Re: SSH and the Ubuntu Server
On Fri, Nov 19, 2010 at 4:50 PM, Dustin Kirkland wrote:
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance. Thanks everyone for the lively discussion.

Thank you for the discussions at UDS, in IRC, and in this thread.

Colin's changes to the server tasksel (moving SSH to the top of the list, albeit "unchecked") are a reasonable step towards improving the usability of the server installer. Let's just roll with this for now and evaluate its effectiveness next cycle.

Thanks again! :-)

:-Dustin

Dustin Kirkland
Ubuntu Core Developer

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: SSH and the Ubuntu Server
Good Morning Dustin,

On Fri, 2010-11-19 at 16:50 -0600, Dustin Kirkland wrote:
> Stephan Hermann wrote:
> > Hi Scott,
> >
> > On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> >> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> >> > Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
> >> > different modes (minimal, default, developer workstation), all of
> >> > which a) were running sshd, b) had a root user with a password.
> >>
> >> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
> >> surface for a default RHEL6 install is rather more limited.
> >
> > To be honest, there is no difference in installing RHEL6 with a static
> > ip address or Ubuntu Server with DHCP enabled.
> >
> > I think we need to find out first, what user base we want to point at.
> >
> > The SysAdmin of a Company with Enterprise Classed Datacenter
> > or the guy/gal from around the corner who is testing ubuntu server?
> >
> > The SysAdmin will have network security in place (if not..oh well), and
> > mostly is he/she not using public IP addresses, and/or they setup their
> > DHCPd to match the MACs of the NICs inside their servers.
> >
> > I am now wondering if we really should change something. As long as I'm
> > thinking about the topic, I'm coming to my conclusion, that we just
> > should tick sshd by default during tasksel in the installer, and that's
> > it. For most of the admins out there, it really doesn't matter, because
> > they have other ways to deploy ubuntu server on their servers.
>
> I agree, Stephan.
>
> The installer complexity can be avoided by just ticking the "OpenSSH
> Server" in the top of the tasksel page as you suggest; document that
> change thoroughly and publish it far and wide; note the stronger
> sshd.conf configurations from Marc and the security team in the SSH
> help page.

Yes. We can harden sshd a bit more and document the changes in d-i tasksel via ReleaseNotes and some public announcement on blogs/p.u.c.

> Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.
>
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance. Thanks everyone for the lively discussion.

This is something we need to do anyhow. TB has the final say.

Regards,

\sh

--
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de
Re: SSH and the Ubuntu Server
Quoting Oliver Grawert (o...@ubuntu.com):
> the serial port should be enabled automatically if you set the console=
> boot parameter to a serial tty (i.e. console=ttyS0,115200n8) it's really

Are you sure? Bc when I tried this just last night on a 10.04 server, I still had to create an /etc/init/ttyS0.conf with the obvious contents in order to get a login prompt (even, iirc, boot messages) on ttyS0.

It's not a big deal, but of course it means you have to have some other way of getting into the box after install to set that up first.

-serge
Re: SSH and the Ubuntu Server
hi,

On Friday, 19.11.2010, at 19:03 -0500, Marc Deslauriers wrote:
> On Fri, 2010-11-19 at 17:11 +0100, Soren Hansen wrote:
> > On 18-11-2010 21:59, Alex Chiang wrote:
> > > I would expect that a data center set up in this manner would
> > > also have remote serial consoles to all the machines there too,
> > > using conserver or conman something similar.
> >
> > I wonder if the no-open-ports-by-default policy applies to serial ports
> > as well? If not (which I'm guessing is the case), perhaps this is
> > something we should do set up default?
> >
>
> This is an excellent idea. I've had more than one person ask me why the
> serial port isn't enabled to perform headless installations.

the serial port should be enabled automatically if you set the console= boot parameter to a serial tty (i.e. console=ttyS0,115200n8). It's really a matter of the default console the kernel offers; we should probably have "install through serial", which sets this cmdline, as an option on the first screen.

ciao
oli
Re: SSH and the Ubuntu Server
On Fri, 2010-11-19 at 17:11 +0100, Soren Hansen wrote:
> On 18-11-2010 21:59, Alex Chiang wrote:
> > I would expect that a data center set up in this manner would
> > also have remote serial consoles to all the machines there too,
> > using conserver or conman something similar.
>
> I wonder if the no-open-ports-by-default policy applies to serial ports
> as well? If not (which I'm guessing is the case), perhaps this is
> something we should do set up default?
>

This is an excellent idea. I've had more than one person ask me why the serial port isn't enabled to perform headless installations.

Marc.
Re: SSH and the Ubuntu Server
Stephan Hermann wrote:
> Hi Scott,
>
> On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
>> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
>> > Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
>> > different modes (minimal, default, developer workstation), all of
>> > which a) were running sshd, b) had a root user with a password.
>>
>> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
>> surface for a default RHEL6 install is rather more limited.
>
> To be honest, there is no difference in installing RHEL6 with a static
> ip address or Ubuntu Server with DHCP enabled.
>
> I think we need to find out first, what user base we want to point at.
>
> The SysAdmin of a Company with Enterprise Classed Datacenter
> or the guy/gal from around the corner who is testing ubuntu server?
>
> The SysAdmin will have network security in place (if not..oh well), and
> mostly is he/she not using public IP addresses, and/or they setup their
> DHCPd to match the MACs of the NICs inside their servers.
>
> I am now wondering if we really should change something. As long as I'm
> thinking about the topic, I'm coming to my conclusion, that we just
> should tick sshd by default during tasksel in the installer, and that's
> it. For most of the admins out there, it really doesn't matter, because
> they have other ways to deploy ubuntu server on their servers.

I agree, Stephan.

The installer complexity can be avoided by just ticking the "OpenSSH Server" in the top of the tasksel page as you suggest; document that change thoroughly and publish it far and wide; note the stronger sshd.conf configurations from Marc and the security team in the SSH help page.

Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.

I'm going to redraft the proposal, note that there was no general consensus on the matter in the ubuntu-devel@ mailing list, and ask the Tech Board for guidance. Thanks everyone for the lively discussion.

:-Dustin
Re: SSH and the Ubuntu Server
Hi Scott,

On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> > Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
> > different modes (minimal, default, developer workstation), all of
> > which a) were running sshd, b) had a root user with a password.
>
> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
> surface for a default RHEL6 install is rather more limited.

To be honest, there is no difference in installing RHEL6 with a static ip address or Ubuntu Server with DHCP enabled.

I think we need to find out first, what user base we want to point at.

The SysAdmin of a Company with Enterprise Classed Datacenter or the guy/gal from around the corner who is testing ubuntu server?

The SysAdmin will have network security in place (if not..oh well), and mostly is he/she not using public IP addresses, and/or they setup their DHCPd to match the MACs of the NICs inside their servers.

I am now wondering if we really should change something. As long as I'm thinking about the topic, I'm coming to my conclusion, that we just should tick sshd by default during tasksel in the installer, and that's it. For most of the admins out there, it really doesn't matter, because they have other ways to deploy ubuntu server on their servers.

Regards,

\sh

--
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de
Re: SSH and the Ubuntu Server
On Fri, 2010-11-19 at 13:06 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> > On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > > I want the person installing the server to actually make the choice
> > > > to install ssh in order to realize that doing so may have
> > > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > > > server from the network and configure ssh properly before hooking it
> > > > back up..."
> > >
> > > What does "configure ssh properly" usually entail? Are these some
> > > defaults we can change or offer as follow-on questions if people answer
> > > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > > in a net loss in usability on account of more questions asked, just
> > > trying to get something constructive out of this thread)
> >
> > I think this highly depends on the environment the server is set up in,
> > and is beyond the scope of the installer, but typically one or more of
> > the following:
> >
> > - Limit ssh to a specific network interface
> > - Disable password authentication and copy over keys
> > - Configure AllowUsers and/or AllowGroups
> > - Disable DebianBanner
> > - Configure a firewall to limit connections from specific IPs and enable
> > rate limiting
> > - Configure tcpwrappers to limit connections from specific IPs
> > - Install fail2ban or denyhosts
> > - Add server to corporate IPS ssh-monitored host group
> > - etc.
> >
> > SSH password brute-forcing has been on the SANS Top 20 vulnerability
> > list for the past 10 years or so.
>
> Where do we document this for our users so they can take appropriate actions?

Same place we document everything else: in our wiki and on help.ubuntu.com.

https://help.ubuntu.com/community/SSH
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Marc.
Re: SSH and the Ubuntu Server
On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
> different modes (minimal, default, developer workstation), all of
> which a) were running sshd, b) had a root user with a password.

Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack surface for a default RHEL6 install is rather more limited.

Scott K
Re: SSH and the Ubuntu Server
On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > I want the person installing the server to actually make the choice
> > > to install ssh in order to realize that doing so may have
> > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > > server from the network and configure ssh properly before hooking it
> > > back up..."
> >
> > What does "configure ssh properly" usually entail? Are these some
> > defaults we can change or offer as follow-on questions if people answer
> > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > in a net loss in usability on account of more questions asked, just
> > trying to get something constructive out of this thread)
>
> I think this highly depends on the environment the server is set up in,
> and is beyond the scope of the installer, but typically one or more of
> the following:
>
> - Limit ssh to a specific network interface
> - Disable password authentication and copy over keys
> - Configure AllowUsers and/or AllowGroups
> - Disable DebianBanner
> - Configure a firewall to limit connections from specific IPs and enable
> rate limiting
> - Configure tcpwrappers to limit connections from specific IPs
> - Install fail2ban or denyhosts
> - Add server to corporate IPS ssh-monitored host group
> - etc.
>
> SSH password brute-forcing has been on the SANS Top 20 vulnerability
> list for the past 10 years or so.

Where do we document this for our users so they can take appropriate actions?

Scott K
Re: SSH and the Ubuntu Server
On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> On 18-11-2010 16:49, Marc Deslauriers wrote:
> > I want the person installing the server to actually make the choice
> > to install ssh in order to realize that doing so may have
> > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > server from the network and configure ssh properly before hooking it
> > back up..."
>
> What does "configure ssh properly" usually entail? Are these some
> defaults we can change or offer as follow-on questions if people answer
> "Yes" to this dialog? (Yes, I fully realise that will very likely result
> in a net loss in usability on account of more questions asked, just
> trying to get something constructive out of this thread)
>

I think this highly depends on the environment the server is set up in, and is beyond the scope of the installer, but typically one or more of the following:

- Limit ssh to a specific network interface
- Disable password authentication and copy over keys
- Configure AllowUsers and/or AllowGroups
- Disable DebianBanner
- Configure a firewall to limit connections from specific IPs and enable rate limiting
- Configure tcpwrappers to limit connections from specific IPs
- Install fail2ban or denyhosts
- Add server to corporate IPS ssh-monitored host group
- etc.

SSH password brute-forcing has been on the SANS Top 20 vulnerability list for the past 10 years or so.

Marc.
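Added example (not part of the original message and not Ubuntu tooling): a small Python audit of the items on the list above that live in sshd_config, applying sshd's "first obtained value is used" rule and reporting Match blocks that turn password logins back on. The two sample configurations, the addresses and the group name `sshusers` are constructed for illustration.

```python
import re

# Keywords sshd accumulates across lines; for the rest the first value wins.
ACCUMULATING = {"listenaddress", "allowusers", "allowgroups"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def listen_host(addr):
    """Strip an optional port and IPv6 brackets from a ListenAddress value."""
    if addr.startswith("["):
        return addr[1:].split("]")[0]
    if addr.count(":") == 1:          # IPv4 or hostname followed by :port
        return addr.rsplit(":", 1)[0]
    return addr                       # bare IPv4, hostname or bare IPv6


def parse(text):
    """Return (global_settings, match_blocks) for sshd_config text.

    Settings map a lowercase keyword to a list of values; match_blocks is a
    list of (criteria, settings) pairs, one per Match section.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":            # everything below is conditional
            current = {}
            match_blocks.append((value, current))
        elif key == "listenaddress":
            current.setdefault(key, []).append(value.split()[0])
        elif key in ACCUMULATING:
            current.setdefault(key, []).extend(value.split())
        elif key not in current:      # later duplicates are ignored by sshd
            current[key] = [value]
    return global_settings, match_blocks


def audit(text):
    """Return {check: passed} for the sshd_config-level items on the list."""
    settings, matches = parse(text)

    def first(key, default):
        return settings.get(key, [default])[0].lower()

    listen = [listen_host(a) for a in settings.get("listenaddress", [])]
    return {
        # No ListenAddress at all means sshd listens on every address.
        "listen_specific_interface":
            bool(listen) and not any(a in WILDCARD_ADDRS for a in listen),
        "password_auth_disabled":
            first("passwordauthentication", "yes") == "no",
        "allow_list_configured":
            bool(settings.get("allowusers") or settings.get("allowgroups")),
        "debian_banner_disabled":
            first("debianbanner", "yes") == "no",
        # A Match block can re-enable passwords for some connections.
        "no_match_reenables_passwords": not any(
            s.get("passwordauthentication", ["no"])[0].lower() == "yes"
            for _, s in matches),
    }


# Constructed sample: nothing from the list applied.
UNHARDENED = """\
Port 22
#ListenAddress 0.0.0.0
#PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: the list applied, plus two easy-to-miss lines.
HARDENED_WITH_EXCEPTION = """\
ListenAddress 192.0.2.10:22
PasswordAuthentication no
# The next line has no effect: the first value above is the one sshd uses.
PasswordAuthentication yes
AllowGroups sshusers
DebianBanner no
Match Address 198.51.100.0/24
    # Conditional override: passwords are back for this network.
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED),
                      ("hardened with exception", HARDENED_WITH_EXCEPTION)):
        print(name)
        for check, ok in audit(cfg).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {check}")
```

The firewall, tcpwrappers, fail2ban/denyhosts and IPS items on the list are configured outside sshd_config and are not covered by this check.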
Re: SSH and the Ubuntu Server
Quoting Luke Faraone (lfara...@ubuntu.com):
> On 11/19/2010 11:11 AM, Soren Hansen wrote:
> > I wonder if the no-open-ports-by-default policy applies to serial ports
> > as well? If not (which I'm guessing is the case), perhaps this is
> > something we should do set up default?
>
> I think the issue is network services, not periphery. Enabling serial
> ports with a getty by default would probably be beneficial.

Yes, that would be great.
Re: SSH and the Ubuntu Server
Stephan Hermann wrote:
> Moins,
>
> On Thu, 2010-11-18 at 12:24 -0500, Luke Faraone wrote:
>> On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
>> > On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson wrote:
>> >> No, it's not. In Maverick it was arguably buried. In Natty, it is the
>> >> very top entry on the tasksel menu, and the cursor rests on it when you
>> >> reach that screen.
>> > [snip]
>> >
>> > I would gladly revise this proposal to simply:
>> > * Automatically 'tick' OpenSSH Server by default on the Server Tasksel
>> > screen
>> >
>> > Which would also sit there and wait for the user to consciously affirm
>> > their selection, and would avoid the countless server installations
>> > where people forget to install SSH and must make their way back to a
>> > console on their newly installed system and add the openssh-server
>> > package.
>>
>> As many people have mentioned, this will cause a surprise for users who
>> click through the install dialogs expecting things to not change since
>> they last used it.
>
> Sorry, but this is something which strikes me, really. When we don't
> change things over time, we will never have a better user experience.
> When we change something it needs to be documented in a public place
> where everyone interested can read it first hand.

+1

>> Also, since this occurs late in the install process, no dialogs to
>> prompt the user to harden their password can be offered, as others have
>> suggested.
>
> Oh well, we can change that inside the installer as well. Not prompting
> for a user choice, but choosing a hardened password automatically and
> showing it to the user
> mkpasswd --chars=20 --crypt-md5 or whatever should be enough. that's
> only a technical problem easily to solve.
>
>
>> You say there are "countless" installations. I don't think anybody
>> expects SSH to be automatically installed in a new server; it's a
>> service that should be enabled carefully after consideration of your
>> network environment and security needs. I feel that the potential for
>> harm of accidental installation exceeds the increase in convenience from
>> not having to explicitly select the task.
>
> I think we have more installations of RHEL or SLES in the enterprise
> server market, and they do have sshd enabled by default.
> Even when you install an VMWare ESX host, ssh is enabled by default,
> without the questionable root access.

Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple different modes (minimal, default, developer workstation), all of which a) were running sshd, b) had a root user with a password.

Simply the fact that Ubuntu does not have an active root password by default means that network attacks via ssh must guess BOTH the username AND the password. Choose both wisely and you should be able to repel attacks between the time that your new Ubuntu Server reboots for the first time and the time it takes for you to login for the first time and configure sshd.conf to your liking. If you're actively working the installation, we're talking less than 5 minutes. If you've automated the deployment via puppet or somesuch, it can be far less than that.

:-Dustin
Re: SSH and the Ubuntu Server
On 11/19/2010 11:11 AM, Soren Hansen wrote:
> I wonder if the no-open-ports-by-default policy applies to serial ports
> as well? If not (which I'm guessing is the case), perhaps this is
> something we should do set up default?

I think the issue is network services, not periphery. Enabling serial ports with a getty by default would probably be beneficial.

--
Luke Faraone
Debian / Ubuntu Developer; Sugar Labs, Systems Admin
http://luke.faraone.cc
PGP: 5189 2A7D 16D0 49BB 046B DC77 9732 5DD8 F9FD D506
Re: SSH and the Ubuntu Server
On 18-11-2010 21:59, Alex Chiang wrote:
> I would expect that a data center set up in this manner would
> also have remote serial consoles to all the machines there too,
> using conserver or conman something similar.

I wonder if the no-open-ports-by-default policy applies to serial ports as well? If not (which I'm guessing is the case), perhaps this is something we should do set up default?

--
Soren Hansen
Ubuntu Developer http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/
Re: SSH and the Ubuntu Server
On 18-11-2010 16:49, Marc Deslauriers wrote:
> I want the person installing the server to actually make the choice
> to install ssh in order to realize that doing so may have
> consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> server from the network and configure ssh properly before hooking it
> back up..."

What does "configure ssh properly" usually entail? Are these some defaults we can change or offer as follow-on questions if people answer "Yes" to this dialog? (Yes, I fully realise that will very likely result in a net loss in usability on account of more questions asked, just trying to get something constructive out of this thread)

--
Soren Hansen
Ubuntu Developer http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/
Re: SSH and the Ubuntu Server
On 18-11-2010 17:00, Serge Hallyn wrote:
> Forgive me if the answer is obvious - but how is this any
> better then than simply expecting users to click 'ssh server'
> in the tasksel window which always comes up?

From Dustin's original e-mail:

 1) the current option to install SSH on Ubuntu servers is buried in the tasksel menu
   - SSH is more fundamental to a server than the higher level profile selections for: DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

--
Soren Hansen
Ubuntu Developer http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/
Re: SSH and the Ubuntu Server
On Nov 18, 2010, at 01:05 PM, C de-Avillez wrote:
>On the other hand, having SSH installed by default will help the
>majority of corporate users: we go (either physically, or via a
>serial console), install, and then happily use SSH to configure the
>rest of the system (and get out of the -- usually -- lights-out and
>cold environment, or off the bloody serial console).

FWIW, installing the ssh server (and editing the sshd_config file to remove password authentication) is almost always the first thing I do on any new Ubuntu install, be it server or desktop.

Cheers,
-Barry
Re: SSH and the Ubuntu Server
Sorry if anyone gets dupes of the message below. I sent from a phone, and it's sitting (I think) in moderator limbo.

On Nov 18, 2010, at 10:49 AM, Marc Deslauriers wrote:
> Hello,
>
>>>
>>> Please consider that the very definition of a "server" implies that
>>> the system is running a "service". Moreover, our official Ubuntu
>>> Server images as published for the Amazon EC2 cloud are, in fact,
>>> running SSH by default listening on port 22 on the unrestricted
>>> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
>>> Cloud installation by the very same ISO installs SSH on every
>>> UEC system deployed. This is not unprecedented.
>
> As far as I recall, EC2 opens the ssh port from your ip address only,
> and authenticates using certificates and not passwords.
>

The default EC2 security group firewalls the machine completely. The user takes explicit action to open port 22 (euca-authorize). The same is true for UEC.

> Actually, now that you mention it, we should probably disable SSH
> password authentication by default in the EC2 images...

Instances of the official images have exactly zero users that have a password set. Password auth is allowed, but useless until the user sets a password.

On boot, the public key specified at launch is pulled from the metadata service and inserted into the 'ubuntu' user's authorized keys. The corresponding private key is the only way in.
Re: SSH and the Ubuntu Server
Moins,

On Thu, 2010-11-18 at 12:24 -0500, Luke Faraone wrote:
> On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
> > On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson wrote:
> >> No, it's not. In Maverick it was arguably buried. In Natty, it is the
> >> very top entry on the tasksel menu, and the cursor rests on it when you
> >> reach that screen.
> > [snip]
> >
> > I would gladly revise this proposal to simply:
> > * Automatically 'tick' OpenSSH Server by default on the Server Tasksel
> > screen
> >
> > Which would also sit there and wait for the user to consciously affirm
> > their selection, and would avoid the countless server installations
> > where people forget to install SSH and must make their way back to a
> > console on their newly installed system and add the openssh-server
> > package.
>
> As many people have mentioned, this will cause a surprise for users who
> click through the install dialogs expecting things to not change since
> they last used it.

Sorry, but this is something which strikes me, really. When we don't change things over time, we will never have a better user experience. When we change something it needs to be documented in a public place where everyone interested can read it first hand.

>
> Also, since this occurs late in the install process, no dialogs to
> prompt the user to harden their password can be offered, as others have
> suggested.

Oh well, we can change that inside the installer as well. Not prompting for a user choice, but choosing a hardened password automatically and showing it to the user
mkpasswd --chars=20 --crypt-md5 or whatever should be enough. that's only a technical problem easily to solve.

> You say there are "countless" installations. I don't think anybody
> expects SSH to be automatically installed in a new server; it's a
> service that should be enabled carefully after consideration of your
> network environment and security needs. I feel that the potential for
> harm of accidental installation exceeds the increase in convenience from
> not having to explicitly select the task.

I think we have more installations of RHEL or SLES in the enterprise server market, and they do have sshd enabled by default.
Even when you install an VMWare ESX host, ssh is enabled by default, without the questionable root access.

Regards,

\sh

--
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de
Re: SSH and the Ubuntu Server
Hi Nicolas,

On Thu, 2010-11-18 at 09:24 +0100, Nicolas Barcet wrote:
> Hello Stephan,
>
> On 11/18/2010 08:20 AM, Stephan Hermann wrote:
> >
> > First of all, I think for Ubuntu Server the SSHD service should be
> > enabled by default, eventually having a question on what IP interface
> > the service should be listening and eventually giving a possibility to
> > push a ssh public key to the box (please not via Launchpad or other web
> > based services). SSHD is (for me) an essential server service.
> >
> > Having SSHD not enabled by default on Servers is a bit of a strange
> > behaviour, regarding other enterprised based Distros.
>
> I think everyone in Corporate Services agrees with your above statement
> that the default should be to include sshd. However, what we are facing
> here is a rather major change in default behavior and, as such,
> justifies that users be properly informed about it. Think about it this
> way: wouldn't you like to see a warning if at some point the desktop was
> not to install any graphical interface anymore?

Well, when I take the desktop install media, I would like to see a fully working desktop after the installation up and running. That's why I think someone installing from a server install media would like to see a fully running server installation afterwards which is accessible.

Now, we can discuss what a "fully running server installation" is?

I would say, that running Ubuntu server in a datacenter, is mostly behind a secured network, where e.g. SSHD is listening on a special ip interface, which is not accessible by everyone but only to a team of admins with Godmode enabled. And yes, most of the time you have remote insight boards etc. to access the machines.

On Amazon EC2 this is totally different. I don't actually know if you can somehow access the xen vm without remote access from the public (NATed) network of Amazon.

When we are thinking now to enable a service by default, which wasn't installed and enabled in the past, we need to inform the admin. Agreed. But what is the best way? We don't want to have the admin stay as long as it takes at the console. Most admins (at least those I know) do read documentations, and release notes are at least one of the documentations every admin should read (just think about the change of behaviour of the bonding interface setups from jaunty -> karmic -> lucid).

>
> > On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
> > server, and there it shouldn't be installed or when installed, it
> > shouldn't be enabled.
> >
> > A newly introduced service which opens a port could be documented in the
> > release notes and other prominent places.
>
> If, as Kees mentioned in another email, we are facing users that press
> next without looking, do you really think that the same users will take
> the time to read the release notes?

Really, this is difficult to answer. Regarding the user base of non-technicians, consuming-only desktop users (please, don't interpret it as all ubuntu users are non-technicians and consuming only), I don't think that those users are reading a lot of documentation. Seeing that from the Windows world, I think we can drop documentation completely.

Regarding the Admin people, they do read documentation and especially release notes, ChangeLogs etc. when they are in the field of Operating System Deployment (again, at least the admins I do know and I'm working/had worked with)

>
> I think I fully understand the security team's concerns here, but given
> that:
>
> a/ Based on what I have heard at UDS, we are considering adding a post
> boot install phase for additional package installation, it would seems
> reasonable to make it available across the network.
>
> b/ Even if I have made my initial install with a CD or a USB stick, I
> do not know much admins that want to stay in front of their servers more
> than the strict minimum time. Personally I generally hate myself when I
> have missed to check the sshd service on the tasksel screen, because it
> means that I'll have to wait in the noisy and cold server room an
> additional 5 mins (yes, despite our efforts to improve boot times,
> hardware manufacturer for servers still consider it a great idea to have
> various checks been done during boot, prior to the OS being loaded)

Actually I don't know any admin anymore who stands in front of a console in a cold datacenter, mostly we are using ILOs and other remote console access methods to get hands on the server (most of our servers don't even have CD drives anymore, totally useless nowadays).

That's why I already think that we are discussing a matter which isn't really one. What we are trying now is to deliver a better user experience, for people trying out our server media.

>
> c/ Similarly to b, when I am installing a virtual machine, the less
> time I spend in the server screen emulation the better, as this is
> generally much slower and often much clumsier (think keyb
Re: SSH and the Ubuntu Server
Hi,

On Thu, 2010-11-18 at 13:59 -0700, Alex Chiang wrote:
> * Dustin Kirkland :
> >
> > If you didn't get SSH installed the first time around, you're going to
> > have to mosey back down the datacenter to 'apt-get install
> > openssh-server' before you can do anything remotely with your server.
> [...]
> > But that assumes you can *get* to your server. I'm arguing that SSH
> > is generally needed to access your server and get to the point where
> > you can login and do useful things with it after installation (like a
> > running second stage installer).
>
> I would expect that a data center set up in this manner would
> also have remote serial consoles to all the machines there too,
> using conserver or conman or something similar.

HP ILOs (whatever dell or IBM are using) or RIBs (Peppercon, Intel, etc.) are most commonly used remote console access for out of band administration.

>
> At least that's how I'd set up *my* data center. ;)

Well, in a good datacenter you won't have to deal with CD media or ISO media setup...your deployment of your OS is already automated, and installs SSHd automatically ;) including a configuration which matches your needs.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de
Re: SSH and the Ubuntu Server
Clint Byrum wrote:
> On Thu, 2010-11-18 at 23:39 +, Colin Watson wrote:
>> On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
>>> So I see the 1st stage as just installing the minimal server, then we
>>> boot to a login prompt...user logs in and can either do his/her business
>>> as desired or launch the 2nd stage (which they are told about in a 1st
>>> boot motd-type message).
>>
>> The problem is that doing task selection in the second stage, for a CD
>> installer, requires keeping copies of a bunch of packages because it's
>> quite plausible that the user ejected the CD. The code necessary for
>> this was horrific, and I think the problems with it are fundamental.
>>
>> It's really much better to do the whole installation in one go, IMO.
>
> We weren't even considering using the CD during the 2nd stage. I happen
> to think that trying to use the CD after the installer is done, as
> anything other than a source for a local package mirror, is more trouble
> than it is worth.

I think the term "2-stage" installer is a bit misleading, since there is no "second stage of the installer" per se. The idea is just to bootstrap a minimal system and let something else (cloud-init / puppet / tasksel / whatever) turn that into a usable system.

So this is really about simplifying the one-stage installer and allow the resulting system to plug into configuration management frameworks easily. We are trading the convenience of setting up a LAMP server from the CD, against a simplification of the installer and a more consistent experience, compatible with real-world deployment use cases.

I think that's worth it and will participate in defining what "Ubuntu Server" is, be it a cloud image or a netbooted system or an ISO install.

-- 
Thierry Carrez
Ubuntu core developer
Re: SSH and the Ubuntu Server
On Thu, 2010-11-18 at 23:39 +, Colin Watson wrote:
> On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
> > So I see the 1st stage as just installing the minimal server, then we
> > boot to a login prompt...user logs in and can either do his/her business
> > as desired or launch the 2nd stage (which they are told about in a 1st
> > boot motd-type message).
>
> The problem is that doing task selection in the second stage, for a CD
> installer, requires keeping copies of a bunch of packages because it's
> quite plausible that the user ejected the CD. The code necessary for
> this was horrific, and I think the problems with it are fundamental.
>
> It's really much better to do the whole installation in one go, IMO.

We weren't even considering using the CD during the 2nd stage. I happen to think that trying to use the CD after the installer is done, as anything other than a source for a local package mirror, is more trouble than it is worth.

I sat here and tried to type out my reasons for still wanting a 2 stage installer, but I couldn't make sense of it. I think you're right. One install, with really well thought out defaults and not too many questions seems the simplest (but not too simple) solution.
Re: SSH and the Ubuntu Server
Excerpts from Colin Watson's message of Thu Nov 18 18:39:33 -0500 2010:
> On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
> > On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
> > > On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
> > > > What if the Server team maintained the 2nd stage? Then we'd be making
> > > > life easier for you, right? ;)
> > >
> > > Er. :-)
> > >
> > > (In seriousness, any good-quality second stage would require some level
> > > of cooperation from the first stage. We tried that and it was awful.)
> >
> > So I see the 1st stage as just installing the minimal server, then we
> > boot to a login prompt...user logs in and can either do his/her business
> > as desired or launch the 2nd stage (which they are told about in a 1st
> > boot motd-type message).
>
> The problem is that doing task selection in the second stage, for a CD
> installer, requires keeping copies of a bunch of packages because it's
> quite plausible that the user ejected the CD. The code necessary for
> this was horrific, and I think the problems with it are fundamental.
>

Good point. I'd suggest to keep on the -server iso only the packages that are required to create a minimal/lean install. The assumption is that upon reboot the system will have access to an archive via the network (which is different from having access to the Internet).

> It's really much better to do the whole installation in one go, IMO.

Agreed. And there is only one choice for the whole installation: a minimal/lean install (as the tasksel screen would be removed from the installer - or replaced with a message suggesting that system can be configured for certain roles (with a list of examples) once it has rebooted).

-- 
Mathias Gug
Ubuntu Developer
http://www.ubuntu.com
Re: SSH and the Ubuntu Server
* Dustin Kirkland :
>
> If you didn't get SSH installed the first time around, you're going to
> have to mosey back down the datacenter to 'apt-get install
> openssh-server' before you can do anything remotely with your server.
[...]
> But that assumes you can *get* to your server. I'm arguing that SSH
> is generally needed to access your server and get to the point where
> you can login and do useful things with it after installation (like a
> running second stage installer).

I would expect that a data center set up in this manner would also have remote serial consoles to all the machines there too, using conserver or conman or something similar.

At least that's how I'd set up *my* data center. ;)

In the event that it is a common setup, it reduces the strength of argument of "needing to go back to the machine room to apt-get install openssh-server".

But of course, that is speculation on my part. I have no data as to how common remote serial consoles actually are in data centers. If someone has a better feel for it than I, it would be useful data.

/ac
Re: SSH and the Ubuntu Server
On 11/18/2010 09:49 AM, Marc Deslauriers wrote:
>>> Q: What if the openssh-server package is compromised on the ISO?
>>> A: Although this has happened before, it is relatively rare over the
>>> history of Ubuntu. If/when this happens again, we would need to:
>>>    a) recommend that people choose "no" when prompted, and install
>>> SSH post-installation from the security archive (same as we would do
>>> now, actually)
>>>    b) and probably respin the ISOs (also been done before)
>
> This isn't the only reason to not have SSH by default. My point was not
> having SSH installed by default before the administrator can properly
> secure a server, including installing security updates, and configuring
> ssh to respond to a particular network interface with password
> authentication disabled.

I do not see this as a major issue: in corporate environments (where you will usually find multiple network interfaces) a system is installed in a protected area (either physically, or network-wise, or both). It is not just installing the basic system, but all the necessary configuration that needs to be done. Only after this post-install configuration a system will be set in the firewalls/routers.

On the other hand, having SSH installed by default will help the majority of corporate users: we go (either physically, or via a serial console), install, and then happily use SSH to configure the rest of the system (and get out of the -- usually -- lights-out and cold environment, or off the bloody serial console).

>>>
>>> Q: Why don't we disable password authentication?
>>> A: We could do this, and ask users to provide a public SSH key (or
>>> even just a simple Launchpad userid whose public key we could securely
>>> import). This would probably involve adding another page to the
>>> installer, public SSH keys are hard to memorize, while others will
>>> almost certainly object to even optionally tying their Launchpad ID to
>>> Ubuntu installations. Most importantly, Ubuntu does not set a root
>>> password, so an attacker would need to guess BOTH the username AND
>>> password.
>
> Password authentication should definitely be disabled when SSH servers
> are exposed to untrusted networks. But in a lot of cases though, SSH
> password authentication is acceptable, such as on my home network, or in
> a corporate environment where the SSH port is restricted behind a
> firewall.

I respectfully disagree. Password authentication should be disabled by default. Downgrading security -- in corporate environments -- usually requires a formal risk acceptance process. Also, in every audit I participated in, a system accepting SSH password authentication would be flagged as an audit finding, and documentation would be required to justify it.

It strikes me as inconsistent that we allow a known risk as default. It should be the other way: if I want to downgrade security, I have to explicitly choose to do so.

Of course, in this discussion, having only PK-authentication would require either the person installing to provide an out-of-band public key, or the installer to have this option.

> I don't think disabling SSH password authentication is something that
> can realistically be done by default for now.
>
>>> Q: What if I want a different sshd configuration than what's shipped
>>> by default in Ubuntu, before running sshd?
>>> A: You sound like an advanced user; please preseed your installation,
>>> or add SSH after the initial install (as you would do now).
>
> Securing your ssh installation is mentioned in every single security
> checklist I've seen. This isn't something only advanced users need to
> do. Making novice users install SSH without knowing the impact of doing
> so is not something we should be recommending.

Even more reason for us to provide a sensible -- and more secure -- default SSH configuration.

Cheers,

..C..
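[Added example, not part of the original thread or of any Ubuntu tooling.] The message above argues over two sshd settings: whether password authentication is on and which interface sshd listens on. The sketch below audits sshd_config text for both; the sample configs are constructed, the finding names are made up here, and the DEFAULTS table assumes unpatched upstream OpenSSH defaults.

```python
import ipaddress
import re

# Assumption: upstream OpenSSH defaults apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older configs use the deprecated name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(text):
    """Collect global-section settings; stop at the first Match block."""
    single, listen, has_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or by one '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        keyword = parts[0].lower()
        keyword = ALIASES.get(keyword, keyword)
        if keyword == "match":
            has_match = True  # conditional overrides are not evaluated here
            break
        if len(parts) < 2 or not parts[1].split():
            continue
        value = parts[1].split()[0].strip('"')
        if keyword == "listenaddress":
            listen.append(value)  # may legitimately appear several times
        else:
            # sshd uses the first value it reads for a keyword.
            single.setdefault(keyword, value.lower())
    return single, listen, has_match


def listen_host(value):
    """Strip the optional port from host, host:port or [host]:port."""
    if value.startswith("["):
        return value[1:].partition("]")[0]
    if value.count(":") == 1:
        return value.split(":")[0]
    return value  # bare IPv6 address or hostname


def is_wildcard(host):
    try:
        return ipaddress.ip_address(host).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False  # a hostname is treated as a specific address


def audit(text):
    """Return finding names for the settings discussed in the thread."""
    single, listen, has_match = parse_global(text)
    effective = {**DEFAULTS, **single}
    findings = []
    if effective["passwordauthentication"] != "no":
        findings.append("password-auth-enabled")
    # With PAM, keyboard-interactive commonly still prompts for a password.
    if effective["kbdinteractiveauthentication"] != "no":
        findings.append("kbd-interactive-enabled")
    if not listen or any(is_wildcard(listen_host(v)) for v in listen):
        findings.append("listens-on-all-addresses")
    if has_match:
        findings.append("match-blocks-not-evaluated")
    return findings


# Constructed samples: a permissive config and a restricted one.
WEAK = """
# constructed sample
Port 22
PasswordAuthentication yes
"""

HARDENED = """
# constructed sample
ListenAddress 10.0.0.5
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Running `sshd -T` prints the effective configuration in the same keyword/value form, so its output can be passed to `audit()` instead of the raw file.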
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 12:34:58PM -0600, Robbie Williamson wrote:
> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
> > On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
> > > What if the Server team maintained the 2nd stage? Then we'd be making
> > > life easier for you, right? ;)
> >
> > Er. :-)
> >
> > (In seriousness, any good-quality second stage would require some level
> > of cooperation from the first stage. We tried that and it was awful.)
>
> So I see the 1st stage as just installing the minimal server, then we
> boot to a login prompt...user logs in and can either do his/her business
> as desired or launch the 2nd stage (which they are told about in a 1st
> boot motd-type message).

The problem is that doing task selection in the second stage, for a CD installer, requires keeping copies of a bunch of packages because it's quite plausible that the user ejected the CD. The code necessary for this was horrific, and I think the problems with it are fundamental.

It's really much better to do the whole installation in one go, IMO.

-- 
Colin Watson [cjwat...@ubuntu.com]
Re: SSH and the Ubuntu Server
On 11/18/2010 03:08 PM, Mathias Gug wrote:
> Excerpts from Robbie Williamson's message of Thu Nov 18 13:34:58 -0500 2010:
>> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
>>> On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
>>>> On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
>>>>> On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
>>>>>> I think this screen is a good idea if in fact tasksel is moved to after
>>>>>> the first boot.
>>>>> We used to have a two-stage installer and it was a nightmare to maintain
>>>>> for several reasons. Since we moved to a single-stage installer several
>>>>> years back, we've burned all the necessary code with fire and enjoyed
>>>>> it. Please don't make me go back to that.
>>>> What if the Server team maintained the 2nd stage? Then we'd be making
>>>> life easier for you, right? ;)
>>> Er. :-)
>>>
>>> (In seriousness, any good-quality second stage would require some level
>>> of cooperation from the first stage. We tried that and it was awful.)
>> So I see the 1st stage as just installing the minimal server, then we
>> boot to a login prompt...user logs in and can either do his/her business
>> as desired or launch the 2nd stage (which they are told about in a 1st
>> boot motd-type message).
>>
> I'd add that the 2nd stage would just be tasksel.
>
> I don't know what the 2-stage installer was like back in the old days.
> The proposal discussed at UDS was:
>
> * to have the installer create a minimal-lean install (ie 1st
> stage - same thing as of today). It creates a basic working system
> which upon reboot can be configured for its final role (either by a
> sysadmin via a console or ssh login [1] or a configuration management
> system such as puppet, chef, cfengine, shell script, etc...).
>
> * Remove the tasksel step in the installer and add a note in the
> motd pointing to tasksel so that a sysadmin can finish the
> configuration of the system after reboot (as outlined in [1] above).
>
> This would provide a similar user experience to the one provided by
> the Ubuntu cloud images on EC2 and UEC. Once an instance is started
> the following text is displayed upon login into it via ssh:
>
> -
> At the moment, only the core of the system is installed. To tune the
> system to your needs, you can choose to install one or more
> predefined collections of software by running the following
> command:
>
> sudo tasksel --section server
> -
>
> A similar message would be displayed when a user logs into the
> newly-installed system (either via console or ssh).
>

Hi,

If that is what you were thinking of as a "second stage installer", then I think you might want something in between, functionality-wise, d-i and a yast type program. But simpler.

chuck
Re: SSH and the Ubuntu Server
Stefan Potyra wrote:
> Hi,
>
> On Thursday 18 November 2010 19:34:58 Robbie Williamson wrote:
>> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
>> > On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
>> > > On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
>> > > > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
>> > > > > I think this screen is a good idea if in fact tasksel is moved to
>> > > > > after the first boot.
>> > > >
>> > > > We used to have a two-stage installer and it was a nightmare to
>> > > > maintain for several reasons. Since we moved to a single-stage
>> > > > installer several years back, we've burned all the necessary code
>> > > > with fire and enjoyed it. Please don't make me go back to that.
>> > >
>> > > What if the Server team maintained the 2nd stage? Then we'd be making
>> > > life easier for you, right? ;)
>> >
>> > Er. :-)
>> >
>> > (In seriousness, any good-quality second stage would require some level
>> > of cooperation from the first stage. We tried that and it was awful.)
>>
>> So I see the 1st stage as just installing the minimal server, then we
>> boot to a login prompt...user logs in and can either do his/her business
>> as desired or launch the 2nd stage (which they are told about in a 1st
>> boot motd-type message).
>
> Would
>   command-to-start-second-stage-installer
> amount to a better usability compared to
>   apt-get install openssh-server
> with the original question in mind?

If you didn't get SSH installed the first time around, you're going to have to mosey back down the datacenter to 'apt-get install openssh-server' before you can do anything remotely with your server.

The aforementioned "command-to-start-second-stage-installer" could be displayed in the MOTD, like our cloud images. Something like "To finish customizing this server, you can run 'sudo tasksel' now" or whatever.

But that assumes you can *get* to your server. I'm arguing that SSH is generally needed to access your server and get to the point where you can login and do useful things with it after installation (like a running second stage installer).

:-Dustin
Re: SSH and the Ubuntu Server
Excerpts from Robbie Williamson's message of Thu Nov 18 13:34:58 -0500 2010:
> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
> > On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
> > > On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
> > > > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
> > > > > I think this screen is a good idea if in fact tasksel is moved to
> > > > > after
> > > > > the first boot.
> > > >
> > > > We used to have a two-stage installer and it was a nightmare to maintain
> > > > for several reasons. Since we moved to a single-stage installer several
> > > > years back, we've burned all the necessary code with fire and enjoyed
> > > > it. Please don't make me go back to that.
> > >
> > > What if the Server team maintained the 2nd stage? Then we'd be making
> > > life easier for you, right? ;)
> >
> > Er. :-)
> >
> > (In seriousness, any good-quality second stage would require some level
> > of cooperation from the first stage. We tried that and it was awful.)
>
> So I see the 1st stage as just installing the minimal server, then we
> boot to a login prompt...user logs in and can either do his/her business
> as desired or launch the 2nd stage (which they are told about in a 1st
> boot motd-type message).
>

I'd add that the 2nd stage would just be tasksel.

I don't know what the 2-stage installer was like back in the old days. The proposal discussed at UDS was:

* to have the installer create a minimal-lean install (ie 1st stage - same thing as of today). It creates a basic working system which upon reboot can be configured for its final role (either by a sysadmin via a console or ssh login [1] or a configuration management system such as puppet, chef, cfengine, shell script, etc...).

* Remove the tasksel step in the installer and add a note in the motd pointing to tasksel so that a sysadmin can finish the configuration of the system after reboot (as outlined in [1] above).

This would provide a similar user experience to the one provided by the Ubuntu cloud images on EC2 and UEC. Once an instance is started the following text is displayed upon login into it via ssh:

-
At the moment, only the core of the system is installed. To tune the
system to your needs, you can choose to install one or more
predefined collections of software by running the following
command:

sudo tasksel --section server
-

A similar message would be displayed when a user logs into the newly-installed system (either via console or ssh).

-- 
Mathias Gug
Ubuntu Developer
http://www.ubuntu.com
Re: SSH and the Ubuntu Server
On Thu, 2010-11-18 at 10:57 -0600, Dustin Kirkland wrote:
> On Thu, Nov 18, 2010 at 10:00 AM, Serge Hallyn
> wrote:
> > Quoting Clint Byrum (cl...@ubuntu.com):
> >> On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
> >>
> >> >
> >> > This proposal requests that:
> >> > 1) a new prompt be added to the Ubuntu Server installer
> >> > 2) this prompt be dedicated to the boolean installation, or
> >> > non-installation, of the SSH service, as an essential facet of a
> >> > typical server
> >>
> >> +1 for adding this prompt
> >>
> >> > 3) the cursor highlights the affirmative (yes, please install SSH),
> >> > but awaits the user's conscious decision
> >> >
> >>
> >> -1 for having it default to Yes.
> >
> > Forgive me if the answer is obvious - but how is this any
> > better then than simply expecting users to click 'ssh server'
> > in the tasksel window which always comes up?
>
> It's not any better, Serge. :-(
>

I think "better" or "worse" needs some kind of metric to be objective.

From a user perspective, they will measure the install complexity in the number of *decisions* they have to make during the installation.

Deciding not to change any boxes is an easy decision.

Deciding to tick/untick the first box is a pretty easy decision.

Deciding which of 10-15 boxes, is 10 - 15 decisions.

So, I think given Colin's revelation of OpenSSH being at the top of the list as of natty, ticked or not, it seems that it will result in a far less complex install experience for *most* users.
Re: SSH and the Ubuntu Server
Hi,

On Thursday 18 November 2010 19:34:58 Robbie Williamson wrote:
> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
> > On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
> > > On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
> > > > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
> > > > > I think this screen is a good idea if in fact tasksel is moved to
> > > > > after the first boot.
> > > >
> > > > We used to have a two-stage installer and it was a nightmare to
> > > > maintain for several reasons. Since we moved to a single-stage
> > > > installer several years back, we've burned all the necessary code
> > > > with fire and enjoyed it. Please don't make me go back to that.
> > >
> > > What if the Server team maintained the 2nd stage? Then we'd be making
> > > life easier for you, right? ;)
> >
> > Er. :-)
> >
> > (In seriousness, any good-quality second stage would require some level
> > of cooperation from the first stage. We tried that and it was awful.)
>
> So I see the 1st stage as just installing the minimal server, then we
> boot to a login prompt...user logs in and can either do his/her business
> as desired or launch the 2nd stage (which they are told about in a 1st
> boot motd-type message).

Would
  command-to-start-second-stage-installer
amount to a better usability compared to
  apt-get install openssh-server
with the original question in mind?

Cheers,
Stefan.
Re: SSH and the Ubuntu Server
On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
> On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
> > On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
> > > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
> > > > I think this screen is a good idea if in fact tasksel is moved to after
> > > > the first boot.
> > >
> > > We used to have a two-stage installer and it was a nightmare to maintain
> > > for several reasons. Since we moved to a single-stage installer several
> > > years back, we've burned all the necessary code with fire and enjoyed
> > > it. Please don't make me go back to that.
> >
> > What if the Server team maintained the 2nd stage? Then we'd be making
> > life easier for you, right? ;)
>
> Er. :-)
>
> (In seriousness, any good-quality second stage would require some level
> of cooperation from the first stage. We tried that and it was awful.)

So I see the 1st stage as just installing the minimal server, then we boot to a login prompt...user logs in and can either do his/her business as desired or launch the 2nd stage (which they are told about in a 1st boot motd-type message).

-Robbie

>
> --
> Colin Watson [cjwat...@ubuntu.com]
>

-- 
Robbie Williamson rob...@ubuntu.com
Ubuntu robbiew[irc.freenode.net]

"You can't be lucky all the time, but you can be smart everyday" -Mos Def

"Arrogance is thinking you are better than everyone else, while Confidence is knowing no one else is better than you." -Me ;)
Re: SSH and the Ubuntu Server
Dustin Kirkland [2010-11-18 10:57 -0600]:
> On Thu, Nov 18, 2010 at 10:00 AM, Serge Hallyn
> > Forgive me if the answer is obvious - but how is this any
> > better then than simply expecting users to click 'ssh server'
> > in the tasksel window which always comes up?
>
> It's not any better, Serge. :-(

My first knee-jerk reaction to your initial mail was the same as Serge's -- I think it would be absolutely straightforward to enable ssh server by default by enabling this task, and it remains a conscious decision by the user.

However, I'm a bit confused by your answer -- are you saying that the "ssh" task is enough to accomplish this, or that you don't consider that good enough?

Thanks,

Martin

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Re: SSH and the Ubuntu Server
On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
> On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson wrote:
>> No, it's not. In Maverick it was arguably buried. In Natty, it is the
>> very top entry on the tasksel menu, and the cursor rests on it when you
>> reach that screen.
> [snip]
>
> I would gladly revise this proposal to simply:
> * Automatically 'tick' OpenSSH Server by default on the Server Tasksel screen
>
> Which would also sit there and wait for the user to consciously affirm
> their selection, and would avoid the countless server installations
> where people forget to install SSH and must make their way back to a
> console on their newly installed system and add the openssh-server
> package.

As many people have mentioned, this will cause a surprise for users who click through the install dialogs expecting things to not change since they last used it. Also, since this occurs late in the install process, no dialogs to prompt the user to harden their password can be offered, as others have suggested.

You say there are "countless" installations. I don't think anybody expects SSH to be automatically installed in a new server; it's a service that should be enabled carefully after consideration of your network environment and security needs.

I feel that the potential for harm of accidental installation exceeds the increase in convenience from not having to explicitly select the task.

-- 
Luke Faraone
Debian / Ubuntu Developer; Sugar Labs, Systems Admin
http://luke.faraone.cc
PGP: 5189 2A7D 16D0 49BB 046B DC77 9732 5DD8 F9FD D506
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson wrote:
> (Please, in future, do not cross-post between the moderated ubuntu-devel
> and the unmoderated ubuntu-devel-discuss. Doing so produces time lags
> which confuse people.)

Dang. Sorry, Colin. Live and learn.

> On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
>> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
>> Technical Board approval of a new prompt in the Ubuntu Server ISO's
>> text-based installer, which would read something like the following:
>>
>> --
>> | If you need a secure connection to this
>> | server remotely, you may wish to install
>> | the openssh-server package. Note that
>> | this service will open TCP port 22 on
>> | your system, and you should use a very
>> | strong password.
>> |
>> | Do you want to install the SSH service?
>> |
>> | [[YES]] [no]
>> --
>>
>> Rest assured that the exact text will be word-smithed by an
>> appropriate committee to hash out an optimum verbiage.
>
> Without wishing to express any opinion either way: this is an
> excessively painful choice of implementation. If you want to default it
> to yes, it would be sufficient, and much easier (take it from me, I'm
> the one who gets to deal with the translation merge workload when you
> guys add questions ...) to check the "SSH server" entry in tasksel by
> default.
>
>> These key points map to the following considerations:
>> 1) the current option to install SSH on Ubuntu servers is buried in
>> the tasksel menu
>
> No, it's not. In Maverick it was arguably buried. In Natty, it is the
> very top entry on the tasksel menu, and the cursor rests on it when you
> reach that screen.

Right, that's a great change. Makes it more obvious.

I can concede your point that adding the proposed page to the installer would create work for you, which of course, is not my goal.

I would gladly revise this proposal to simply:
* Automatically 'tick' OpenSSH Server by default on the Server Tasksel screen

Which would also sit there and wait for the user to consciously affirm their selection, and would avoid the countless server installations where people forget to install SSH and must make their way back to a console on their newly installed system and add the openssh-server package.

:-Dustin
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 10:00 AM, Serge Hallyn wrote: > Quoting Clint Byrum (cl...@ubuntu.com): >> On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote: >> >> > >> > This proposal requests that: >> > 1) a new prompt be added to the Ubuntu Server installer >> > 2) this prompt be dedicated to the boolean installation, or >> > non-installation, of the SSH service, as an essential facet of a >> > typical server >> >> +1 for adding this prompt >> >> > 3) the cursor highlights the affirmative (yes, please install SSH), >> > but awaits the user's conscious decision >> > >> >> -1 for having it default to Yes. > > Forgive me if the answer is obvious - but how is this any > better then than simply expecting users to click 'ssh server' > in the tasksel window which always comes up? It's not any better, Serge. :-( :-Dustin
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote: > On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: > > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote: > > > I think this screen is a good idea if in fact tasksel is moved to after > > > the first boot. > > > > We used to have a two-stage installer and it was a nightmare to maintain > > for several reasons. Since we moved to a single-stage installer several > > years back, we've burned all the necessary code with fire and enjoyed > > it. Please don't make me go back to that. > > What if the Server team maintained the 2nd stage? Then we'd be making > life easier for you, right? ;) Er. :-) (In seriousness, any good-quality second stage would require some level of cooperation from the first stage. We tried that and it was awful.) -- Colin Watson [cjwat...@ubuntu.com]
Re: SSH and the Ubuntu Server
On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote: > On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote: > > I think this screen is a good idea if in fact tasksel is moved to after > > the first boot. > > We used to have a two-stage installer and it was a nightmare to maintain > for several reasons. Since we moved to a single-stage installer several > years back, we've burned all the necessary code with fire and enjoyed > it. Please don't make me go back to that. What if the Server team maintained the 2nd stage? Then we'd be making life easier for you, right? ;) -- Robbie Williamson rob...@ubuntu.com Ubuntu robbiew[irc.freenode.net] "You can't be lucky all the time, but you can be smart everyday" -Mos Def "Arrogance is thinking you are better than everyone else, while Confidence is knowing no one else is better than you." -Me ;)
Re: SSH and the Ubuntu Server
On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote: > This proposal requests that: > 1) a new prompt be added to the Ubuntu Server installer Having gone through the install of RHEL, SLES, CentOS, Debian, and Ubuntu this past week, I don't think adding this is a big deal. I our install will still be one of the shortest (in terms of user required actions). With that said, I think we should definitely re-assess the Server install experience, to determine if we are meeting the needs of both the expert and novice Ubuntu Server user. > 2) this prompt be dedicated to the boolean installation, or > non-installation, of the SSH service, as an essential facet of a > typical server No problems here to me. > 3) the cursor highlights the affirmative (yes, please install SSH), > but awaits the user's conscious decision No problems here either, however I can see the uneasiness with defaulting to "Yes", as the default install will now be vulnerable to attack. My question is this: What are our obligations in terms of "protecting" users from themselves? We don't enable the firewall by default and other distros do...we prompt installers to set up a non-root user account, while other distros let you log right in as root...we enable the networking adapters by default, while other distros don't. My point is that I don't think there is a right or wrong answer here...it's just opinion. As far as the "No Open Ports" policy, maybe it's time we re-evaluate it...maybe we make a distinction between Ubuntu Desktop and Ubuntu Server...I dunno. Anyway, that's my .02 on the topic. I suspect we'll have to go to the TB on the "Yes" or "No" portion anyway. -Robbie -- Robbie Williamson rob...@ubuntu.com Ubuntu robbiew[irc.freenode.net] "You can't be lucky all the time, but you can be smart everyday" -Mos Def "Arrogance is thinking you are better than everyone else, while Confidence is knowing no one else is better than you." 
-Me ;)
Re: SSH and the Ubuntu Server
Quoting Clint Byrum (cl...@ubuntu.com): > On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote: > > > > > This proposal requests that: > > 1) a new prompt be added to the Ubuntu Server installer > > 2) this prompt be dedicated to the boolean installation, or > > non-installation, of the SSH service, as an essential facet of a > > typical server > > +1 for adding this prompt > > > 3) the cursor highlights the affirmative (yes, please install SSH), > > but awaits the user's conscious decision > > > > -1 for having it default to Yes. Forgive me if the answer is obvious - but how is this any better then than simply expecting users to click 'ssh server' in the tasksel window which always comes up? -serge
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 10:51:29AM -0500, Scott Kitterman wrote: > I think this seriously undervalues the many benefits of your proposal. The > concern I have with defaulting a new question to yes the first time it > appears > is that if someone has a standard preseed they are using this will change > what > they get installed and they will never see the question (If I understand how > all this works correctly and that's not certain). You are in general correct. (There are some workarounds for that kind of thing, but they're nasty and not particularly robust.) > I would propose that the question should at least exist in an LTS release > with > a conservative default (no in this case) before defaulting to the less > conservative default. My thought would be to do all as you propose, except > leave it as default No for now and then consider switching to yes in 12.10. My counter-proposal would be to see how things work out with the openssh-server task at the top of tasksel's menu, as it now is in Natty. We haven't given that enough time (there hasn't even been a milestone containing it yet!) to see how it works out for server users. -- Colin Watson [cjwat...@ubuntu.com]
Re: SSH and the Ubuntu Server
On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote: > I think this screen is a good idea if in fact tasksel is moved to after > the first boot. We used to have a two-stage installer and it was a nightmare to maintain for several reasons. Since we moved to a single-stage installer several years back, we've burned all the necessary code with fire and enjoyed it. Please don't make me go back to that. -- Colin Watson [cjwat...@ubuntu.com]
Re: SSH and the Ubuntu Server
On Wednesday, November 17, 2010 04:38:53 pm Dustin Kirkland wrote: > Q: Why not default the cursor on that question to "No", instead of "Yes"? > A: That totally bypasses the value of this proposal, and is only > microscopically better than what we currently have ... Dustin, I think this seriously undervalues the many benefits of your proposal. The concern I have with defaulting a new question to yes the first time it appears is that if someone has a standard preseed they are using this will change what they get installed and they will never see the question (If I understand how all this works correctly and that's not certain). If we are going to change the no open ports by default policy (and I think your proposal would do that), I think we should not be in a great rush to do that. I would propose that the question should at least exist in an LTS release with a conservative default (no in this case) before defaulting to the less conservative default. My thought would be to do all as you propose, except leave it as default No for now and then consider switching to yes in 12.10. I know that's a longer timeline than you'd prefer, but I think it pays to be conservative in how we approach this. BTW, given the number of knocks I see on the door at port 22, this is very much not like the gorilla thing. Scott K
Re: SSH and the Ubuntu Server
Hello, On Thu, 2010-11-18 at 08:00 -0600, Dustin Kirkland wrote: > > -- > > | If you need a secure connection to this > > | server remotely, you may wish to install > > | the openssh-server package. Note that > > | this service will open TCP port 22 on > > | your system, and you should use a very > > | strong password. > > | > > | Do you want to install the SSH service? > > | > > |[[YES]][no] > > -- > > > > Rest assured that the exact text will be word-smithed by an > > appropriate committee to hash out an optimum verbiage. I think this screen is a good idea if in fact tasksel is moved to after the first boot. We would need to change the wording though as using ssh with password authentication is insecure and should not be something we recommend. A lot of users who come to #ubuntu-hardened trying to figure out why their server was compromised end up discovering that ssh password brute-forcing was the cause. > > > > This proposal requests that: > > 1) a new prompt be added to the Ubuntu Server installer > > 2) this prompt be dedicated to the boolean installation, or > > non-installation, of the SSH service, as an essential facet of a > > typical server > > 3) the cursor highlights the affirmative (yes, please install SSH), > > but awaits the user's conscious decision This is where I disagree. Dangerous actions should not be the default choice. I've seen numerous corporate environments where the default/generic account used during server installation was still enabled when the server went into production. I want the person installing the server to actually make the choice to install ssh in order to realize that doing so may have consequences. ie: "Oh wait, If I install ssh now, I should unplug the server from the network and configure ssh properly before hooking it back up..." Making the cursor default to "yes" means people who install the server and don't know the impact of answering yes will get something dangerous installed that they weren't counting on. 
> > > > These key points map to the following considerations: > > 1) the current option to install SSH on Ubuntu servers is buried in > > the tasksel menu > >- SSH is more fundamental to a server than the higher level > > profile selections for: > > DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc. > > 2) users of the installation ISO will have the option to not install > > SSH, as they so desire > >- it is quite well understood that some users may not want SSH > > installed on their server Corporate environments don't typically allow ssh access to servers from the main network for security and conformance reasons. Remote management cards and IP KVMs are often used from an isolated administrative network, or SSH is configured to listen only to a specific network interface. Contrary to what some people have suggested, pre-seeding isn't used in a lot of these cases. This is one of the reasons I like having SSH as a choice during install, and not simply installed by default. > > 3) highlighting the "YES" option on this page is absolutely essential > > to addressing this usability issue > >- and that selection is easily overridden by hitting , > > or by experienced admins in preseed configurations SSH can just as easily be enabled by hitting also. > > > > Please consider that the very definition of a "server" implies that > > the system is running a "service". Moreover, our official Ubuntu > > Server images as published for the Amazon EC2 cloud are, in fact, > > running SSH by default listening on port 22 on the unrestricted > > Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise > > Cloud installation by the very same ISO installs SSH on every > > UEC system deployed. This is not unprecedented. As far as I recall, EC2 opens the ssh port from your ip address only, and authenticates using certificates and not passwords. 
Actually, now that you mention it, we should probably disable SSH password authentication by default in the EC2 images... As for UEC, I don't think that's a "default installation" as the person installing is selecting to install a bunch of software that opens a bunch of ports, including SSH. > > > > Having discussed the proposal with a subset of this audience (at UDS > > and in IRC), here are some known FAQs: > > > > Q: WTF?!? Ubuntu has no open ports by default! > > A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs > > SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most > > importantly, this is not a "run by default" proposal. We have already > > compromised on that subject, culminating in this proposal, which is > > simply about providing Server users with an obvious way to install the > > typically essential SSH service. > > > > Q: Why not default the cursor on that question to "No", i
Re: SSH and the Ubuntu Server
On Thursday, November 18, 2010 04:21:42 am sam tygier wrote: > On 17/11/10 21:38, Dustin Kirkland wrote: > > This proposal requests that: > > 1) a new prompt be added to the Ubuntu Server installer > > 2) this prompt be dedicated to the boolean installation, or > > > > non-installation, of the SSH service, as an essential facet of a > > typical server > > > > 3) the cursor highlights the affirmative (yes, please install SSH), > > > > but awaits the user's conscious decision > > you could make the ssh server recommend denyhosts or fail2ban (both prevent > brute force attacks by blocking hosts that make too many failed login > attempts) No. This is a bad idea. There are too many different ways to solve this problem (and IMO these are not the most robust) to impose a default on the user. Scott K
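Added example (not part of the thread and not Ubuntu or OpenSSH tooling): a small Python audit for the two sshd settings Marc Deslauriers raises in the message above, password authentication and the address sshd listens on. The sample configs, function names and finding labels are constructed for illustration; the parsing follows the sshd_config rule that the first value obtained for a keyword wins.

```python
import re

# Constructed sample: a config that leaves everything at sshd's defaults.
SAMPLE_DEFAULT = """\
# Package defaults
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: hardened global section, weakened again by a Match block.
SAMPLE_HARDENED = """\
Port 22
ListenAddress 10.20.0.5
PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin no
Match Address 10.20.0.0/24
    PasswordAuthentication yes
"""

DEFAULTS = {"passwordauthentication": "yes"}   # sshd's built-in default
MULTI = {"listenaddress", "port"}              # keywords that accumulate
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse(text):
    """Return (global_settings, match_overrides) for an sshd_config text."""
    settings, overrides = {}, []
    condition = None                           # set once a Match block starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            condition = value
        elif condition is not None:
            overrides.append((condition, key, value))
        elif key in MULTI:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)    # first obtained value wins
    return settings, overrides


def listen_host(value):
    """Strip an optional port or rdomain suffix from a ListenAddress value."""
    addr = value.split()[0]
    if addr.startswith("["):                   # [addr]:port form
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                   # host:port; bare IPv6 has 2+
        return addr.split(":")[0]
    return addr


def audit(text):
    """Return a list of findings for the global section and Match blocks."""
    settings, overrides = parse(text)
    findings = []
    pw = settings.get("passwordauthentication", DEFAULTS["passwordauthentication"])
    if pw.lower() != "no":
        findings.append("password-auth-enabled")
    hosts = [listen_host(v) for v in settings.get("listenaddress", [])]
    if not hosts or any(h in WILDCARDS for h in hosts):
        findings.append("listens-on-all-interfaces")
    for condition, key, value in overrides:
        if key == "passwordauthentication" and value.lower() != "no":
            findings.append("password-auth-enabled-in-match:" + condition)
    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample))
```

Keyboard-interactive authentication through PAM can still prompt for a password, so a real audit would check that setting alongside `PasswordAuthentication`.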
Re: SSH and the Ubuntu Server
(Please, in future, do not cross-post between the moderated ubuntu-devel and the unmoderated ubuntu-devel-discuss. Doing so produces time lags which confuse people.) On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote: > I am asking for ubuntu-devel's consensus, and an eventual Ubuntu > Technical Board approval of a new prompt in the Ubuntu Server ISO's > text-based installer, which would read something like the following: > > -- > | If you need a secure connection to this > | server remotely, you may wish to install > | the openssh-server package. Note that > | this service will open TCP port 22 on > | your system, and you should use a very > | strong password. > | > | Do you want to install the SSH service? > | > |[[YES]][no] > -- > > Rest assured that the exact text will be word-smithed by an > appropriate committee to hash out an optimum verbiage. Without wishing to express any opinion either way: this is an excessively painful choice of implementation. If you want to default it to yes, it would be sufficient, and much easier (take it from me, I'm the one who gets to deal with the translation merge workload when you guys add questions ...) to check the "SSH server" entry in tasksel by default. > These key points map to the following considerations: > 1) the current option to install SSH on Ubuntu servers is buried in > the tasksel menu No, it's not. In Maverick it was arguably buried. In Natty, it is the very top entry on the tasksel menu, and the cursor rests on it when you reach that screen. > - and that selection is easily overridden by hitting , > or by experienced admins in preseed configurations We change preseeding too much, and it requires work from admins each time they bump to a new Ubuntu release. Many of those admins turn up on #ubuntu-installer and ask for help. The load is not insignificant. 
Cheers, -- Colin Watson [cjwat...@ubuntu.com]
Re: SSH and the Ubuntu Server
Hello Stephan, On 11/18/2010 08:20 AM, Stephan Hermann wrote: > On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote: >> Ubuntu has long maintained a "no open ports by default" policy. This >> conservative approach arguably yields a more secure default >> installation. Several exceptions have been granted to this policy, >> which install services on the target system without the user's >> explicit consent, but in the calculated interest and support of a >> vastly more usable Ubuntu. >> >> Let me be clear: I am NOT requesting that sort of an exception. >> >> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu >> Technical Board approval of a new prompt in the Ubuntu Server ISO's >> text-based installer, which would read something like the following: >> >> -- >> | If you need a secure connection to this >> | server remotely, you may wish to install >> | the openssh-server package. Note that >> | this service will open TCP port 22 on >> | your system, and you should use a very >> | strong password. >> | >> | Do you want to install the SSH service? >> | >> |[[YES]][no] >> -- >> >> Rest assured that the exact text will be word-smithed by an >> appropriate committee to hash out an optimum verbiage. > > If such a message would be displayed during alternative setup from CD, > it would give me a shock. > It's just like > > "If you need a UI for this Desktop you may wish to install GNOME. Note > that this choice will install hundreds of other packages which can or > can not harm/destroy/pollute your system, and you should reconsider your > choice. > > Do you want to install GNOME on your System? > > [[YES]] [no] > " > > First of all, I think for Ubuntu Server the SSHD service should be > enabled by default, eventually having a question on what IP interface > the service should be listening and eventually giving a possibility to > push a ssh public key to the box (please not via Launchpad or other web > based services). 
SSHD is (for me) an essential server service. > > Having SSHD not enabled by default on Servers is a bit of a strange > behaviour, regarding other enterprise-based Distros. I think everyone in Corporate Services agrees with your above statement that the default should be to include sshd. However, what we are facing here is a rather major change in default behavior and, as such, justifies that users be properly informed about it. Think about it this way: wouldn't you like to see a warning if at some point the desktop was not to install any graphical interface anymore? > On Ubuntu Desktop this is different. The Desktop doesn't need an sshd > server, and there it shouldn't be installed or when installed, it > shouldn't be enabled. > > A newly introduced service which opens a port could be documented in the > release notes and other prominent places. If, as Kees mentioned in another email, we are facing users that press next without looking, do you really think that the same users will take the time to read the release notes? I think I fully understand the security team's concerns here, but given that: a/ Based on what I have heard at UDS, we are considering adding a post boot install phase for additional package installation, it would seem reasonable to make it available across the network. b/ Even if I have made my initial install with a CD or a USB stick, I do not know many admins that want to stay in front of their servers more than the strict minimum time. 
Personally I generally hate myself when I have missed to check the sshd service on the tasksel screen, because it means that I'll have to wait in the noisy and cold server room an additional 5 mins (yes, despite our efforts to improve boot times, hardware manufacturers for servers still consider it a great idea to have various checks being done during boot, prior to the OS being loaded) c/ Similarly to b, when I am installing a virtual machine, the less time I spend in the server screen emulation the better, as this is generally much slower and often much clumsier (think keyboard mapping for example) than accessing the same server over SSH. d/ If the version of sshd that is provided on a CD becomes compromised, we have seen in the past that it does not matter much whether it is installed by default or not, since most people will have installed it. It did not prevent us from re-spinning ISOs and it won't prevent people from not applying security updates if they are not used to doing so. e/ The biggest risk seems to be for people that would deploy a server that has a direct connection to the Internet with a CD containing a version of sshd that is compromised. In this very case, we do however have the means to pull from security.ubuntu.com during the install, as the machine is connected to the net, right? Because of the above points, and given our history and our wish
Re: SSH and the Ubuntu Server
On 18 November 2010 08:38, Dustin Kirkland wrote: > This proposal requests that: > 1) a new prompt be added to the Ubuntu Server installer > 2) this prompt be dedicated to the boolean installation, or > non-installation, of the SSH service, as an essential facet of a > typical server > 3) the cursor highlights the affirmative (yes, please install SSH), > but awaits the user's conscious decision For what it's worth, I think at least 1&2 would be worthwhile; we don't want to ask about every possible question but adding an SSH server is extremely common. One observation: doing this at install time would present an easy opportunity to insist fairly firmly that the default user password is not easily guessable. Although this proposal has certain risks and costs, it may also reduce the number of machines that are broken into with a password of 'ubuntu' or similar. (Or perhaps we already do that, or should consider it regardless of ssh.) Perhaps the autogenerated motd could mention the listening service, though that would probably be the type of information that's quickly ignored.. -- Martin
Re: SSH and the Ubuntu Server
I inadvertently left ubuntu-server@ off of the original distribution. Sorry about that. CC'ing now. There are a few responses already in the thread: * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html Thanks, Dustin On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland wrote: > Ubuntu has long maintained a "no open ports by default" policy. This > conservative approach arguably yields a more secure default > installation. Several exceptions have been granted to this policy, > which install services on the target system without the user's > explicit consent, but in the calculated interest and support of a > vastly more usable Ubuntu. > > Let me be clear: I am NOT requesting that sort of an exception. > > I am asking for ubuntu-devel's consensus, and an eventual Ubuntu > Technical Board approval of a new prompt in the Ubuntu Server ISO's > text-based installer, which would read something like the following: > > -- > | If you need a secure connection to this > | server remotely, you may wish to install > | the openssh-server package. Note that > | this service will open TCP port 22 on > | your system, and you should use a very > | strong password. > | > | Do you want to install the SSH service? > | > | [[YES]] [no] > -- > > Rest assured that the exact text will be word-smithed by an > appropriate committee to hash out an optimum verbiage. 
> > This proposal requests that: > 1) a new prompt be added to the Ubuntu Server installer > 2) this prompt be dedicated to the boolean installation, or > non-installation, of the SSH service, as an essential facet of a > typical server > 3) the cursor highlights the affirmative (yes, please install SSH), > but awaits the user's conscious decision > > These key points map to the following considerations: > 1) the current option to install SSH on Ubuntu servers is buried in > the tasksel menu > - SSH is more fundamental to a server than the higher level > profile selections for: > DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc. > 2) users of the installation ISO will have the option to not install > SSH, as they so desire > - it is quite well understood that some users may not want SSH > installed on their server > 3) highlighting the "YES" option on this page is absolutely essential > to addressing this usability issue > - and that selection is easily overridden by hitting , > or by experienced admins in preseed configurations > > Please consider that the very definition of a "server" implies that > the system is running a "service". Moreover, our official Ubuntu > Server images as published for the Amazon EC2 cloud are, in fact, > running SSH by default listening on port 22 on the unrestricted > Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise > Cloud installation by the very same ISO installs SSH on every > UEC system deployed. This is not unprecedented. > > Having discussed the proposal with a subset of this audience (at UDS > and in IRC), here are some known FAQs: > > Q: WTF?!? Ubuntu has no open ports by default! > A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs > SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most > importantly, this is not a "run by default" proposal. 
We have already > compromised on that subject, culminating in this proposal, which is > simply about providing Server users with an obvious way to install the > typically essential SSH service. > > Q: Why not default the cursor on that question to "No", instead of "Yes"? > A: That totally bypasses the value of this proposal, and is only > microscopically better than what we currently have, where Ubuntu > Server users must go out of their way to add one of the most > fundamental packages to almost any server installation. The proposal, > as it stands, is already a compromise from the original suggestion at > UDS; which was, "if you're installing a server, you're expecting to > run a service, so let's just install SSH by default". That idea is > entirely out of scope now. We are proposing this installer question > as a reasonable compromise. > > Q: What if the openssh-server package is compromised on the ISO? > A: Although this has happened before, it is relatively rare over the > history of Ubuntu. If/when this happens again, we would need to: > a) recommend that people choose "no" when prompted, and install > SSH post-installation from the security archive (same as we would do > now, actually) > b) and probably respin the ISOs (also been done before) > > Q: Why don't we disable password authentication? > A: We could do this, and ask users to provide a public SSH key (or > even just a simple Launchpad userid whose public key we could securely > import). This would probably involve adding another page to the > installer, publi
Re: SSH and the Ubuntu Server
Clint Byrum wrote: > +1 for adding this prompt > -1 for having it default to Yes. I tend to agree with Clint. The prompt gives exposure to the choice, makes a statement that you should really consider this essential package, and sidesteps the issue of experienced people coming from other distros and expecting it by default (those people read the install screens). Defaulting to "no" avoids the security policy issue, protects unsuspecting users (those who don't read the install screens), and it's not the only question you have to consciously change to get a good install ("ready to wipe your disks ?" comes to mind). If you want to default to "yes", this ends up being a "Security policy" vs. "What a minimal Ubuntu Server should contain" discussion, which should be pushed to the Technical Board for decision. The current situation is not the result of "maintaining the way it's always been done 'round here" (like your Gorilla plug seems to imply), but the result of conscious security policy choices that made Ubuntu arguably the most secure Linux distribution (like Kees explained). Those can be changed, but that implies the Technical Board. That said, I don't feel very strongly either way :) -- Thierry Carrez Ubuntu core developer
Re: SSH and the Ubuntu Server
Hi Dustin, On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote: > Ubuntu has long maintained a "no open ports by default" policy. This > conservative approach arguably yields a more secure default > installation. Several exceptions have been granted to this policy, > which install services on the target system without the user's > explicit consent, but in the calculated interest and support of a > vastly more usable Ubuntu. > > Let me be clear: I am NOT requesting that sort of an exception. > > I am asking for ubuntu-devel's consensus, and an eventual Ubuntu > Technical Board approval of a new prompt in the Ubuntu Server ISO's > text-based installer, which would read something like the following: > > -- > | If you need a secure connection to this > | server remotely, you may wish to install > | the openssh-server package. Note that > | this service will open TCP port 22 on > | your system, and you should use a very > | strong password. > | > | Do you want to install the SSH service? > | > |[[YES]][no] > -- > > Rest assured that the exact text will be word-smithed by an > appropriate committee to hash out an optimum verbiage. If such a message would be displayed during alternative setup from CD, it would give me a shock. It's just like "If you need a UI for this Desktop you may wish to install GNOME. Note that this choice will install hundreds of other packages which can or can not harm/destroy/pollute your system, and you should reconsider your choice. Do you want to install GNOME on your System? [[YES]] [no] " First of all, I think for Ubuntu Server the SSHD service should be enabled by default, eventually having a question on what IP interface the service should be listening and eventually giving a possibility to push a ssh public key to the box (please not via Launchpad or other web based services). SSHD is (for me) an essential server service. 
Having SSHD not enabled by default on Servers is a bit of a strange behaviour, regarding other enterprise-based distros.

On Ubuntu Desktop this is different. The Desktop doesn't need an sshd server, and there it shouldn't be installed or, when installed, it shouldn't be enabled.

A newly introduced service which opens a port could be documented in the release notes and other prominent places.

Regards,

\sh

--
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de
Re: SSH and the Ubuntu Server
On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
>
> This proposal requests that:
> 1) a new prompt be added to the Ubuntu Server installer
> 2) this prompt be dedicated to the boolean installation, or
> non-installation, of the SSH service, as an essential facet of a
> typical server

+1 for adding this prompt

> 3) the cursor highlights the affirmative (yes, please install SSH),
> but awaits the user's conscious decision
>

-1 for having it default to Yes.

> These key points map to the following considerations:
> 1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
> - SSH is more fundamental to a server than the higher level
> profile selections for:
> DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed completely.

> 2) users of the installation ISO will have the option to not install
> SSH, as they so desire
> - it is quite well understood that some users may not want SSH
> installed on their server

I'd rather assume that those who do want SSH will be looking for the option to enable it, and those who do not, won't be accidentally exposed to any problems that it includes.

> 3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue

Side stepping the issue of "what is a default install", I would like to delve into the usage of the term 'usability' in the above sentence.

I think setting it to No by default in the first iteration of this prompt may be a little less controversial. If users are still complaining that "I always have to stop at that point and hit tab,enter to enable ssh" then I could see making a usability argument. However, it's also annoying that sudo times out and asks for the admin password after a while, one could even argue it is less usable, but it is *far* more secure as a default setting. Any more secure and it would be unbearable. Any less, and it wouldn't help users much.
> - and that selection is easily overridden by hitting ,
> or by experienced admins in preseed configurations
>

The same is true if it is No, and can be changed to Yes. This is precisely why I think this particular selection (default to yes, or default to no) isn't really a usability issue, but a secure default issue.

The usability issue arises when one says no. Then it's not totally clear after the install finishes how to enable SSH access so you can leave the server room/closet/etc and go back to your desk to admin the darn thing. However, I think it's fair to also add this to the "first boot" motd, something like "Looking for SSH? Install it with sudo aptitude install openssh-server".

> Please consider that the very definition of a "server" implies that
> the system is running a "service". Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every
> UEC system deployed. This is not unprecedented.
>

The default Amazon security group allows nothing from the internet:

"Firewall: Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny mode and the Amazon EC2 customer must explicitly open any ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block)."[1]

I recall being puzzled the first time I spawned an EC2 node and not being able to SSH to it, but soon finding it comforting that I could only SSH to my instances from the class C that my home connection sits on after adding that explicitly to the security group. I don't know how Euca/UEC security zones are set up by default.
Also consider that there are plenty of servers built to do data collection only, without ever being remotely managed. Yes, this is probably less than 1% of installed servers, but I think it's unfair to characterize these systems as "not servers" because they do not allow incoming connections or remote management. In the context of this discussion though, this actually suggests that for these few "weird" systems, stopping to switch to "No", would seem natural.

> Having discussed the proposal with a subset of this audience (at UDS
> and in IRC), here are some known FAQs:
>
> Q: WTF?!? Ubuntu has no open ports by default!
> A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs
> SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most
> importantly, this is not a "run by default" proposal. We have already
> compromised on that subject, culminating in this proposal, which is
> simply about providing Server users with an obvious way to install the
> typically essential SSH service.
>

I agree with Kees, that settling the choice on Yes is, in fact, a default. However, settlin
Re: SSH and the Ubuntu Server
Hi,

Firstly, I think it's great that our default experience and policy is questioned on a regular basis. However, on this particular issue I'm not passionate either way. For my usage, when it's not preseeded, I'm now conditioned into installing sshd via the tasksel provided within d-i. This proposal might make sense to improve discoverability.

On 17/11/10 22:43, Kees Cook wrote:
> On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
>> Ubuntu has long maintained a "no open ports by default" policy.
> https://wiki.ubuntu.com/SecurityTeam/Policies#No%20Open%20Ports
> "Default installations of Ubuntu must have no listening network services
> after initial install."
>
> One point of these policies is to provide users with a clear set of
> guarantees they can depend on when planning their use of Ubuntu.

It does make good sense to have this published policy, although it does seem that this policy should undergo a review to ensure we are providing the best default user experience, coupled with a good level of security. When our Linux ecosphere peers, such as the other server distros mentioned all seem to be installing this as default - we should probably ask ourselves if separating ourselves from the others on this aspect is really advantageous?

It doesn't seem that this suggestion is to make it the default, just increasing discoverability. This should mean that it is still in-line with the current policy.

>> Several exceptions have been granted to this policy,
> To clarify, it is actually a "class" of services that have a standing
> exception: those that are required to become a member of the network itself
> ("network infrastructure services"), so far: DHCP, IPv4LL, and mDNS.
>
>> Let me be clear: I am NOT requesting that sort of an exception.
> Then it will be the language of the first sentence that matters.
>
>> These key points map to the following considerations:
>> 1) the current option to install SSH on Ubuntu servers is buried in
>> the tasksel menu
>> - SSH is more fundamental to a server than the higher level
>> profile selections for:
>> DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
> Agreed, this makes perfect sense to me -- there is a large number of Ubuntu
> Server users that immediately install openssh-server after the install is
> finished.
>
>> 3) highlighting the "YES" option on this page is absolutely essential
>> to addressing this usability issue
>> - and that selection is easily overridden by hitting,
>> or by experienced admins in preseed configurations
> I suspect this will be the core of the argument, and how it relates to
> the definition of "default installation". I would argue that hitting
> enter on all questions without reading them would result in a "default
> installation". Taking this approach means highlighting "no" by default
> would be a policy-safe way to add this prompt.

I would need to check, but it seems familiar that you cannot overwrite a disk partition without manually moving from No -> Yes. This seems somewhat similar, but perhaps slightly different fields as one is considering data loss - and the ssh default highlight to "No" is regarding security.

However, I would suggest that as the vast majority of server users seem to require SSH - it is a 'de-facto default'... which perhaps highlights why many Hardy CDs became coasters purely because the CD had a vulnerable sshd bundled on their pool even though following a normal upgrade from the public archives would have resolved this issue. The Hardy situation seemed to me that we reacted in a similar way, that we would have - if it was installed by default.

>> Please consider that the very definition of a "server" implies that
>> the system is running a "service".
> Well, I think this point is less clear-cut. There are people genuinely
> interested in not running SSH.
> But, if it goes this way, then the argument
> is centered around "installations of Ubuntu" for the definition of
> "Ubuntu". Does that mean only "Desktop"? I would argue that it has meant
> Desktop and Server, since security policy and features apply to both
> equally.

It seems to me, that as the Server edition is raising popularity; there clearly needs to be overlap policy - however, how often is Server considered in the general platform discussions? It seems clear to me that Desktop and Server are two very different models, and should perhaps be considered slightly separately.

> It was argued to me that "Ubuntu Enterprise Cloud" and "Ubuntu EC2 AMIs"
> are not "default installations of Ubuntu", again centering around what
> "Ubuntu" in the policy means. If this holds, then the language around
> the policy should be clarified to handle these existing situations at the
> same time as solving the "Server with SSH" situation.
>
> -Kees

This is something that clearly needs to be documented, as whilst the rationale makes sense; I certainly didn't know that from a policy perspec
Re: SSH and the Ubuntu Server
On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
> Ubuntu has long maintained a "no open ports by default" policy.

https://wiki.ubuntu.com/SecurityTeam/Policies#No%20Open%20Ports
"Default installations of Ubuntu must have no listening network services after initial install."

One point of these policies is to provide users with a clear set of guarantees they can depend on when planning their use of Ubuntu.

> Several exceptions have been granted to this policy,

To clarify, it is actually a "class" of services that have a standing exception: those that are required to become a member of the network itself ("network infrastructure services"), so far: DHCP, IPv4LL, and mDNS.

> Let me be clear: I am NOT requesting that sort of an exception.

Then it will be the language of the first sentence that matters.

> These key points map to the following considerations:
> 1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
> - SSH is more fundamental to a server than the higher level
> profile selections for:
> DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed, this makes perfect sense to me -- there is a large number of Ubuntu Server users that immediately install openssh-server after the install is finished.

> 3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue
> - and that selection is easily overridden by hitting ,
> or by experienced admins in preseed configurations

I suspect this will be the core of the argument, and how it relates to the definition of "default installation". I would argue that hitting enter on all questions without reading them would result in a "default installation". Taking this approach means highlighting "no" by default would be a policy-safe way to add this prompt.

> Please consider that the very definition of a "server" implies that
> the system is running a "service".

Well, I think this point is less clear-cut.
There are people genuinely interested in not running SSH. But, if it goes this way, then the argument is centered around "installations of Ubuntu" for the definition of "Ubuntu". Does that mean only "Desktop"? I would argue that it has meant Desktop and Server, since security policy and features apply to both equally.

> Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every
> UEC system deployed. This is not unprecedented.

It was argued to me that "Ubuntu Enterprise Cloud" and "Ubuntu EC2 AMIs" are not "default installations of Ubuntu", again centering around what "Ubuntu" in the policy means. If this holds, then the language around the policy should be clarified to handle these existing situations at the same time as solving the "Server with SSH" situation.

-Kees

--
Kees Cook
Ubuntu Security Team
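The message above quotes the policy "Default installations of Ubuntu must have no listening network services after initial install", with a standing exception for network infrastructure services. The following is an added example (not from the thread and not Ubuntu's own tooling) of checking `ss -tuln` output against that rule. The sample output is constructed, and both the mapping of the exception class to UDP ports 68 and 5353 and the treatment of loopback-only listeners as not exposed are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of `ss -tuln` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      80     *:3306             *:*
"""

# Assumption: the "network infrastructure services" exception class maps to
# the DHCP client and mDNS sockets. IPv4LL is negotiated over ARP and is
# assumed to hold no listening TCP/UDP socket.
INFRASTRUCTURE_EXCEPTIONS = {("udp", 68): "DHCP client", ("udp", 5353): "mDNS"}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_listeners(ss_output):
    """Return a Listener for every tcp/udp row of numeric `ss -tuln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        host, _, port = fields[4].rpartition(":")
        # Drop a %interface scope first, then IPv6 brackets.
        host = host.split("%", 1)[0].strip("[]")
        listeners.append(Listener(fields[0], host, int(port)))
    return listeners


def is_loopback(address):
    """A wildcard bind ('*', 0.0.0.0, ::) is reachable from the network."""
    if address == "*":
        return False
    return ipaddress.ip_address(address).is_loopback


def audit(ss_output):
    """Split network-reachable listeners into (violations, excepted)."""
    violations, excepted = [], []
    for listener in parse_listeners(ss_output):
        if is_loopback(listener.address):
            continue  # assumption: loopback-only sockets are not exposed
        if (listener.proto, listener.port) in INFRASTRUCTURE_EXCEPTIONS:
            excepted.append(listener)
        else:
            violations.append(listener)
    return violations, excepted


if __name__ == "__main__":
    found, allowed = audit(SAMPLE_SS_OUTPUT)
    for item in allowed:
        print("excepted ", item, INFRASTRUCTURE_EXCEPTIONS[(item.proto, item.port)])
    for item in found:
        print("VIOLATION", item)
```

On the constructed sample, the SSH listeners on port 22 and the wildcard listener on 3306 are reported, while the DHCP and mDNS sockets fall under the exception class.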
SSH and the Ubuntu Server
Ubuntu has long maintained a "no open ports by default" policy. This conservative approach arguably yields a more secure default installation. Several exceptions have been granted to this policy, which install services on the target system without the user's explicit consent, but in the calculated interest and support of a vastly more usable Ubuntu.

Let me be clear: I am NOT requesting that sort of an exception.

I am asking for ubuntu-devel's consensus, and an eventual Ubuntu Technical Board approval of a new prompt in the Ubuntu Server ISO's text-based installer, which would read something like the following:

--
| If you need a secure connection to this
| server remotely, you may wish to install
| the openssh-server package. Note that
| this service will open TCP port 22 on
| your system, and you should use a very
| strong password.
|
| Do you want to install the SSH service?
|
|[[YES]][no]
--

Rest assured that the exact text will be word-smithed by an appropriate committee to hash out an optimum verbiage.

This proposal requests that:
1) a new prompt be added to the Ubuntu Server installer
2) this prompt be dedicated to the boolean installation, or non-installation, of the SSH service, as an essential facet of a typical server
3) the cursor highlights the affirmative (yes, please install SSH), but awaits the user's conscious decision

These key points map to the following considerations:
1) the current option to install SSH on Ubuntu servers is buried in the tasksel menu
   - SSH is more fundamental to a server than the higher level profile selections for: DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
2) users of the installation ISO will have the option to not install SSH, as they so desire
   - it is quite well understood that some users may not want SSH installed on their server
3) highlighting the "YES" option on this page is absolutely essential to addressing this usability issue
   - and that selection is easily overridden by hitting , or by experienced admins in preseed configurations

Please consider that the very definition of a "server" implies that the system is running a "service". Moreover, our official Ubuntu Server images as published for the Amazon EC2 cloud are, in fact, running SSH by default listening on port 22 on the unrestricted Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise Cloud installation by the very same ISO installs SSH on every UEC system deployed. This is not unprecedented.

Having discussed the proposal with a subset of this audience (at UDS and in IRC), here are some known FAQs:

Q: WTF?!? Ubuntu has no open ports by default!
A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most importantly, this is not a "run by default" proposal. We have already compromised on that subject, culminating in this proposal, which is simply about providing Server users with an obvious way to install the typically essential SSH service.

Q: Why not default the cursor on that question to "No", instead of "Yes"?
A: That totally bypasses the value of this proposal, and is only microscopically better than what we currently have, where Ubuntu Server users must go out of their way to add one of the most fundamental packages to almost any server installation. The proposal, as it stands, is already a compromise from the original suggestion at UDS; which was, "if you're installing a server, you're expecting to run a service, so let's just install SSH by default". That idea is entirely out of scope now.
We are proposing this installer question as a reasonable compromise.

Q: What if the openssh-server package is compromised on the ISO?
A: Although this has happened before, it is relatively rare over the history of Ubuntu. If/when this happens again, we would need to:
   a) recommend that people choose "no" when prompted, and install SSH post-installation from the security archive (same as we would do now, actually)
   b) and probably respin the ISOs (also been done before)

Q: Why don't we disable password authentication?
A: We could do this, and ask users to provide a public SSH key (or even just a simple Launchpad userid whose public key we could securely import). This would probably involve adding another page to the installer, public SSH keys are hard to memorize, while others will almost certainly object to even optionally tying their Launchpad ID to Ubuntu installations. Most importantly, Ubuntu does not set a root password, so an attacker would need to guess BOTH the username AND password.

Q: What if I want a different sshd configuration than what's shipped by default in Ubuntu, before running sshd?
A: You sound like an advanced user; please preseed your installation, or add SSH after the i