Good Morning Dustin,

On Fri, 2010-11-19 at 16:50 -0600, Dustin Kirkland wrote:
> Stephan Hermann <s...@sourcecode.de> wrote:
> > Hi Scott,
> >
> > On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> >> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> >> > Confirmed this on RHEL6 yesterday. I installed RHEL6 in multiple
> >> > different modes (minimal, default, developer workstation), all of
> >> > which a) were running sshd, b) had a root user with a password.
> >>
> >> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
> >> surface for a default RHEL6 install is rather more limited.
> >
> > To be honest, there is no difference in installing RHEL6 with a static
> > ip address or Ubuntu Server with DHCP enabled.
> >
> > I think we need to find out first, what user base we want to point at.
> >
> > The SysAdmin of a Company with Enterprise Classed Datacenter
> > or the guy/gal from around the corner who is testing ubuntu server?
> >
> > The SysAdmin will have network security in place (if not..oh well), and
> > mostly is he/she not using public IP addresses, and/or they setup their
> > DHCPd to match the MACs of the NICs inside their servers.
> >
> > I am now wondering if we really should change something. As long as I'm
> > thinking about the topic, I'm coming to my conclusion, that we just
> > should tick sshd by default during tasksel in the installer, and that's
> > it. For most of the admins out there, it really doesn't matter, because
> > they have other ways to deploy ubuntu server on their servers.
>
> I agree, Stephan.
>
> The installer complexity can be avoided by just ticking the "OpenSSH
> Server" in the top of the tasksel page as you suggest; document that
> change thoroughly and publish it far and wide; note the stronger
> sshd.conf configurations from Marc and the security team in the SSH
> help page.

Yes. We can harden sshd a bit more and document the changes in d-i
tasksel via ReleaseNotes and some public announcement on blogs/p.u.c.

>
> Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.
>
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance. Thanks everyone for the lively discussion.

This is something we need to do anyhow. TB has the final say.

Regards,

\sh

--
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de