very likely result
   in a net loss in usability on account of more questions asked, just
   trying to get something constructive out of this thread)
  
  I think this highly depends on the environment the server is set up in,
  and is beyond the scope of the installer, but typically one or more of
  the following:
  
  - Limit ssh to a specific network interface
  - Disable password authentication and copy over keys
  - Configure AllowUsers and/or AllowGroups
  - Disable DebianBanner
  - Configure a firewall to limit connections from specific IPs and enable
  rate limiting
  - Configure tcpwrappers to limit connections from specific IPs
  - Install fail2ban or denyhosts
  - Add server to corporate IPS ssh-monitored host group
  - etc.
  
  SSH password brute-forcing has been on the SANS Top 20 vulnerability
  list for the past 10 years or so.
 
 Where do we document this for our users so they can take appropriate actions?

Same place we document everything else: in our wiki and on
help.ubuntu.com.

https://help.ubuntu.com/community/SSH
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Marc.
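
Added example, not part of any message in this thread and not Ubuntu's or OpenSSH's own code: a Python check of an sshd_config against the four items in the list above that live in that file (ListenAddress, PasswordAuthentication, AllowUsers/AllowGroups, DebianBanner). The function names, finding ids, sample files, the address 192.0.2.10 and the group sshadmins are constructed for illustration.

```python
"""Audit sshd_config text against four items from the list quoted above."""

MULTI = {"listenaddress", "allowusers", "allowgroups"}  # repeatable keywords
# Values sshd uses when the keyword is absent (DebianBanner is Debian/Ubuntu only).
DEFAULTS = {"passwordauthentication": "yes", "debianbanner": "yes"}
WILDCARDS = {"0.0.0.0", "::"}

MESSAGES = {
    "listen-all": "sshd is not limited to a specific interface (ListenAddress)",
    "password-auth": "password authentication is enabled globally",
    "password-auth-match": "a Match block re-enables password authentication",
    "no-allowlist": "neither AllowUsers nor AllowGroups is set",
    "debian-banner": "DebianBanner is not disabled",
}


def parse(text):
    """Split sshd_config text into global settings and Match-block settings."""
    global_cfg, match_cfg = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts both "Keyword value" and "Keyword=value".
        fields = line.replace("=", " ", 1).split()
        if not fields:
            continue
        key, values = fields[0].lower(), fields[1:]
        if key == "match":
            in_match = True          # everything below is conditional
        elif not values:
            continue
        elif in_match:
            match_cfg.append((key, values[0].lower()))
        elif key in MULTI:
            global_cfg.setdefault(key, []).extend(values)
        else:
            # Single-valued keyword: the first occurrence wins, later ones are ignored.
            global_cfg.setdefault(key, values[0].lower())
    return global_cfg, match_cfg


def _host(addr):
    """Strip an optional port and IPv6 brackets from a ListenAddress value."""
    if addr.startswith("["):
        return addr[1:].partition("]")[0]
    if addr.count(":") == 1:         # IPv4 address or hostname followed by :port
        return addr.split(":")[0]
    return addr


def audit(text):
    """Return the ids (keys of MESSAGES) of the items the config does not meet."""
    cfg, match_cfg = parse(text)
    findings = []
    hosts = [_host(a) for a in cfg.get("listenaddress", [])]
    if not hosts or any(h in WILDCARDS for h in hosts):
        findings.append("listen-all")
    if cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]) != "no":
        findings.append("password-auth")
    if ("passwordauthentication", "yes") in match_cfg:
        findings.append("password-auth-match")
    if not cfg.get("allowusers") and not cfg.get("allowgroups"):
        findings.append("no-allowlist")
    if cfg.get("debianbanner", DEFAULTS["debianbanner"]) != "no":
        findings.append("debian-banner")
    return findings


# Constructed sample: nothing restricted, relevant lines left commented out.
STOCK = """\
Port 22
#ListenAddress 0.0.0.0
#PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: all four items applied.
HARDENED = """\
ListenAddress 192.0.2.10
PasswordAuthentication no
AllowGroups sshadmins
DebianBanner no
"""

# Constructed sample: an earlier "yes" shadows the intended "no".
SHADOWED = HARDENED.replace(
    "PasswordAuthentication no",
    "PasswordAuthentication yes\nPasswordAuthentication no",
)

# Constructed sample: global setting is fine, a Match block undoes it.
MATCHED = HARDENED + "Match Address 198.51.100.0/24\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    samples = (("stock", STOCK), ("hardened", HARDENED),
               ("shadowed", SHADOWED), ("matched", MATCHED))
    for name, sample in samples:
        print(name)
        for item in audit(sample) or ["ok"]:
            print("   %s: %s" % (item, MESSAGES.get(item, "no findings")))
```

The firewall, tcpwrappers and fail2ban items from the same list sit outside sshd_config and are not checked here.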





Re: SSH and the Ubuntu Server

2010-11-19 Thread Stephan Hermann
Hi Scott,

On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
 On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
  Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
  different modes (minimal, default, developer workstation), all of
  which a) were running sshd, b) had a root user with a password.
 
 Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack 
 surface for a default RHEL6 install is rather more limited.

To be honest, there is no difference in installing RHEL6 with a static
ip address or Ubuntu Server with DHCP enabled.

I think we need to find out first, what user base we want to point at.

The SysAdmin of a Company with Enterprise Classed Datacenter
or the guy/gal from around the corner who is testing ubuntu server?

The SysAdmin will have network security in place (if not..oh well), and
mostly is he/she not using public IP addresses, and/or they setup their
DHCPd to match the MACs of the NICs inside their servers.

I am now wondering if we really should change something. As long as I'm
thinking about the topic, I'm coming to my conclusion, that we just
should tick sshd by default during tasksel in the installer, and that's
it. For most of the admins out there, it really doesn't matter, because
they have other ways to deploy ubuntu server on their servers.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de







Re: SSH and the Ubuntu Server

2010-11-19 Thread Dustin Kirkland
Stephan Hermann s...@sourcecode.de wrote:
 Hi Scott,

 On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
 On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
  Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
  different modes (minimal, default, developer workstation), all of
  which a) were running sshd, b) had a root user with a password.

 Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
 surface for a default RHEL6 install is rather more limited.

 To be honest, there is no difference in installing RHEL6 with a static
 ip address or Ubuntu Server with DHCP enabled.

 I think we need to find out first, what user base we want to point at.

 The SysAdmin of a Company with Enterprise Classed Datacenter
 or the guy/gal from around the corner who is testing ubuntu server?

 The SysAdmin will have network security in place (if not..oh well), and
 mostly is he/she not using public IP addresses, and/or they setup their
 DHCPd to match the MACs of the NICs inside their servers.

 I am now wondering if we really should change something. As long as I'm
 thinking about the topic, I'm coming to my conclusion, that we just
 should tick sshd by default during tasksel in the installer, and that's
 it. For most of the admins out there, it really doesn't matter, because
 they have other ways to deploy ubuntu server on their servers.

I agree, Stephan.

The installer complexity can be avoided by just ticking the OpenSSH
Server in the top of the tasksel page as you suggest;  document that
change thoroughly and publish it far and wide; note the stronger
sshd.conf configurations from Marc and the security team in the SSH
help page.

Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.

I'm going to redraft the proposal, note that there was no general
consensus on the matter in the ubuntu-devel@ mailing list, and ask the
Tech Board for guidance.  Thanks everyone for the lively discussion.

:-Dustin



Re: SSH and the Ubuntu Server

2010-11-19 Thread Marc Deslauriers
On Fri, 2010-11-19 at 17:11 +0100, Soren Hansen wrote:
 On 18-11-2010 21:59, Alex Chiang wrote:
  I would expect that a data center set up in this manner would
  also have remote serial consoles to all the machines there too,
  using conserver or conman or something similar.
 
 I wonder if the no-open-ports-by-default policy applies to serial ports
 as well? If not (which I'm guessing is the case), perhaps this is
 something we should set up by default?
 

This is an excellent idea. I've had more than one person ask me why the
serial port isn't enabled to perform headless installations.

Marc.





Re: SSH and the Ubuntu Server

2010-11-18 Thread Martin Pool
On 18 November 2010 08:38, Dustin Kirkland kirkl...@ubuntu.com wrote:
 This proposal requests that:
  1) a new prompt be added to the Ubuntu Server installer
  2) this prompt be dedicated to the boolean installation, or
 non-installation, of the SSH service, as an essential facet of a
 typical server
  3) the cursor highlights the affirmative (yes, please install SSH),
 but awaits the user's conscious decision

For what it's worth, I think at least 1 & 2 would be worthwhile; we
don't want to ask about every possible question but adding an SSH
server is extremely common.

One observation: doing this at install time would present an easy
opportunity to insist fairly firmly that the default user password is
not easily guessable.  Although this proposal has certain risks and
costs, it may also reduce the number of machines that are broken into
with a password of 'ubuntu' or similar.  (Or perhaps we already do
that, or should consider it regardless of ssh.)

Perhaps the autogenerated motd could mention the listening service,
though that would probably be the type of information that's quickly
ignored..

-- 
Martin



Re: SSH and the Ubuntu Server

2010-11-18 Thread Nicolas Barcet
Hello Stephan,

On 11/18/2010 08:20 AM, Stephan Hermann wrote:
 On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
 Ubuntu has long maintained a no open ports by default policy.  This
 conservative approach arguably yields a more secure default
 installation.  Several exceptions have been granted to this policy,
 which install services on the target system without the user's
 explicit consent, but in the calculated interest and support of a
 vastly more usable Ubuntu.

 Let me be clear: I am NOT requesting that sort of an exception.

 I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
 Technical Board approval of a new prompt in the Ubuntu Server ISO's
 text-based installer, which would read something like the following:

  -----------------------------------------------
 |  If you need a secure connection to this
 |  server remotely, you may wish to install
 |  the openssh-server package.  Note that
 |  this service will open TCP port 22 on
 |  your system, and you should use a very
 |  strong password.
 |
 |  Do you want to install the SSH service?
 |
 |        [[YES]]        [no]
  -----------------------------------------------

 Rest assured that the exact text will be word-smithed by an
 appropriate committee to hash out an optimum verbiage.

 If such a message would be displayed during alternative setup from CD,
 it would give me a shock. 
 It's just like 
 
 If you need a UI for this Desktop you may wish to install GNOME. Note
 that this choice will install hundreds of other packages which can or
 can not harm/destroy/pollute your system, and you should reconsider your
 choice.
 
 Do you want to install GNOME on your System?
 
   [[YES]] [no]
 

 First of all, I think for Ubuntu Server the SSHD service should be
 enabled by default, eventually having a question on what IP interface
 the service should be listening and eventually giving a possibility to
 push a ssh public key to the box (please not via Launchpad or other web
 based services). SSHD is (for me) an essential server service.

 Having SSHD not enabled by default on Servers is a bit of a strange
 behaviour, regarding other enterprise-based Distros.

I think everyone in Corporate Services agrees with your above statement
that the default should be to include sshd.  However, what we are facing
here is a rather major change in default behavior and, as such,
justifies that users be properly informed about it.  Think about it this
way: wouldn't you like to see a warning if at some point the desktop was
not to install any graphical interface anymore?

 On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
 server, and there it shouldn't be installed or when installed, it
 shouldn't be enabled.
 
 A newly introduced service which opens a port could be documented in the
 release notes and other prominent places.

If, as Kees mentioned in another email, we are facing users that press
next without looking, do you really think that the same users will take
the time to read the release notes?

I think I fully understand the security team's concerns here, but given
that:

 a/ Based on what I have heard at UDS, we are considering adding a post
boot install phase for additional package installation, it would seem
reasonable to make it available across the network.

 b/ Even if I have made my initial install with a CD or a USB stick, I
do not know many admins that want to stay in front of their servers more
than the strict minimum time.  Personally I generally hate myself when I
have missed to check the sshd service on the tasksel screen, because it
means that I'll have to wait in the noisy and cold server room an
additional 5 mins (yes, despite our efforts to improve boot times,
hardware manufacturers for servers still consider it a great idea to have
various checks being done during boot, prior to the OS being loaded)

 c/ Similarly to b, when I am installing a virtual machine, the less
time I spend in the server screen emulation the better, as this is
generally much slower and often much clumsier (think keyboard mapping
for example) than accessing the same server over SSH.

 d/ If the version of sshd that is provided on a CD becomes compromised,
we have seen in the past that it does not matter much whether it is
installed by default or not, since most people will have installed it.
It did not prevent us from re-spinning ISOs and it won't prevent people
from not applying security updates if they are not used to do so.

 e/ The biggest risk seems to be for people that would deploy a server
that have a direct connection to the Internet with a CD containing a
version of sshd that is compromised.  In this very case, we do however
have the means to pull from security.ubuntu.com during the install, as
the machine is connected to the net, right?

Because of the above points, and given our history and our wish to
propose the best default possible for our users, I personally think that
Dustin's 

Re: SSH and the Ubuntu Server

2010-11-18 Thread Scott Kitterman
On Wednesday, November 17, 2010 04:38:53 pm Dustin Kirkland wrote:
 Q: Why not default the cursor on that question to No, instead of Yes?
  A: That totally bypasses the value of this proposal, and is only
 microscopically better than what we currently have ...

Dustin,

I think this seriously undervalues the many benefits of your proposal.  The
concern I have with defaulting a new question to yes the first time it appears 
is that if someone has a standard preseed they are using this will change what 
they get installed and they will never see the question (If I understand how 
all this works correctly and that's not certain).

If we are going to change the no open ports by default policy (and I think 
your proposal would do that), I think we should not be in a great rush to do 
that.

I would propose that the question should at least exist in an LTS release with 
a conservative default (no in this case) before defaulting to the less 
conservative default.  My thought would be to do all as you propose, except 
leave it as default No for now and then consider switching to yes in 12.10.

I know that's a longer timeline than you'd prefer, but I think it pays to be 
conservative in how we approach this.

BTW, given the number of knocks I see on the door at port 22, this is very 
much not like the gorilla thing.

Scott K


Re: SSH and the Ubuntu Server

2010-11-18 Thread Serge Hallyn
Quoting Clint Byrum (cl...@ubuntu.com):
 On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
 
  
  This proposal requests that:
   1) a new prompt be added to the Ubuntu Server installer
   2) this prompt be dedicated to the boolean installation, or
  non-installation, of the SSH service, as an essential facet of a
  typical server
 
 +1 for adding this prompt
 
   3) the cursor highlights the affirmative (yes, please install SSH),
  but awaits the user's conscious decision
  
 
 -1 for having it default to Yes.

Forgive me if the answer is obvious - but how is this any
better then than simply expecting users to click 'ssh server'
in the tasksel window which always comes up?

-serge


Re: SSH and the Ubuntu Server

2010-11-18 Thread Robbie Williamson
On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: 
 On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
  I think this screen is a good idea if in fact tasksel is moved to after
  the first boot.
 
 We used to have a two-stage installer and it was a nightmare to maintain
 for several reasons.  Since we moved to a single-stage installer several
 years back, we've burned all the necessary code with fire and enjoyed
 it.  Please don't make me go back to that.

What if the Server team maintained the 2nd stage?  Then we'd be making
life easier for you, right? ;)


-- 
Robbie Williamson rob...@ubuntu.com
Ubuntu robbiew[irc.freenode.net]
   

You can't be lucky all the time, but you can be smart everyday 
 -Mos Def

Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you. -Me ;)



Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
 On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: 
  On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
   I think this screen is a good idea if in fact tasksel is moved to after
   the first boot.
  
  We used to have a two-stage installer and it was a nightmare to maintain
  for several reasons.  Since we moved to a single-stage installer several
  years back, we've burned all the necessary code with fire and enjoyed
  it.  Please don't make me go back to that.
 
 What if the Server team maintained the 2nd stage?  Then we'd be making
 life easier for you, right? ;)

Er. :-)

(In seriousness, any good-quality second stage would require some level
of cooperation from the first stage.  We tried that and it was awful.)

-- 
Colin Watson   [cjwat...@ubuntu.com]


Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
On Thu, Nov 18, 2010 at 10:00 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Clint Byrum (cl...@ubuntu.com):
 On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:

 
  This proposal requests that:
   1) a new prompt be added to the Ubuntu Server installer
   2) this prompt be dedicated to the boolean installation, or
  non-installation, of the SSH service, as an essential facet of a
  typical server

 +1 for adding this prompt

   3) the cursor highlights the affirmative (yes, please install SSH),
  but awaits the user's conscious decision
 

 -1 for having it default to Yes.

 Forgive me if the answer is obvious - but how is this any
 better then than simply expecting users to click 'ssh server'
 in the tasksel window which always comes up?

It's not any better, Serge.  :-(

:-Dustin


Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
Stefan Potyra stefan.pot...@informatik.uni-erlangen.de wrote:
 Hi,

 Am Thursday 18 November 2010 19:34:58 schrieb Robbie Williamson:
 On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
  On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
   On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
 I think this screen is a good idea if in fact tasksel is moved to
 after the first boot.
   
We used to have a two-stage installer and it was a nightmare to
maintain for several reasons.  Since we moved to a single-stage
installer several years back, we've burned all the necessary code
with fire and enjoyed it.  Please don't make me go back to that.
  
   What if the Server team maintained the 2nd stage?  Then we'd be making
   life easier for you, right? ;)
 
  Er. :-)
 
  (In seriousness, any good-quality second stage would require some level
  of cooperation from the first stage.  We tried that and it was awful.)

 So I see the 1st stage as just installing the minimal server, then we
 boot to a login prompt...user logs in and can either do his/her business
 as desired or launch the 2nd stage (which they are told about in a 1st
 boot motd-type message).

 Would
  command-to-start-second-stage-installer
 amount to a better usability compared to
  apt-get install openssh-server
 with the original question in mind?

If you didn't get SSH installed the first time around, you're going to
have to mosey back down the datacenter to 'apt-get install
openssh-server' before you can do anything remotely with your server.

The aforementioned command-to-start-second-stage-installer could be
displayed in the MOTD, like our cloud images.  Something like To
finish customizing this server, you can run 'sudo tasksel' now or
whatever.

But that assumes you can *get* to your server.  I'm arguing that SSH
is generally needed to access your server and get to the point where
you can login and do useful things with it after installation (like a
running second stage installer).

:-Dustin


Re: SSH and the Ubuntu Server

2010-11-18 Thread Chuck Short
On 11/18/2010 03:08 PM, Mathias Gug wrote:
 Excerpts from Robbie Williamson's message of Thu Nov 18 13:34:58 -0500 2010:
 On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
 On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
 On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
 On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
 I think this screen is a good idea if in fact tasksel is moved to after
 the first boot.
 We used to have a two-stage installer and it was a nightmare to maintain
 for several reasons.  Since we moved to a single-stage installer several
 years back, we've burned all the necessary code with fire and enjoyed
 it.  Please don't make me go back to that.
 What if the Server team maintained the 2nd stage?  Then we'd be making
 life easier for you, right? ;)
 Er. :-)

 (In seriousness, any good-quality second stage would require some level
 of cooperation from the first stage.  We tried that and it was awful.)
 So I see the 1st stage as just installing the minimal server, then we
 boot to a login prompt...user logs in and can either do his/her business
 as desired or launch the 2nd stage (which they are told about in a 1st
 boot motd-type message).

 I'd add that the 2nd stage would just be tasksel.

 I don't know what the 2-stage installer was like back in the old days.
 The proposal discussed at UDS was:

   * to have the installer create a minimal-lean install (ie 1st
 stage - same thing as of today). It creates a basic working system
 which upon reboot can be configured for its final role (either by a
 sysadmin via a console or ssh login [1] or a configuration management
 system such as puppet, chef, cfengine, shell script, etc...).

   * Remove the tasksel step in the installer and add a note in the
 motd pointing to tasksel so that a sysadmin can finish the
 configuration of the system after reboot (as outlined in [1] above).

 This would provide a similar user experience to the one provided by
 the Ubuntu cloud images on EC2 and UEC. Once an instance is started
 the following text is displayed upon login into it via ssh:

   -
   At the moment, only the core of the system is installed. To tune the
   system to your needs, you can choose to install one or more
   predefined collections of software by running the following
   command:

  sudo tasksel --section server
   -

 A similar message would be displayed when a user logs into the
 newly-installed system (either via console or ssh).


Hi,

If that is what you were thinking of as a second stage installer, then I
think you might want something in between, functionality wise, d-i and a
yast type program. But simpler.

chuck


Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
 On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote: 
  On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
   What if the Server team maintained the 2nd stage?  Then we'd be making
   life easier for you, right? ;)
  
  Er. :-)
  
  (In seriousness, any good-quality second stage would require some level
  of cooperation from the first stage.  We tried that and it was awful.)
 
 So I see the 1st stage as just installing the minimal server, then we
 boot to a login prompt...user logs in and can either do his/her business
 as desired or launch the 2nd stage (which they are told about in a 1st
 boot motd-type message).

The problem is that doing task selection in the second stage, for a CD
installer, requires keeping copies of a bunch of packages because it's
quite plausible that the user ejected the CD.  The code necessary for
this was horrific, and I think the problems with it are fundamental.

It's really much better to do the whole installation in one go, IMO.

-- 
Colin Watson   [cjwat...@ubuntu.com]


Re: SSH and the Ubuntu Server

2010-11-18 Thread Alex Chiang
* Dustin Kirkland kirkl...@ubuntu.com:
 
 If you didn't get SSH installed the first time around, you're going to
 have to mosey back down the datacenter to 'apt-get install
 openssh-server' before you can do anything remotely with your server.
[...]
 But that assumes you can *get* to your server.  I'm arguing that SSH
 is generally needed to access your server and get to the point where
 you can login and do useful things with it after installation (like a
 running second stage installer).

I would expect that a data center set up in this manner would
also have remote serial consoles to all the machines there too,
using conserver or conman or something similar.

At least that's how I'd set up *my* data center. ;)

In the event that it is a common setup, it reduces the strength
of the argument of needing to go back to the machine room to apt-get
install openssh-server.

But of course, that is speculation on my part. I have no data as
to how common remote serial consoles actually are in data
centers.

If someone has a better feel for it than I, it would be useful
data.

/ac


Re: SSH and the Ubuntu Server

2010-11-18 Thread sam tygier
On 17/11/10 21:38, Dustin Kirkland wrote:
 This proposal requests that:
   1) a new prompt be added to the Ubuntu Server installer
   2) this prompt be dedicated to the boolean installation, or
 non-installation, of the SSH service, as an essential facet of a
 typical server
   3) the cursor highlights the affirmative (yes, please install SSH),
 but awaits the user's conscious decision

you could make the ssh server recommend denyhosts or fail2ban (both prevent
brute force attacks by blocking hosts that make too many failed login attempts)

sam


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
I inadvertently left ubuntu-server@ off of the original distribution.

Sorry about that.  CC'ing now.

There are a few responses already in the thread:
 * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html

Thanks,
Dustin

On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland kirkl...@ubuntu.com wrote:
 Ubuntu has long maintained a no open ports by default policy.  This
 conservative approach arguably yields a more secure default
 installation.  Several exceptions have been granted to this policy,
 which install services on the target system without the user's
 explicit consent, but in the calculated interest and support of a
 vastly more usable Ubuntu.

 Let me be clear: I am NOT requesting that sort of an exception.

 I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
 Technical Board approval of a new prompt in the Ubuntu Server ISO's
 text-based installer, which would read something like the following:

  --
 |  If you need a secure connection to this
 |  server remotely, you may wish to install
 |  the openssh-server package.  Note that
 |  this service will open TCP port 22 on
 |  your system, and you should use a very
 |  strong password.
 |
 |  Do you want to install the SSH service?
 |
 |        [[YES]]        [no]
  --

 Rest assured that the exact text will be word-smithed by an
 appropriate committee to hash out an optimum verbiage.

 This proposal requests that:
  1) a new prompt be added to the Ubuntu Server installer
  2) this prompt be dedicated to the boolean installation, or
 non-installation, of the SSH service, as an essential facet of a
 typical server
  3) the cursor highlights the affirmative (yes, please install SSH),
 but awaits the user's conscious decision

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu
    - SSH is more fundamental to a server than the higher level
 profile selections for:
      DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
  2) users of the installation ISO will have the option to not install
 SSH, as they so desire
    - it is quite well understood that some users may not want SSH
 installed on their server
  3) highlighting the YES option on this page is absolutely essential
 to addressing this usability issue
    - and that selection is easily overridden by hitting <tab><enter>,
 or by experienced admins in preseed configurations

 Please consider that the very definition of a server implies that
 the system is running a service.  Moreover, our official Ubuntu
 Server images as published for the Amazon EC2 cloud are, in fact,
 running SSH by default listening on port 22 on the unrestricted
 Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
 Cloud installation by the very same ISO installs SSH on every
 UEC system deployed.  This is not unprecedented.

 Having discussed the proposal with a subset of this audience (at UDS
 and in IRC), here are some known FAQs:

  Q: WTF?!?  Ubuntu has no open ports by default!
  A: That depends on which Ubuntu you mean.  Ubuntu-in-the-cloud runs
 SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
 importantly, this is not a run by default proposal.  We have already
 compromised on that subject, culminating in this proposal, which is
 simply about providing Server users with an obvious way to install the
 typically essential SSH service.

  Q: Why not default the cursor on that question to No, instead of Yes?
  A: That totally bypasses the value of this proposal, and is only
 microscopically better than what we currently have, where Ubuntu
 Server users must go out of their way to add one of the most
 fundamental packages to almost any server installation.  The proposal,
 as it stands, is already a compromise from the original suggestion at
 UDS; which was, if you're installing a server, you're expecting to
 run a service, so let's just install SSH by default.  That idea is
 entirely out of scope now.  We are proposing this installer question
 as a reasonable compromise.

  Q: What if the openssh-server package is compromised on the ISO?
  A: Although this has happened before, it is relatively rare over the
 history of Ubuntu.  If/when this happens again, we would need to:
    a) recommend that people choose no when prompted, and install
 SSH post-installation from the security archive (same as we would do
 now, actually)
    b) and probably respin the ISOs (also been done before)

  Q: Why don't we disable password authentication?
  A: We could do this, and ask users to provide a public SSH key (or
 even just a simple Launchpad userid whose public key we could securely
 import).  This would probably involve adding another page to the
 installer, public SSH keys are hard to memorize, while others will
 almost certainly object to even 

Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
(Please, in future, do not cross-post between the moderated ubuntu-devel
and the unmoderated ubuntu-devel-discuss.  Doing so produces time lags
which confuse people.)

On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
 I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
 Technical Board approval of a new prompt in the Ubuntu Server ISO's
 text-based installer, which would read something like the following:
 
  --
 |  If you need a secure connection to this
 |  server remotely, you may wish to install
 |  the openssh-server package.  Note that
 |  this service will open TCP port 22 on
 |  your system, and you should use a very
 |  strong password.
 |
 |  Do you want to install the SSH service?
 |
 |        [[YES]]        [no]
  --
 
 Rest assured that the exact text will be word-smithed by an
 appropriate committee to hash out an optimum verbiage.

Without wishing to express any opinion either way: this is an
excessively painful choice of implementation.  If you want to default it
to yes, it would be sufficient, and much easier (take it from me, I'm
the one who gets to deal with the translation merge workload when you
guys add questions ...) to check the SSH server entry in tasksel by
default.

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu

No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
very top entry on the tasksel menu, and the cursor rests on it when you
reach that screen.

 - and that selection is easily overridden by hitting <tab><enter>,
 or by experienced admins in preseed configurations

We change preseeding too much, and it requires work from admins each
time they bump to a new Ubuntu release.  Many of those admins turn up on
#ubuntu-installer and ask for help.  The load is not insignificant.

Cheers,

-- 
Colin Watson   [cjwat...@ubuntu.com]


Re: SSH and the Ubuntu Server

2010-11-18 Thread Scott Kitterman
On Thursday, November 18, 2010 04:21:42 am sam tygier wrote:
 On 17/11/10 21:38, Dustin Kirkland wrote:
  This proposal requests that:
1) a new prompt be added to the Ubuntu Server installer
2) this prompt be dedicated to the boolean installation, or
  
  non-installation, of the SSH service, as an essential facet of a
  typical server
  
3) the cursor highlights the affirmative (yes, please install SSH),
  
  but awaits the user's conscious decision
 
 you could make the ssh server recommend denyhosts or fail2ban (both prevent
 brute force attacks by blocking hosts that make too many failed login
 attempts)

No.  This is a bad idea.  There are too many different ways to solve this 
problem (and IMO these are not the most robust) to impose a default on the 
user.

Scott K


Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
 I think this screen is a good idea if in fact tasksel is moved to after
 the first boot.

We used to have a two-stage installer and it was a nightmare to maintain
for several reasons.  Since we moved to a single-stage installer several
years back, we've burned all the necessary code with fire and enjoyed
it.  Please don't make me go back to that.

-- 
Colin Watson   [cjwat...@ubuntu.com]


Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
On Thu, Nov 18, 2010 at 10:51:29AM -0500, Scott Kitterman wrote:
 I think this seriously undervalues the many benefits of your proposal.  The
 concern I have with defaulting a new question to yes the first time it appears
 is that if someone has a standard preseed they are using this will change what
 they get installed and they will never see the question (If I understand how
 all this works correctly and that's not certain).

You are in general correct.  (There are some workarounds for that kind
of thing, but they're nasty and not particularly robust.)

 I would propose that the question should at least exist in an LTS release with
 a conservative default (no in this case) before defaulting to the less
 conservative default.  My thought would be to do all as you propose, except
 leave it as default No for now and then consider switching to yes in 12.10.

My counter-proposal would be to see how things work out with the
openssh-server task at the top of tasksel's menu, as it now is in Natty.
We haven't given that enough time (there hasn't even been a milestone
containing it yet!) to see how it works out for server users.

-- 
Colin Watson   [cjwat...@ubuntu.com]
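
The preseed concern raised by Scott and confirmed by Colin above can be checked before moving to a new release. The following is an added example, not part of the thread or of any Ubuntu code: it classifies preseed files by whether they settle the SSH choice through the existing tasksel/first and pkgsel/include keys or leave it to the installer's default. The file names and preseed contents are constructed samples; a new dedicated installer question would need its own key, which the thread does not name.

```python
"""Classify debian-installer preseed files by how they settle the SSH choice.

Added example; not code from the thread or from any Ubuntu project.
"""
import re

SSH_NAME = "openssh-server"  # task and package name used in the thread

INSTALLED_BY_PACKAGE = "installed via pkgsel/include"
INSTALLED_BY_TASK = "installed via tasksel/first"
PINNED_WITHOUT_SSH = "not installed: tasksel/first is pinned without it"
FOLLOWS_DEFAULT = "unpinned: follows the installer's default"

# Constructed sample preseeds (file names and contents are illustrative).
SAMPLES = {
    "site-defaults.cfg": """\
# says nothing about tasks or extra packages
d-i debian-installer/locale string en_US
d-i netcfg/get_hostname string web01
""",
    "db.cfg": """\
d-i netcfg/get_hostname string db01
tasksel tasksel/first multiselect lamp-server, \\
    openssh-server
""",
    "kiosk.cfg": """\
tasksel tasksel/first multiselect lamp-server
#d-i pkgsel/include string openssh-server
""",
    "build.cfg": """\
tasksel tasksel/first multiselect
d-i pkgsel/include string build-essential openssh-server
""",
}


def parse_preseed(text):
    """Return {question: value}; a later line overrides an earlier one."""
    answers = {}
    # Join backslash-continued lines, condensing the break to one space.
    joined = re.sub(r"[ \t]*\\\n[ \t]*", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out answer
        # Fields: owner, question, type, then a value that may hold spaces.
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        answers[fields[1]] = fields[3].strip() if len(fields) == 4 else ""
    return answers


def ssh_decision(text):
    """Say how one preseed file settles (or fails to settle) the SSH choice."""
    answers = parse_preseed(text)
    # pkgsel/include is a space-separated package list.
    if SSH_NAME in answers.get("pkgsel/include", "").split():
        return INSTALLED_BY_PACKAGE
    # tasksel/first is a comma-separated task list; once it is preseeded,
    # the task menu's default ticks no longer matter.
    if "tasksel/first" in answers:
        tasks = [t.strip() for t in answers["tasksel/first"].split(",")]
        if SSH_NAME in tasks:
            return INSTALLED_BY_TASK
        return PINNED_WITHOUT_SSH
    # Neither key is present: the result changes if the default changes.
    return FOLLOWS_DEFAULT


def unpinned(files):
    """Names of preseed files whose SSH outcome depends on the default."""
    return sorted(n for n, t in files.items()
                  if ssh_decision(t) == FOLLOWS_DEFAULT)


if __name__ == "__main__":
    for name in sorted(SAMPLES):
        print(f"{name:20} {ssh_decision(SAMPLES[name])}")
    print("review before upgrading:", ", ".join(unpinned(SAMPLES)))
```

Files reported as unpinned are the ones whose installed package set would change without any prompt if the default for SSH were flipped.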


Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson cjwat...@ubuntu.com wrote:
 (Please, in future, do not cross-post between the moderated ubuntu-devel
 and the unmoderated ubuntu-devel-discuss.  Doing so produces time lags
 which confuse people.)

Dang.  Sorry, Colin.  Live and learn.

 On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
 I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
 Technical Board approval of a new prompt in the Ubuntu Server ISO's
 text-based installer, which would read something like the following:

  --
 |  If you need a secure connection to this
 |  server remotely, you may wish to install
 |  the openssh-server package.  Note that
 |  this service will open TCP port 22 on
 |  your system, and you should use a very
 |  strong password.
 |
 |  Do you want to install the SSH service?
 |
 |        [[YES]]        [no]
  --

 Rest assured that the exact text will be word-smithed by an
 appropriate committee to hash out an optimum verbiage.

 Without wishing to express any opinion either way: this is an
 excessively painful choice of implementation.  If you want to default it
 to yes, it would be sufficient, and much easier (take it from me, I'm
 the one who gets to deal with the translation merge workload when you
 guys add questions ...) to check the SSH server entry in tasksel by
 default.

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu

 No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
 very top entry on the tasksel menu, and the cursor rests on it when you
 reach that screen.

Right, that's a great change.  Makes it more obvious.

I can concede your point that adding the proposed page to the
installer would create work for you, which of course, is not my goal.

I would gladly revise this proposal to simply:
 * Automatically 'tick' OpenSSH Server by default on the Server Tasksel screen

Which would also sit there and wait for the user to consciously affirm
their selection, and would avoid the countless server installations
where people forget to install SSH and must make their way back to a
console on their newly installed system and add the openssh-server
package.

:-Dustin


Re: SSH and the Ubuntu Server

2010-11-18 Thread Martin Pitt
Dustin Kirkland [2010-11-18 10:57 -0600]:
 On Thu, Nov 18, 2010 at 10:00 AM, Serge Hallyn
  Forgive me if the answer is obvious - but how is this any
  better then than simply expecting users to click 'ssh server'
  in the tasksel window which always comes up?
 
 It's not any better, Serge.  :-(

My first knee-jerk reaction to your initial mail was the same as
Serge's -- I think it would be absolutely straightforward to enable
ssh server by default by enabling this task, and it remains a
conscious decision by the user.

However, I'm a bit confused by your answer -- are you saying that the
ssh task is enough to accomplish this, or that you don't consider
that good enough?

Thanks,

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)



Re: SSH and the Ubuntu Server

2010-11-18 Thread Robbie Williamson
On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote: 
 On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
  On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: 
   On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
    I think this screen is a good idea if in fact tasksel is moved to after
    the first boot.
   
   We used to have a two-stage installer and it was a nightmare to maintain
   for several reasons.  Since we moved to a single-stage installer several
   years back, we've burned all the necessary code with fire and enjoyed
   it.  Please don't make me go back to that.
  
  What if the Server team maintained the 2nd stage?  Then we'd be making
  life easier for you, right? ;)
 
 Er. :-)
 
 (In seriousness, any good-quality second stage would require some level
 of cooperation from the first stage.  We tried that and it was awful.)

So I see the 1st stage as just installing the minimal server, then we
boot to a login prompt...user logs in and can either do his/her business
as desired or launch the 2nd stage (which they are told about in a 1st
boot motd-type message).

-Robbie

 
 -- 
 Colin Watson   [cjwat...@ubuntu.com]
 


-- 
Robbie Williamson rob...@ubuntu.com
Ubuntu robbiew[irc.freenode.net]
   

You can't be lucky all the time, but you can be smart everyday 
 -Mos Def

Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you. -Me ;)




Re: SSH and the Ubuntu Server

2010-11-18 Thread C de-Avillez
On 11/18/2010 09:49 AM, Marc Deslauriers wrote:

  Q: What if the openssh-server package is compromised on the ISO?
  A: Although this has happened before, it is relatively rare over the
 history of Ubuntu.  If/when this happens again, we would need to:
    a) recommend that people choose no when prompted, and install
 SSH post-installation from the security archive (same as we would do
 now, actually)
    b) and probably respin the ISOs (also been done before)
 
 This isn't the only reason to not have SSH by default. My point was not
 having SSH installed by default before the administrator can properly
 secure a server, including installing security updates, and configuring
 ssh to respond to a particular network interface with password
 authentication disabled.

I do not see this as a major issue: in corporate environments (where
you will usually find multiple network interfaces) a system is
installed in a protected area (either physically, or network-wise,
or both). It is not just installing the basic system, but all the
necessary configuration that needs to be done. Only after this
post-install configuration a system will be set in the
firewalls/routers.

On the other hand, having SSH installed by default will help the
majority of corporate users: we go (either physically, or via a
serial console), install, and then happily use SSH to configure the
rest of the system (and get out of the -- usually -- lights-out and
cold environment, or off the bloody serial console).


  Q: Why don't we disable password authentication?
  A: We could do this, and ask users to provide a public SSH key (or
 even just a simple Launchpad userid whose public key we could securely
 import).  This would probably involve adding another page to the
 installer, public SSH keys are hard to memorize, while others will
 almost certainly object to even optionally tying their Launchpad ID to
 Ubuntu installations.  Most importantly, Ubuntu does not set a root
 password, so an attacker would need to guess BOTH the username AND
 password.
 
 Password authentication should definitely be disabled when SSH servers
 are exposed to untrusted networks. But in a lot of cases though, SSH
 password authentication is acceptable, such as on my home network, or in
 a corporate environment where the SSH port is restricted behind a
 firewall.

I respectfully disagree. Password authentication should be disabled
by default. Downgrading security -- in corporate environments --
usually requires a formal risk acceptance process. Also, in every
audit I participated in, a system accepting SSH password authentication
would be flagged as an audit finding, and documentation would be
required to justify it.

It strikes me as inconsistent that we allow a known risk as default.
It should be the other way: if I want to downgrade security, I have
to explicitly choose to do so.

Of course, in this discussion, having only PK-authentication would
require either the person installing to provide an out-of-band
public key, or the installer to have this option.

 I don't think disabling SSH password authentication is something that
 can realistically be done by default for now.
 
  Q: What if I want a different sshd configuration than what's shipped
 by default in Ubuntu, before running sshd?
  A: You sound like an advanced user; please preseed your installation,
 or add SSH after the initial install (as you would do now).
 
 Securing your ssh installation is mentioned in every single security
 checklist I've seen. This isn't something only advanced users need to
 do. Making novice users install SSH without knowing the impact of doing
 so is not something we should be recommending.

Even more reason for us to provide a sensible -- and more secure --
default SSH configuration.

Cheers,

..C..
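
The two hardening steps debated in the message above (password authentication disabled, sshd answering only on a particular interface) can be checked mechanically, much as an audit would flag them. The following is an added example, not part of the thread: a small Python audit of `sshd_config` text. The sample configs, addresses and function names are constructed for illustration, and the defaults table assumes upstream OpenSSH defaults.

```python
import re
import shlex

# Upstream OpenSSH defaults when a keyword is absent (assumption: no distro
# patch or Include file changes them).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
# Older configs spell the keyboard-interactive switch with its deprecated name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WILDCARDS = {"0.0.0.0", "::"}
WHY = {
    "passwordauthentication": "password logins are accepted",
    "kbdinteractiveauthentication": "keyboard-interactive (PAM) can still prompt for a password",
}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse(text):
    """Return (global settings, ListenAddress values, Match-block overrides)."""
    settings, listen, overrides = {}, [], []
    match = None  # criteria of the Match block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        try:
            args = shlex.split(m.group(2))  # honours quoted arguments
        except ValueError:
            args = m.group(2).split()
        if not args:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            match = " ".join(args)  # everything up to the next Match is conditional
        elif key == "listenaddress":
            listen.append(args[0])  # may be given several times
        elif match is None:
            settings.setdefault(key, args[0].lower())  # sshd keeps the first value
        else:
            overrides.append((match, key, args[0].lower()))
    return settings, listen, overrides


def listen_host(value):
    """Strip the optional port from a ListenAddress argument."""
    if value.startswith("["):
        return value[1:value.index("]")]
    if value.count(":") == 1:  # host:port; a bare IPv6 address has more colons
        return value.split(":")[0]
    return value


def audit(text):
    """Return a list of (keyword, reason) findings; empty means both steps are done."""
    settings, listen, overrides = parse(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = settings.get(key, default)
        if value != "no":
            origin = "explicit" if key in settings else "default"
            findings.append((key, f"{value} ({origin}): {WHY[key]}"))
    for criteria, key, value in overrides:
        if key in DEFAULTS and value != "no":
            findings.append((key, f"re-enabled inside 'Match {criteria}'"))
    if not listen:
        findings.append(("listenaddress", "not set: sshd binds every interface"))
    for host in map(listen_host, listen):
        if host in WILDCARDS:
            findings.append(("listenaddress", f"{host} is a wildcard bind"))
    return findings


# Constructed sample: nothing hardened, as right after package installation.
AS_INSTALLED = """
Port 22
UsePAM yes
"""

# Constructed sample: key-only logins on one management address.
HARDENED = """
ListenAddress 192.0.2.10:22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# A later duplicate does not win; sshd keeps the first value it reads.
PasswordAuthentication yes
"""

# Constructed sample: passwords allowed again for one trusted network, the kind
# of exception an audit would expect to see documented.
MATCH_OVERRIDE = HARDENED + "Match Address 10.0.0.0/8\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("AS_INSTALLED", "HARDENED", "MATCH_OVERRIDE"):
        print(name, audit(globals()[name]))
```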





Re: SSH and the Ubuntu Server

2010-11-18 Thread Mathias Gug
Excerpts from Robbie Williamson's message of Thu Nov 18 13:34:58 -0500 2010:
 On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote: 
  On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
   On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: 
    On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
     I think this screen is a good idea if in fact tasksel is moved to after
     the first boot.

    We used to have a two-stage installer and it was a nightmare to maintain
    for several reasons.  Since we moved to a single-stage installer several
    years back, we've burned all the necessary code with fire and enjoyed
    it.  Please don't make me go back to that.
   
   What if the Server team maintained the 2nd stage?  Then we'd be making
   life easier for you, right? ;)
  
  Er. :-)
  
  (In seriousness, any good-quality second stage would require some level
  of cooperation from the first stage.  We tried that and it was awful.)
 
 So I see the 1st stage as just installing the minimal server, then we
 boot to a login prompt...user logs in and can either do his/her business
 as desired or launch the 2nd stage (which they are told about in a 1st
 boot motd-type message).
 

I'd add that the 2nd stage would just be tasksel.

I don't know what the 2-stage installer was like back in the old days.
The proposal discussed at UDS was:

 * to have the installer create a minimal-lean install (ie 1st
   stage - same thing as of today). It creates a basic working system
   which upon reboot can be configured for its final role (either by a
   sysadmin via a console or ssh login [1] or a configuration management
   system such as puppet, chef, cfengine, shell script, etc...).

 * Remove the tasksel step in the installer and add a note in the
   motd pointing to tasksel so that a sysadmin can finish the
   configuration of the system after reboot (as outlined in [1] above).

   This would provide a similar user experience to the one provided by
   the Ubuntu cloud images on EC2 and UEC. Once an instance is started
   the following text is displayed upon login into it via ssh:

 -
 At the moment, only the core of the system is installed. To tune the 
 system to your needs, you can choose to install one or more  
 predefined collections of software by running the following  
 command: 

sudo tasksel --section server 
 -

   A similar message would be displayed when a user logs into the
   newly-installed system (either via console or ssh).

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



Re: SSH and the Ubuntu Server

2010-11-18 Thread Colin Watson
On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
 On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote: 
  On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
   What if the Server team maintained the 2nd stage?  Then we'd be making
   life easier for you, right? ;)
  
  Er. :-)
  
  (In seriousness, any good-quality second stage would require some level
  of cooperation from the first stage.  We tried that and it was awful.)
 
 So I see the 1st stage as just installing the minimal server, then we
 boot to a login prompt...user logs in and can either do his/her business
 as desired or launch the 2nd stage (which they are told about in a 1st
 boot motd-type message).

The problem is that doing task selection in the second stage, for a CD
installer, requires keeping copies of a bunch of packages because it's
quite plausible that the user ejected the CD.  The code necessary for
this was horrific, and I think the problems with it are fundamental.

It's really much better to do the whole installation in one go, IMO.

-- 
Colin Watson   [cjwat...@ubuntu.com]



Re: SSH and the Ubuntu Server

2010-11-18 Thread Mathias Gug
Excerpts from Colin Watson's message of Thu Nov 18 18:39:33 -0500 2010:
 On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
  On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote: 
   On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
    What if the Server team maintained the 2nd stage?  Then we'd be making
    life easier for you, right? ;)
   
   Er. :-)
   
   (In seriousness, any good-quality second stage would require some level
   of cooperation from the first stage.  We tried that and it was awful.)
  
  So I see the 1st stage as just installing the minimal server, then we
  boot to a login prompt...user logs in and can either do his/her business
  as desired or launch the 2nd stage (which they are told about in a 1st
  boot motd-type message).
 
 The problem is that doing task selection in the second stage, for a CD
 installer, requires keeping copies of a bunch of packages because it's
 quite plausible that the user ejected the CD.  The code necessary for
 this was horrific, and I think the problems with it are fundamental.
 

Good point. I'd suggest to keep on the -server iso only the packages
that are required to create a minimal/lean install. The assumption is
that upon reboot the system will have access to an archive via the
network (which is different from having access to the Internet).

 It's really much better to do the whole installation in one go, IMO.

Agreed. And there is only one choice for the whole installation: a
minimal/lean install (as the tasksel screen would be removed from the
installer - or replaced with a message suggesting that system can be
configured for certain roles (with a list of examples) once it has
rebooted).

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



Re: SSH and the Ubuntu Server

2010-11-18 Thread Clint Byrum
On Thu, 2010-11-18 at 23:39 +, Colin Watson wrote:
 On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
  So I see the 1st stage as just installing the minimal server, then we
  boot to a login prompt...user logs in and can either do his/her business
  as desired or launch the 2nd stage (which they are told about in a 1st
  boot motd-type message).
 
 The problem is that doing task selection in the second stage, for a CD
 installer, requires keeping copies of a bunch of packages because it's
 quite plausible that the user ejected the CD.  The code necessary for
 this was horrific, and I think the problems with it are fundamental.
 
 It's really much better to do the whole installation in one go, IMO.

We weren't even considering using the CD during the 2nd stage. I happen
to think that trying to use the CD after the installer is done, as
anything other than a source for a local package mirror, is more trouble
than it is worth.

I sat here and tried to type out my reasons for still wanting a 2 stage
installer, but I couldn't make sense of it. I think you're right. One
install, with really well thought out defaults and not too many
questions seems the simplest (but not too simple) solution.




Re: SSH and the Ubuntu Server

2010-11-17 Thread Kees Cook
On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
 Ubuntu has long maintained a no open ports by default policy.

https://wiki.ubuntu.com/SecurityTeam/Policies#No%20Open%20Ports
Default installations of Ubuntu must have no listening network services
after initial install.

One point of these policies is to provide users with a clear set of
guarantees they can depend on when planning their use of Ubuntu.

 Several exceptions have been granted to this policy,

To clarify, it is actually a class of services that have a standing
exception: those that are required to become a member of the network itself
(network infrastructure services), so far: DHCP, IPv4LL, and mDNS.

 Let me be clear: I am NOT requesting that sort of an exception.

Then it will be the language of the first sentence that matters.

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu
 - SSH is more fundamental to a server than the higher level
 profile selections for:
   DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed, this makes perfect sense to me -- there is a large number of Ubuntu
Server users that immediately install openssh-server after the install is
finished.

  3) highlighting the YES option on this page is absolutely essential
 to addressing this usability issue
 - and that selection is easily overridden by hitting <tab><enter>,
 or by experienced admins in preseed configurations

I suspect this will be the core of the argument, and how it relates to
the definition of default installation. I would argue that hitting
enter on all questions without reading them would result in a default
installation. Taking this approach means highlighting no by default
would be policy-safe way to add this prompt.

 Please consider that the very definition of a server implies that
 the system is running a service.

Well, I think this point is less clear-cut. There are people genuinely
interested in not running SSH. But, if it goes this way, then the argument
is centered around installations of Ubuntu for the definition of
Ubuntu. Does that mean only Desktop? I would argue that it has meant
Desktop and Server, since security policy and features apply to both
equally.

 Moreover, our official Ubuntu
 Server images as published for the Amazon EC2 cloud are, in fact,
 running SSH by default listening on port 22 on the unrestricted
 Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
 Cloud installation by the very same ISO installs SSH on every
 UEC system deployed. This is not unprecedented.

It was argued to me that Ubuntu Enterprise Cloud and Ubuntu EC2 AMIs
are not default installations of Ubuntu, again centering around what
Ubuntu in the policy means. If this holds, then the language around
the policy should be clarified to handle these existing situations at the
same time as solving the Server with SSH situation.

-Kees

-- 
Kees Cook
Ubuntu Security Team



Re: SSH and the Ubuntu Server

2010-11-17 Thread Clint Byrum
On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:

 
 This proposal requests that:
  1) a new prompt be added to the Ubuntu Server installer
  2) this prompt be dedicated to the boolean installation, or
 non-installation, of the SSH service, as an essential facet of a
 typical server

+1 for adding this prompt

  3) the cursor highlights the affirmative (yes, please install SSH),
 but awaits the user's conscious decision
 

-1 for having it default to Yes.

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu
 - SSH is more fundamental to a server than the higher level
 profile selections for:
   DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed completely.

  2) users of the installation ISO will have the option to not install
 SSH, as they so desire
 - it is quite well understood that some users may not want SSH
 installed on their server

I'd rather assume that those who do want SSH will be looking for the
option to enable it, and those who do not, won't be accidentally exposed
to any problems that it includes.

  3) highlighting the YES option on this page is absolutely essential
 to addressing this usability issue

Side stepping the issue of what is a default install, I would like to
delve into the usage of the term 'usability' in the above sentence.

I think setting it to No by default in the first iteration of this
prompt may be a little less controversial. If users are still
complaining that I always have to stop at that point and hit tab,enter
to enable ssh then I could see making a usability argument. However,
it's also annoying that sudo times out and asks for the admin password
after a while, one could even argue it is less usable, but it is *far*
more secure as a default setting. Any more secure and it would be
unbearable. Any less, and it wouldn't help users much.

 - and that selection is easily overridden by hitting <tab><enter>,
 or by experienced admins in preseed configurations
 

The same is true if it is No, and can be changed to Yes. This is
precisely why I think this particular selection (default to yes, or
default to no) isn't really a usability issue, but a secure default
issue.

The usability issue arises when one says no. Then it's not totally clear
after the install finishes how to enable SSH access so you can leave the
server room/closet/etc and go back to your desk to admin the darn thing.
However, I think it's fair to also add this to the first boot motd,
something like Looking for SSH? Install it with sudo aptitude install
openssh-server.

 Please consider that the very definition of a server implies that
 the system is running a service.  Moreover, our official Ubuntu
 Server images as published for the Amazon EC2 cloud are, in fact,
 running SSH by default listening on port 22 on the unrestricted
 Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
 Cloud installation by the very same ISO installs SSH on every
 UEC system deployed.  This is not unprecedented.
 

The default Amazon security group allows nothing from the internet:

Firewall: Amazon EC2 provides a complete firewall solution; this
mandatory inbound firewall is configured in a default deny mode and the
Amazon EC2 customer must explicitly open any ports to allow inbound
traffic. The traffic may be restricted by protocol, by service port, as
well as by source IP address (individual IP or CIDR block).[1]

I recall being puzzled the first time I spawned an EC2 node and not
being able to SSH to it, but soon finding it comforting that I could
only SSH to my instances from the class C that my home connection sits
on after adding that explicitly to the security group.

I don't know how Euca/UEC security zones are set up by default.

Also consider that there are plenty of servers built to do data
collection only, without ever being remotely managed. Yes, this is
probably less than 1% of installed servers, but I think it's unfair to
characterize these systems as not servers because they do not allow
incoming connections or remote management. 

In the context of this discussion though, this actually suggests that
for these few weird systems, stopping to switch to No, would seem
natural.

 Having discussed the proposal with a subset of this audience (at UDS
 and in IRC), here are some known FAQs:
 
  Q: WTF?!?  Ubuntu has no open ports by default!
  A: That depends on which Ubuntu you mean.  Ubuntu-in-the-cloud runs
 SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
 importantly, this is not a run by default proposal.  We have already
 compromised on that subject, culminating in this proposal, which is
 simply about providing Server users with an obvious way to install the
 typically essential SSH service.
 

I agree with Kees, that settling the choice on Yes is, in fact, a
default. However, settling it on No is a fantastic idea and doesn't in
any way incite 

Re: SSH and the Ubuntu Server

2010-11-17 Thread Stephan Hermann
Hi Dustin,

On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
 Ubuntu has long maintained a no open ports by default policy.  This
 conservative approach arguably yields a more secure default
 installation.  Several exceptions have been granted to this policy,
 which install services on the target system without the user's
 explicit consent, but in the calculated interest and support of a
 vastly more usable Ubuntu.
 
 Let me be clear: I am NOT requesting that sort of an exception.
 
 I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
 Technical Board approval of a new prompt in the Ubuntu Server ISO's
 text-based installer, which would read something like the following:
 
  --
 |  If you need a secure connection to this
 |  server remotely, you may wish to install
 |  the openssh-server package.  Note that
 |  this service will open TCP port 22 on
 |  your system, and you should use a very
 |  strong password.
 |
 |  Do you want to install the SSH service?
 |
 |[[YES]][no]
  --
 
 Rest assured that the exact text will be word-smithed by an
 appropriate committee to hash out an optimum verbiage.

If such a message would be displayed during alternative setup from CD,
it would give me a shock. 
It's just like 

If you need a UI for this Desktop you may wish to install GNOME. Note
that this choice will install hundreds of other packages which can or
can not harm/destroy/pollute your system, and you should reconsider your
choice.

Do you want to install GNOME on your System?

[[YES]] [no]


First of all, I think for Ubuntu Server the SSHD service should be
enabled by default, eventually having a question on what IP interface
the service should be listening and eventually giving a possibility to
push a ssh public key to the box (please not via Launchpad or other web
based services). SSHD is (for me) an essential server service.

Having SSHD not enabled by default on Servers is a bit of a strange
behaviour, regarding other enterprise-based distros.

On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
server, and there it shouldn't be installed or when installed, it
shouldn't be enabled.

A newly introduced service which opens a port could be documented in the
release notes and other prominent places.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de






