SSH and the Ubuntu Server

2010-11-17 Thread Dustin Kirkland
Ubuntu has long maintained a no open ports by default policy.  This
conservative approach arguably yields a more secure default
installation.  Several exceptions have been granted to this policy,
which install services on the target system without the user's
explicit consent, but in the calculated interest and support of a
vastly more usable Ubuntu.

Let me be clear: I am NOT requesting that sort of an exception.

I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
Technical Board approval of a new prompt in the Ubuntu Server ISO's
text-based installer, which would read something like the following:

 --
|  If you need a secure connection to this
|  server remotely, you may wish to install
|  the openssh-server package.  Note that
|  this service will open TCP port 22 on
|  your system, and you should use a very
|  strong password.
|
|  Do you want to install the SSH service?
|
|[[YES]][no]
 --

Rest assured that the exact text will be word-smithed by an
appropriate committee to hash out an optimum verbiage.

This proposal requests that:
 1) a new prompt be added to the Ubuntu Server installer
 2) this prompt be dedicated to the boolean installation, or
non-installation, of the SSH service, as an essential facet of a
typical server
 3) the cursor highlights the affirmative (yes, please install SSH),
but awaits the user's conscious decision

These key points map to the following considerations:
 1) the current option to install SSH on Ubuntu servers is buried in
the tasksel menu
- SSH is more fundamental to a server than the higher level
profile selections for:
  DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
 2) users of the installation ISO will have the option to not install
SSH, as they so desire
- it is quite well understood that some users may not want SSH
installed on their server
 3) highlighting the YES option on this page is absolutely essential
to addressing this usability issue
- and that selection is easily overridden by hitting tab, enter,
or by experienced admins in preseed configurations

Please consider that the very definition of a server implies that
the system is running a service.  Moreover, our official Ubuntu
Server images as published for the Amazon EC2 cloud are, in fact,
running SSH by default listening on port 22 on the unrestricted
Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
Cloud installation by the very same ISO installs SSH on every
UEC system deployed.  This is not unprecedented.

Having discussed the proposal with a subset of this audience (at UDS
and in IRC), here are some known FAQs:

 Q: WTF?!?  Ubuntu has no open ports by default!
 A: That depends on which Ubuntu you mean.  Ubuntu-in-the-cloud runs
SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
importantly, this is not a run by default proposal.  We have already
compromised on that subject, culminating in this proposal, which is
simply about providing Server users with an obvious way to install the
typically essential SSH service.

 Q: Why not default the cursor on that question to No, instead of Yes?
 A: That totally bypasses the value of this proposal, and is only
microscopically better than what we currently have, where Ubuntu
Server users must go out of their way to add one of the most
fundamental packages to almost any server installation.  The proposal,
as it stands, is already a compromise from the original suggestion at
UDS; which was, if you're installing a server, you're expecting to
run a service, so let's just install SSH by default.  That idea is
entirely out of scope now.  We are proposing this installer question
as a reasonable compromise.

 Q: What if the openssh-server package is compromised on the ISO?
 A: Although this has happened before, it is relatively rare over the
history of Ubuntu.  If/when this happens again, we would need to:
a) recommend that people choose no when prompted, and install
SSH post-installation from the security archive (same as we would do
now, actually)
b) and probably respin the ISOs (also been done before)

 Q: Why don't we disable password authentication?
 A: We could do this, and ask users to provide a public SSH key (or
even just a simple Launchpad userid whose public key we could securely
import).  This would probably involve adding another page to the
installer, public SSH keys are hard to memorize, while others will
almost certainly object to even optionally tying their Launchpad ID to
Ubuntu installations.  Most importantly, Ubuntu does not set a root
password, so an attacker would need to guess BOTH the username AND
password.

 Q: What if I want a different sshd configuration than what's shipped
by default in Ubuntu, before running sshd?
 A: You sound like an advanced user; please preseed your installation,
or add SSH after the initial 
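The "disable password authentication" and "different sshd configuration" questions above both come down to what sshd_config actually applies. As an added example (not from this thread or from Ubuntu's installer), here is a small checker that resolves the effective global value of a keyword the way sshd does (case-insensitive keywords, first occurrence wins, full-line comments ignored, everything after the first Match line treated as conditional) and flags whether password logins are on; the two config fragments are constructed samples.

```python
import re

# Constructed sample: commented-out keys, so OpenSSH built-in defaults apply.
DEFAULT_STYLE = """\
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: hardened file with a later duplicate that sshd ignores
# (first occurrence wins) and a Match block that only affects one user.
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def effective_setting(config_text, keyword, default):
    """Return the value sshd applies globally for `keyword`, or `default`.

    Rules modelled: keywords are case-insensitive, the FIRST occurrence wins,
    lines starting with '#' are comments, and lines after the first 'Match'
    only apply to matching connections, so they are not global.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def password_logins_allowed(config_text):
    # OpenSSH's built-in default for PasswordAuthentication is "yes".
    return effective_setting(config_text, "PasswordAuthentication", "yes") == "yes"

def audit(config_text):
    """List findings a defender would want before exposing port 22."""
    findings = []
    if password_logins_allowed(config_text):
        findings.append("PasswordAuthentication is on: account password guessing is possible")
    if effective_setting(config_text, "PermitRootLogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root password logins allowed")
    return findings
```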

Fwd: Re: FOSDEM - Distribution Miniconf

2010-11-17 Thread Manuel de la Pena
 Original Message 
Subject:Re: FOSDEM - Distribution Miniconf
Date:   Wed, 17 Nov 2010 23:19:54 +0100
From:   Manuel de la Pena manuel.delap...@canonical.com
To: Laura Czajkowski la...@lczajkowski.com
On 15/11/2010 21:34, Laura Czajkowski wrote:

 Aloha,

 I was wondering if Ubuntu plans to have a presence at FOSDEM this year.
 It is one of the largest open source events in Europe and in the past we
 haven't really taken part in this event apart from having a community
 presence at it and running a stall at it.  There have been some
 individuals at it, however I think we should be there in a greater sense
 like many other distributions.

 This year, following on from last year's success, FOSDEM is running a
 Distribution Miniconf and I think we should, if possible, try and have a
 few talks/sessions over the two day event.
 http://fosdem.org/2011/distrominiconf

 The reason for this is that over the last two years I've noticed many
 people commenting on our lack of attendance at this event; given its
 history (now in its 11th year), its size (6000-6500 participants) and over 300
 talks, we really should be there.


 Laura


+1 to that. The Ubuntu Belgian Loco Team is great and I'm sure they
would give a hand. I'd try to be there this year.

Kr,

Manuel

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: SSH and the Ubuntu Server

2010-11-17 Thread Clint Byrum
On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:

 
 This proposal requests that:
  1) a new prompt be added to the Ubuntu Server installer
  2) this prompt be dedicated to the boolean installation, or
 non-installation, of the SSH service, as an essential facet of a
 typical server

+1 for adding this prompt

  3) the cursor highlights the affirmative (yes, please install SSH),
 but awaits the user's conscious decision
 

-1 for having it default to Yes.

 These key points map to the following considerations:
  1) the current option to install SSH on Ubuntu servers is buried in
 the tasksel menu
 - SSH is more fundamental to a server than the higher level
 profile selections for:
   DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.

Agreed completely.

  2) users of the installation ISO will have the option to not install
 SSH, as they so desire
 - it is quite well understood that some users may not want SSH
 installed on their server

I'd rather assume that those who do want SSH will be looking for the
option to enable it, and those who do not, won't be accidentally exposed
to any problems that it includes.

  3) highlighting the YES option on this page is absolutely essential
 to addressing this usability issue

Side stepping the issue of what is a default install, I would like to
delve into the usage of the term 'usability' in the above sentence.

I think setting it to No by default in the first iteration of this
prompt may be a little less controversial. If users are still
complaining that I always have to stop at that point and hit tab, enter
to enable ssh then I could see making a usability argument. However,
it's also annoying that sudo times out and asks for the admin password
after a while; one could even argue it is less usable, but it is *far*
more secure as a default setting. Any more secure and it would be
unbearable. Any less, and it wouldn't help users much.

 - and that selection is easily overridden by hitting tab, enter,
 or by experienced admins in preseed configurations
 

The same is true if it is No, and can be changed to Yes. This is
precisely why I think this particular selection (default to yes, or
default to no) isn't really a usability issue, but a secure default
issue.

The usability issue arises when one says no. Then it's not totally clear
after the install finishes how to enable SSH access so you can leave the
server room/closet/etc and go back to your desk to admin the darn thing.
However, I think it's fair to also add this to the first boot motd,
something like "Looking for SSH? Install it with sudo aptitude install
openssh-server."

 Please consider that the very definition of a server implies that
 the system is running a service.  Moreover, our official Ubuntu
 Server images as published for the Amazon EC2 cloud are, in fact,
 running SSH by default listening on port 22 on the unrestricted
 Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
 Cloud installation by the very same ISO installs SSH on every
 UEC system deployed.  This is not unprecedented.
 

The default Amazon security group allows nothing from the internet:

Firewall: Amazon EC2 provides a complete firewall solution; this
mandatory inbound firewall is configured in a default deny mode and the
Amazon EC2 customer must explicitly open any ports to allow inbound
traffic. The traffic may be restricted by protocol, by service port, as
well as by source IP address (individual IP or CIDR block).[1]

I recall being puzzled the first time I spawned an EC2 node and not
being able to SSH to it, but soon finding it comforting that I could
only SSH to my instances from the class C that my home connection sits
on after adding that explicitly to the security group.

I don't know how Euca/UEC security zones are setup by default.

Also consider that there are plenty of servers built to do data
collection only, without ever being remotely managed. Yes, this is
probably less than 1% of installed servers, but I think it's unfair to
characterize these systems as not servers because they do not allow
incoming connections or remote management.

In the context of this discussion though, this actually suggests that
for these few weird systems, stopping to switch to No, would seem
natural.

 Having discussed the proposal with a subset of this audience (at UDS
 and in IRC), here are some known FAQs:
 
  Q: WTF?!?  Ubuntu has no open ports by default!
  A: That depends on which Ubuntu you mean.  Ubuntu-in-the-cloud runs
 SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
 importantly, this is not a run by default proposal.  We have already
 compromised on that subject, culminating in this proposal, which is
 simply about providing Server users with an obvious way to install the
 typically essential SSH service.
 

I agree with Kees, that settling the choice on Yes is, in fact, a
default. However, settling it on No is a fantastic idea and doesn't in
any way incite