Re: SSH and the Ubuntu Server

2010-12-02 Thread Dustin Kirkland
On Fri, Nov 19, 2010 at 4:50 PM, Dustin Kirkland  wrote:
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance.  Thanks everyone for the lively discussion.

Thank you for the discussions at UDS, in IRC, and in this thread.

Colin's changes to the server tasksel (moving SSH to the top of the
list, albeit "unchecked") are a reasonable step towards improving the
usability of the server installer.

Let's just roll with this for now and evaluate its effectiveness next cycle.

Thanks again! :-)
:-Dustin

Dustin Kirkland
Ubuntu Core Developer

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam


Re: SSH and the Ubuntu Server

2010-11-22 Thread Stephan Hermann
Good Morning Dustin,

On Fri, 2010-11-19 at 16:50 -0600, Dustin Kirkland wrote:
> Stephan Hermann  wrote:
> > Hi Scott,
> >
> > On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> >> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> >> > Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
> >> > different modes (minimal, default, developer workstation), all of
> >> > which a) were running sshd, b) had a root user with a password.
> >>
> >> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
> >> surface for a default RHEL6 install is rather more limited.
> >
> > To be honest, there is no difference in installing RHEL6 with a static
> > ip address or Ubuntu Server with DHCP enabled.
> >
> > I think we need to find out first, what user base we want to point at.
> >
> > The SysAdmin of a Company with Enterprise Classed Datacenter
> > or the guy/gal from around the corner who is testing ubuntu server?
> >
> > The SysAdmin will have network security in place (if not..oh well), and
> > mostly is he/she not using public IP addresses, and/or they setup their
> > DHCPd to match the MACs of the NICs inside their servers.
> >
> > I am now wondering if we really should change something. As long as I'm
> > thinking about the topic, I'm coming to my conclusion, that we just
> > should tick sshd by default during tasksel in the installer, and that's
> > it. For most of the admins out there, it really doesn't matter, because
> > they have other ways to deploy ubuntu server on their servers.
> 
> I agree, Stephan.
> 
> The installer complexity can be avoided by just ticking the "OpenSSH
> Server" in the top of the tasksel page as you suggest;  document that
> change thoroughly and publish it far and wide; note the stronger
> sshd.conf configurations from Marc and the security team in the SSH
> help page.

Yes. We can harden sshd a bit more and document the changes in d-i
tasksel via ReleaseNotes and some public announcement on blogs/p.u.c.

> 
> Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.
> 
> I'm going to redraft the proposal, note that there was no general
> consensus on the matter in the ubuntu-devel@ mailing list, and ask the
> Tech Board for guidance.  Thanks everyone for the lively discussion.

This is something we need to do anyhow. TB has the final say.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de







Re: SSH and the Ubuntu Server

2010-11-19 Thread Dustin Kirkland
Stephan Hermann  wrote:
> Hi Scott,
>
> On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
>> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
>> > Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
>> > different modes (minimal, default, developer workstation), all of
>> > which a) were running sshd, b) had a root user with a password.
>>
>> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack
>> surface for a default RHEL6 install is rather more limited.
>
> To be honest, there is no difference in installing RHEL6 with a static
> ip address or Ubuntu Server with DHCP enabled.
>
> I think we need to find out first, what user base we want to point at.
>
> The SysAdmin of a Company with Enterprise Classed Datacenter
> or the guy/gal from around the corner who is testing ubuntu server?
>
> The SysAdmin will have network security in place (if not..oh well), and
> mostly is he/she not using public IP addresses, and/or they setup their
> DHCPd to match the MACs of the NICs inside their servers.
>
> I am now wondering if we really should change something. As long as I'm
> thinking about the topic, I'm coming to my conclusion, that we just
> should tick sshd by default during tasksel in the installer, and that's
> it. For most of the admins out there, it really doesn't matter, because
> they have other ways to deploy ubuntu server on their servers.

I agree, Stephan.

The installer complexity can be avoided by just ticking the "OpenSSH
Server" in the top of the tasksel page as you suggest;  document that
change thoroughly and publish it far and wide; note the stronger
sshd.conf configurations from Marc and the security team in the SSH
help page.

Unfortunately, I don't think we're reaching a consensus here on ubuntu-de...@.

I'm going to redraft the proposal, note that there was no general
consensus on the matter in the ubuntu-devel@ mailing list, and ask the
Tech Board for guidance.  Thanks everyone for the lively discussion.

:-Dustin



Re: SSH and the Ubuntu Server

2010-11-19 Thread Stephan Hermann
Hi Scott,

On Fri, 2010-11-19 at 13:18 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> > Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
> > different modes (minimal, default, developer workstation), all of
> > which a) were running sshd, b) had a root user with a password.
> 
> Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack 
> surface for a default RHEL6 install is rather more limited.

To be honest, there is no difference in installing RHEL6 with a static
ip address or Ubuntu Server with DHCP enabled.

I think we need to find out first, what user base we want to point at.

The SysAdmin of a Company with Enterprise Classed Datacenter
or the guy/gal from around the corner who is testing ubuntu server?

The SysAdmin will have network security in place (if not..oh well), and
mostly is he/she not using public IP addresses, and/or they setup their
DHCPd to match the MACs of the NICs inside their servers.

I am now wondering if we really should change something. As long as I'm
thinking about the topic, I'm coming to my conclusion, that we just
should tick sshd by default during tasksel in the installer, and that's
it. For most of the admins out there, it really doesn't matter, because
they have other ways to deploy ubuntu server on their servers.

Regards,

\sh

-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de







Re: SSH and the Ubuntu Server

2010-11-19 Thread Marc Deslauriers
On Fri, 2010-11-19 at 13:06 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> > On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > > I want the person installing the server to actually make the choice
> > > > to install ssh in order to realize that doing so may have
> > > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > > > server from the network and configure ssh properly before hooking it
> > > > back up..."
> > > 
> > > What does "configure ssh properly" usually entail? Are these some
> > > defaults we can change or offer as follow-on questions if people answer
> > > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > > in a net loss in usability on account of more questions asked, just
> > > trying to get something constructive out of this thread)
> > 
> > I think this highly depends on the environment the server is set up in,
> > and is beyond the scope of the installer, but typically one or more of
> > the following:
> > 
> > - Limit ssh to a specific network interface
> > - Disable password authentication and copy over keys
> > - Configure AllowUsers and/or AllowGroups
> > - Disable DebianBanner
> > - Configure a firewall to limit connections from specific IPs and enable
> > rate limiting
> > - Configure tcpwrappers to limit connections from specific IPs
> > - Install fail2ban or denyhosts
> > - Add server to corporate IPS ssh-monitored host group
> > - etc.
> > 
> > SSH password brute-forcing has been on the SANS Top 20 vulnerability
> > list for the past 10 years or so.
> 
> Where do we document this for our users so they can take appropriate actions?

Same place we document everything else: in our wiki and on
help.ubuntu.com.

https://help.ubuntu.com/community/SSH
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Marc.





Re: SSH and the Ubuntu Server

2010-11-19 Thread Scott Kitterman
On Friday, November 19, 2010 12:02:33 pm Dustin Kirkland wrote:
> Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
> different modes (minimal, default, developer workstation), all of
> which a) were running sshd, b) had a root user with a password.

Yes, but RHEL6 doesn't dhcp by default and Ubuntu Server does so the attack 
surface for a default RHEL6 install is rather more limited.

Scott K



Re: SSH and the Ubuntu Server

2010-11-19 Thread Scott Kitterman
On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > I want the person installing the server to actually make the choice
> > > to install ssh in order to realize that doing so may have
> > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > > server from the network and configure ssh properly before hooking it
> > > back up..."
> > 
> > What does "configure ssh properly" usually entail? Are these some
> > defaults we can change or offer as follow-on questions if people answer
> > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > in a net loss in usability on account of more questions asked, just
> > trying to get something constructive out of this thread)
> 
> I think this highly depends on the environment the server is set up in,
> and is beyond the scope of the installer, but typically one or more of
> the following:
> 
> - Limit ssh to a specific network interface
> - Disable password authentication and copy over keys
> - Configure AllowUsers and/or AllowGroups
> - Disable DebianBanner
> - Configure a firewall to limit connections from specific IPs and enable
> rate limiting
> - Configure tcpwrappers to limit connections from specific IPs
> - Install fail2ban or denyhosts
> - Add server to corporate IPS ssh-monitored host group
> - etc.
> 
> SSH password brute-forcing has been on the SANS Top 20 vulnerability
> list for the past 10 years or so.

Where do we document this for our users so they can take appropriate actions?

Scott K



Re: SSH and the Ubuntu Server

2010-11-19 Thread Marc Deslauriers
On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> On 18-11-2010 16:49, Marc Deslauriers wrote: 
> > I want the person installing the server to actually make the choice
> > to install ssh in order to realize that doing so may have
> > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > server from the network and configure ssh properly before hooking it
> > back up..."
> 
> What does "configure ssh properly" usually entail? Are these some
> defaults we can change or offer as follow-on questions if people answer
> "Yes" to this dialog? (Yes, I fully realise that will very likely result
> in a net loss in usability on account of more questions asked, just
> trying to get something constructive out of this thread)
> 

I think this highly depends on the environment the server is set up in,
and is beyond the scope of the installer, but typically one or more of
the following:

- Limit ssh to a specific network interface
- Disable password authentication and copy over keys
- Configure AllowUsers and/or AllowGroups
- Disable DebianBanner
- Configure a firewall to limit connections from specific IPs and enable
rate limiting
- Configure tcpwrappers to limit connections from specific IPs
- Install fail2ban or denyhosts
- Add server to corporate IPS ssh-monitored host group
- etc.

SSH password brute-forcing has been on the SANS Top 20 vulnerability
list for the past 10 years or so.

Marc.
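
Added example, not part of Marc's message or of any Ubuntu tooling: a small Python check of the sshd_config-level items from the list above (ListenAddress, PasswordAuthentication, AllowUsers/AllowGroups, DebianBanner). The sample configs and the finding names are constructed for illustration; the firewall, tcpwrappers, fail2ban and IPS items live outside sshd_config and are not covered.

```python
import re

# Values assumed when a keyword is absent from the file.
# DebianBanner is the option added by the Debian/Ubuntu openssh packaging.
DEFAULTS = {"passwordauthentication": "yes", "debianbanner": "yes"}
# Keywords that may legitimately appear more than once.
MULTI = {"listenaddress", "allowusers", "allowgroups"}
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_global(text):
    """Return {keyword: [values]} for the global section of an sshd_config.

    Keywords are case-insensitive and, for single-valued keywords, the first
    occurrence wins. Parsing stops at the first Match block, so per-user or
    per-host overrides are out of scope for this check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in MULTI:
            settings.setdefault(key, []).append(value)
        elif key not in settings:
            settings[key] = [value]
    return settings


def effective(cfg, key):
    """Effective yes/no value for a single-valued keyword."""
    values = cfg.get(key)
    return values[0].lower() if values else DEFAULTS[key]


def listen_host(value):
    """Extract the host part of a ListenAddress argument."""
    fields = value.split()
    if not fields:
        return ""
    addr = fields[0]
    if addr.startswith("[") and "]" in addr:   # [ipv6]:port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                   # host:port
        return addr.split(":")[0]
    return addr                                # bare host or bare IPv6


def audit(text):
    """Return the list of checklist items the config does not satisfy."""
    cfg = parse_global(text)
    findings = []
    hosts = [listen_host(v) for v in cfg.get("listenaddress", [])]
    if not hosts or any(not h or h in ALL_INTERFACES for h in hosts):
        findings.append("listen-all-interfaces")
    if effective(cfg, "passwordauthentication") != "no":
        findings.append("password-auth-enabled")
    if not cfg.get("allowusers") and not cfg.get("allowgroups"):
        findings.append("no-allowusers-or-allowgroups")
    if effective(cfg, "debianbanner") != "no":
        findings.append("debian-banner-enabled")
    return findings


# Constructed sample: resembles an untouched install.
STOCK = """\
Port 22
#ListenAddress 0.0.0.0
PasswordAuthentication yes
"""

# Constructed sample: the sshd-level items from the list applied.
# The second PasswordAuthentication line is ignored (first occurrence wins).
HARDENED = """\
ListenAddress 192.0.2.10:22
PasswordAuthentication no
PasswordAuthentication yes
AllowGroups sshusers
DebianBanner = no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

On a live system, feeding this the output of `sshd -T` instead of the raw file gives the values sshd actually resolved, including defaults.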







Re: SSH and the Ubuntu Server

2010-11-19 Thread Dustin Kirkland
Stephan Hermann  wrote:
> Moins,
>
> On Thu, 2010-11-18 at 12:24 -0500, Luke Faraone wrote:
>> On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
>> > On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson  wrote:
>> >> No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
>> >> very top entry on the tasksel menu, and the cursor rests on it when you
>> >> reach that screen.
>> > [snip]
>> >
>> > I would gladly revise this proposal to simply:
>> >  * Automatically 'tick' OpenSSH Server by default on the Server Tasksel 
>> > screen
>> >
>> > Which would also sit there and wait for the user to consciously affirm
>> > their selection, and would avoid the countless server installations
>> > where people forget to install SSH and must make their way back to a
>> > console on their newly installed system and add the openssh-server
>> > package.
>>
>> As many people have mentioned, this will cause a surprise for users who
>> click through the install dialogs expecting things to not change since
>> they last used it.
>
> Sorry, but this is something which strikes me, really. When we don't
> change things over time, we will never have a better user experience.
> When we change something it needs to be documented in a public place
> where everyone interested can read it first hand.

+1

>> Also, since this occurs late in the install process, no dialogs to
>> prompt the user to harden their password can be offered, as others have
>> suggested.
>
> Oh well, we can change that inside the installer as well. Not prompting
> for a user choice, but choosing a hardened password automatically and
> showing it to the user
> mkpasswd --chars=20 --crypt-md5 or whatever should be enough. that's
> only a technical problem easily to solve.
>
>
>> You say there are "countless" installations. I don't think anybody
>> expects SSH to be automatically installed in a new server; it's a
>> service that should be enabled carefully after consideration of your
>> network environment and security needs. I feel that the potential for
>> harm of accidental installation exceeds the increase in convenience from
>> not having to explicitly select the task.
>
> I think we have more installations of RHEL or SLES in the enterprise
> server market, and they do have sshd enabled by default.
> Even when you install an VMWare ESX host, ssh is enabled by default,
> without the questionable root access.

Confirmed this on RHEL6 yesterday.  I installed RHEL6 in multiple
different modes (minimal, default, developer workstation), all of
which a) were running sshd, b) had a root user with a password.

Simply the fact that Ubuntu does not have an active root password by
default means that network attacks via ssh must guess BOTH the
username AND the password.

Choose both wisely and you should be able to repel attacks between the
time that your new Ubuntu Server reboots for the first time and the
time it takes for you to login for the first time and configure
sshd.conf to your liking.  If you're actively working the
installation, we're talking less than 5 minutes.  If you've automated
the deployment via puppet or somesuch, it can be far less than that.

:-Dustin



Re: SSH and the Ubuntu Server

2010-11-19 Thread Ubuntu


On Nov 18, 2010, at 10:49 AM, Marc Deslauriers wrote:

> Hello,
> 
>>> 
>>> Please consider that the very definition of a "server" implies that
>>> the system is running a "service".  Moreover, our official Ubuntu
>>> Server images as published for the Amazon EC2 cloud are, in fact,
>>> running SSH by default listening on port 22 on the unrestricted
>>> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
>>> Cloud installation by the very same ISO installs SSH on every
>>> UEC system deployed.  This is not unprecedented.
> 
> As far as I recall, EC2 opens the ssh port from your ip address only,
> and authenticates using certificates and not passwords.
> 

the default EC2 security group firewalls the machine completely. The user takes 
explicit action to open port 22 (euca-authorize). the same is true for UEC.

> Actually, now that you mention it, we should probably disable SSH
> password authentication by default in the EC2 images...

Instances of the official images have exactly zero users that have a password 
set. Password auth is allowed, but useless until the user sets a password.

on boot, the public key specified at launch is pulled from the metadata service 
and inserted into the 'ubuntu' users authorized keys.

the corresponding private key is the only way in.

Re: SSH and the Ubuntu Server

2010-11-19 Thread Stephan Hermann
Moins,

On Thu, 2010-11-18 at 12:24 -0500, Luke Faraone wrote:
> On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
> > On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson  wrote:
> >> No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
> >> very top entry on the tasksel menu, and the cursor rests on it when you
> >> reach that screen.
> > [snip]
> >
> > I would gladly revise this proposal to simply:
> >  * Automatically 'tick' OpenSSH Server by default on the Server Tasksel 
> > screen
> > 
> > Which would also sit there and wait for the user to consciously affirm
> > their selection, and would avoid the countless server installations
> > where people forget to install SSH and must make their way back to a
> > console on their newly installed system and add the openssh-server
> > package.
> 
> As many people have mentioned, this will cause a surprise for users who
> click through the install dialogs expecting things to not change since
> they last used it.

Sorry, but this is something which strikes me, really. When we don't
change things over time, we will never have a better user experience.
When we change something it needs to be documented in a public place
where everyone interested can read it first hand.

> 
> Also, since this occurs late in the install process, no dialogs to
> prompt the user to harden their password can be offered, as others have
> suggested.

Oh well, we can change that inside the installer as well. Not prompting
for a user choice, but choosing a hardened password automatically and
showing it to the user
mkpasswd --chars=20 --crypt-md5 or whatever should be enough. that's
only a technical problem easily to solve.


> You say there are "countless" installations. I don't think anybody
> expects SSH to be automatically installed in a new server; it's a
> service that should be enabled carefully after consideration of your
> network environment and security needs. I feel that the potential for
> harm of accidental installation exceeds the increase in convenience from
> not having to explicitly select the task.

I think we have more installations of RHEL or SLES in the enterprise
server market, and they do have sshd enabled by default.
Even when you install an VMWare ESX host, ssh is enabled by default,
without the questionable root access. 

Regards,

\sh
-- 
Stephan '\sh' Hermann
SysAdmin / Ubuntu Developer
xmpp: s...@sourcecode.de







Re: SSH and the Ubuntu Server

2010-11-19 Thread Barry Warsaw
On Nov 18, 2010, at 01:05 PM, C de-Avillez wrote:

>On the other hand, having SSH installed by default will help the
>majority of corporate users: we go (either physically, or via a
>serial console), install, and then happily use SSH to configure the
>rest of the system (and get out of the -- usually -- lights-out and
>cold environment, or off the bloody serial console).

FWIW, installing the ssh server (and editing the sshd_config file to remove
password authentication) is almost always the first thing I do on any new
Ubuntu install, be it server or desktop.

Cheers,
-Barry



Re: SSH and the Ubuntu Server

2010-11-19 Thread Soren Hansen
On 18-11-2010 16:49, Marc Deslauriers wrote: 
> I want the person installing the server to actually make the choice
> to install ssh in order to realize that doing so may have
> consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> server from the network and configure ssh properly before hooking it
> back up..."

What does "configure ssh properly" usually entail? Are these some
defaults we can change or offer as follow-on questions if people answer
"Yes" to this dialog? (Yes, I fully realise that will very likely result
in a net loss in usability on account of more questions asked, just
trying to get something constructive out of this thread)

-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/




Re: SSH and the Ubuntu Server

2010-11-19 Thread Scott Moser
Sorry if anyone gets dupes of the message below.
I sent from a phone, and it's sitting (I think) in moderator limbo.


On Nov 18, 2010, at 10:49 AM, Marc Deslauriers wrote:

> Hello,
>
>>>
>>> Please consider that the very definition of a "server" implies that
>>> the system is running a "service".  Moreover, our official Ubuntu
>>> Server images as published for the Amazon EC2 cloud are, in fact,
>>> running SSH by default listening on port 22 on the unrestricted
>>> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
>>> Cloud installation by the very same ISO installs SSH on every
>>> UEC system deployed.  This is not unprecedented.
>
> As far as I recall, EC2 opens the ssh port from your ip address only,
> and authenticates using certificates and not passwords.
>

the default EC2 security group firewalls the machine completely. The user
takes explicit action to open port 22 (euca-authorize). the same is true
for UEC.

> Actually, now that you mention it, we should probably disable SSH
> password authentication by default in the EC2 images...

Instances of the official images have exactly zero users that have a
password set. Password auth is allowed, but useless until the user sets a
password.

on boot, the public key specified at launch is pulled from the metadata
service and inserted into the 'ubuntu' users authorized keys.

the corresponding private key is the only way in.



Re: SSH and the Ubuntu Server

2010-11-18 Thread Chuck Short
On 11/18/2010 03:08 PM, Mathias Gug wrote:
> Excerpts from Robbie Williamson's message of Thu Nov 18 13:34:58 -0500 2010:
>> On Thu, 2010-11-18 at 16:22 +, Colin Watson wrote:
>>> On Thu, Nov 18, 2010 at 10:08:47AM -0600, Robbie Williamson wrote:
>>>> On Thu, 2010-11-18 at 16:04 +, Colin Watson wrote:
>>>>> On Thu, Nov 18, 2010 at 10:49:38AM -0500, Marc Deslauriers wrote:
>>>>>> I think this screen is a good idea if in fact tasksel is moved to after
>>>>>> the first boot.
>>>>> We used to have a two-stage installer and it was a nightmare to maintain
>>>>> for several reasons.  Since we moved to a single-stage installer several
>>>>> years back, we've burned all the necessary code with fire and enjoyed
>>>>> it.  Please don't make me go back to that.
>>>> What if the Server team maintained the 2nd stage?  Then we'd be making
>>>> life easier for you, right? ;)
>>> Er. :-)
>>>
>>> (In seriousness, any good-quality second stage would require some level
>>> of cooperation from the first stage.  We tried that and it was awful.)
>> So I see the 1st stage as just installing the minimal server, then we
>> boot to a login prompt...user logs in and can either do his/her business
>> as desired or launch the 2nd stage (which they are told about in a 1st
>> boot motd-type message).
>>
> I'd add that the 2nd stage would just be tasksel.
>
> I don't know what the 2-stage installer was like back in the old days.
> The proposal discussed at UDS was:
>
>   * to have the installer create a minimal-lean install (ie 1st
> stage - same thing as of today). It creates a basic working system
> which upon reboot can be configured for its final role (either by a
> sysadmin via a console or ssh login [1] or a configuration management
> system such as puppet, chef, cfengine, shell script, etc...).
>
>   * Remove the tasksel step in the installer and add a note in the
> motd pointing to tasksel so that a sysadmin can finish the
> configuration of the system after reboot (as outlined in [1] above).
>
> This would provide a similar user experience to the one provided by
> the Ubuntu cloud images on EC2 and UEC. Once an instance is started
> the following text is displayed upon login into it via ssh:
>
>   -
>   At the moment, only the core of the system is installed. To tune the
>   system to your needs, you can choose to install one or more
>   predefined collections of software by running the following
>   command:
>
>  sudo tasksel --section server
>   -
>
> A similar message would be displayed when a user logs into the
> newly-installed system (either via console or ssh).
>

Hi,

If that is what you were thinking of as a "second stage installer", then I
think you might want something in between, functionality-wise, d-i and a
yast-type program. But simpler.

chuck



Re: SSH and the Ubuntu Server

2010-11-18 Thread Luke Faraone
On 11/18/2010 12:04 PM, Dustin Kirkland wrote:
> On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson  wrote:
>> No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
>> very top entry on the tasksel menu, and the cursor rests on it when you
>> reach that screen.
> [snip]
>
> I would gladly revise this proposal to simply:
>  * Automatically 'tick' OpenSSH Server by default on the Server Tasksel screen
> 
> Which would also sit there and wait for the user to consciously affirm
> their selection, and would avoid the countless server installations
> where people forget to install SSH and must make their way back to a
> console on their newly installed system and add the openssh-server
> package.

As many people have mentioned, this will cause a surprise for users who
click through the install dialogs expecting things to not change since
they last used it.

Also, since this occurs late in the install process, no dialogs to
prompt the user to harden their password can be offered, as others have
suggested.

You say there are "countless" installations. I don't think anybody
expects SSH to be automatically installed in a new server; it's a
service that should be enabled carefully after consideration of your
network environment and security needs. I feel that the potential for
harm of accidental installation exceeds the increase in convenience from
not having to explicitly select the task.

-- 
╒═╕
│Luke Faraone  ╭Debian / Ubuntu Developer╮│
│http://luke.faraone.cc╰Sugar Labs, Systems Admin╯│
│PGP: 5189 2A7D 16D0 49BB 046B  DC77 9732 5DD8 F9FD D506  │
╘═╛




Re: SSH and the Ubuntu Server

2010-11-18 Thread C de-Avillez
On 11/18/2010 09:49 AM, Marc Deslauriers wrote:

>>>  Q: What if the openssh-server package is compromised on the ISO?
>>>  A: Although this has happened before, it is relatively rare over the
>>> history of Ubuntu.  If/when this happens again, we would need to:
>>>a) recommend that people choose "no" when prompted, and install
>>> SSH post-installation from the security archive (same as we would do
>>> now, actually)
>>>b) and probably respin the ISOs (also been done before)
> 
> This isn't the only reason to not have SSH by default. My point was not
> having SSH installed by default before the administrator can properly
> secure a server, including installing security updates, and configuring
> ssh to respond to a particular network interface with password
> authentication disabled.

I do not see this as a major issue: in corporate environments (where
you will usually find multiple network interfaces) a system is
installed in a protected area (either physically, or network-wise,
or both). It is not just installing the basic system, but all the
necessary configuration that needs to be done. Only after this
post-install configuration a system will be set in the
firewalls/routers.

On the other hand, having SSH installed by default will help the
majority of corporate users: we go (either physically, or via a
serial console), install, and then happily use SSH to configure the
rest of the system (and get out of the -- usually -- lights-out and
cold environment, or off the bloody serial console).

>>>
>>>  Q: Why don't we disable password authentication?
>>>  A: We could do this, and ask users to provide a public SSH key (or
>>> even just a simple Launchpad userid whose public key we could securely
>>> import).  This would probably involve adding another page to the
>>> installer, public SSH keys are hard to memorize, while others will
>>> almost certainly object to even optionally tying their Launchpad ID to
>>> Ubuntu installations.  Most importantly, Ubuntu does not set a root
>>> password, so an attacker would need to guess BOTH the username AND
>>> password.
> 
> Password authentication should definitely be disabled when SSH servers
> are exposed to untrusted networks. But in a lot of cases though, SSH
> password authentication is acceptable, such as on my home network, or in
> a corporate environment where the SSH port is restricted behind a
> firewall.

I respectfully disagree. Password authentication should be disabled
by default. Downgrading security -- in corporate environments --
usually requires a formal risk acceptance process. Also, in every
audit I participated in, a system accepting SSH password authentication
would be flagged as an audit finding, and documentation would be
required to justify it.

It strikes me as inconsistent that we allow a known risk as default.
It should be the other way: if I want to downgrade security, I have
to explicitly choose to do so.

Of course, in this discussion, having only PK-authentication would
require either the person installing to provide an out-of-band
public key, or the installer to have this option.

> I don't think disabling SSH password authentication is something that
> can realistically be done by default for now.
> 
>>>  Q: What if I want a different sshd configuration than what's shipped
>>> by default in Ubuntu, before running sshd?
>>>  A: You sound like an advanced user; please preseed your installation,
>>> or add SSH after the initial install (as you would do now).
> 
> Securing your ssh installation is mentioned in every single security
> checklist I've seen. This isn't something only advanced users need to
> do. Making novice users install SSH without knowing the impact of doing
> so is not something we should be recommending.

Even more reason for us to provide a sensible -- and more secure --
default SSH configuration.

Cheers,

..C..
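
Added example (not part of the original message and not Ubuntu or OpenSSH project code): a small audit of the two settings debated above, password authentication and the listen address, run over two constructed sshd_config samples. It assumes OpenSSH's documented rules that keywords are case-insensitive, that the first value obtained for a keyword wins, and that PasswordAuthentication and KbdInteractiveAuthentication default to yes; Match blocks and Include files are not evaluated, and the function names are hypothetical.

```python
import ipaddress
import re

# OpenSSH defaults that apply when a keyword is absent (sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Deprecated alias that older configs still use.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample: password authentication left at its default.
DEFAULT_LIKE = """\
Port 22
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: key-only logins on one interface (documentation address).
HARDENED = """\
ListenAddress 192.0.2.10:22
PasswordAuthentication no
# A later duplicate is ignored because the first value wins.
PasswordAuthentication yes
KbdInteractiveAuthentication no
"""


def parse_sshd_config(text):
    """Return (settings, listen_addresses) for the global section only."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE.match(line)
        if not line or line.startswith("#") or not match:
            continue
        key = match.group(1).lower()          # keywords are case-insensitive
        key = ALIASES.get(key, key)
        value = match.group(2).strip().strip('"')
        if not value:
            continue
        if key == "match":                    # conditional blocks are out of scope
            break
        if key == "listenaddress":            # may legitimately repeat
            listen.append(value)
        else:
            settings.setdefault(key, value)   # first obtained value wins
    return settings, listen


def listen_host(value):
    """Strip an optional port from a ListenAddress argument."""
    addr = value.split()[0]
    if addr.startswith("["):                  # [host]:port
        return addr[1:].partition("]")[0]
    if addr.count(":") == 1:                  # host:port or IPv4:port
        return addr.split(":")[0]
    return addr                               # bare IPv4, IPv6 or hostname


def is_wildcard(host):
    """True for 0.0.0.0 and ::, the addresses that mean every interface."""
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False                          # hostname: treated as specific


def audit(text):
    """List findings for password-based logins and unrestricted listening."""
    settings, listen = parse_sshd_config(text)
    findings = []
    for key in DEFAULTS:
        value = settings.get(key, DEFAULTS[key]).lower()
        if value != "no":
            findings.append(f"{key} is {value}: password-style logins allowed")
    if not listen:
        findings.append("no ListenAddress: sshd listens on all addresses")
    findings += [f"ListenAddress {v} is a wildcard address"
                 for v in listen if is_wildcard(listen_host(v))]
    return findings


if __name__ == "__main__":
    for name, sample in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative source; a file parser like this one is for reviewing a config before it is deployed.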




Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
On Thu, Nov 18, 2010 at 9:30 AM, Colin Watson  wrote:
> (Please, in future, do not cross-post between the moderated ubuntu-devel
> and the unmoderated ubuntu-devel-discuss.  Doing so produces time lags
> which confuse people.)

Dang.  Sorry, Colin.  Live and learn.

> On Wed, Nov 17, 2010 at 03:38:53PM -0600, Dustin Kirkland wrote:
>> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
>> Technical Board approval of a new prompt in the Ubuntu Server ISO's
>> text-based installer, which would read something like the following:
>>
>>  --
>> |  If you need a secure connection to this
>> |  server remotely, you may wish to install
>> |  the openssh-server package.  Note that
>> |  this service will open TCP port 22 on
>> |  your system, and you should use a very
>> |  strong password.
>> |
>> |  Do you want to install the SSH service?
>> |
>> |        [[YES]]        [no]
>>  --
>>
>> Rest assured that the exact text will be word-smithed by an
>> appropriate committee to hash out an optimum verbiage.
>
> Without wishing to express any opinion either way: this is an
> excessively painful choice of implementation.  If you want to default it
> to yes, it would be sufficient, and much easier (take it from me, I'm
> the one who gets to deal with the translation merge workload when you
> guys add questions ...) to check the "SSH server" entry in tasksel by
> default.
>
>> These key points map to the following considerations:
>>  1) the current option to install SSH on Ubuntu servers is buried in
>> the tasksel menu
>
> No, it's not.  In Maverick it was arguably buried.  In Natty, it is the
> very top entry on the tasksel menu, and the cursor rests on it when you
> reach that screen.

Right, that's a great change.  Makes it more obvious.

I can concede your point that adding the proposed page to the
installer would create work for you, which of course, is not my goal.

I would gladly revise this proposal to simply:
 * Automatically 'tick' OpenSSH Server by default on the Server Tasksel screen

Which would also sit there and wait for the user to consciously affirm
their selection, and would avoid the countless server installations
where people forget to install SSH and must make their way back to a
console on their newly installed system and add the openssh-server
package.

:-Dustin



Re: SSH and the Ubuntu Server

2010-11-18 Thread Robbie Williamson
On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
> This proposal requests that:
> 1) a new prompt be added to the Ubuntu Server installer

Having gone through the install of RHEL, SLES, CentOS, Debian, and
Ubuntu this past week, I don't think adding this is a big deal.  I think our
install will still be one of the shortest (in terms of user required
actions).  With that said, I think we should definitely re-assess the
Server install experience, to determine if we are meeting the needs of
both the expert and novice Ubuntu Server user.

>  2) this prompt be dedicated to the boolean installation, or
> non-installation, of the SSH service, as an essential facet of a
> typical server

No problems here to me.

>  3) the cursor highlights the affirmative (yes, please install SSH),
> but awaits the user's conscious decision 

No problems here either, however I can see the uneasiness with
defaulting to "Yes", as the default install will now be vulnerable to
attack.  My question is this:  

What are our obligations in terms of "protecting" users from
themselves?  

We don't enable the firewall by default and other distros do...we prompt
installers to set up a non-root user account, while other distros let you
log right in as root...we enable the networking adapters by default,
while other distros don't.  My point is that I don't think there is a
right or wrong answer here...it's just opinion.  As far as the "No Open
Ports" policy, maybe it's time we re-evaluate it...maybe we make a
distinction between Ubuntu Desktop and Ubuntu Server...I dunno. Anyway,
that's my .02 on the topic.  I suspect we'll have to go to the TB on the
"Yes" or "No" portion anyway.

-Robbie

-- 
Robbie Williamson rob...@ubuntu.com
Ubuntu robbiew[irc.freenode.net]
   

"You can't be lucky all the time, but you can be smart everyday" 
 -Mos Def

"Arrogance is thinking you are better than everyone else, while
Confidence is knowing no one else is better than you." -Me ;)




Re: SSH and the Ubuntu Server

2010-11-18 Thread Scott Kitterman
On Wednesday, November 17, 2010 04:38:53 pm Dustin Kirkland wrote:
> Q: Why not default the cursor on that question to "No", instead of "Yes"?
>  A: That totally bypasses the value of this proposal, and is only
> microscopically better than what we currently have ...

Dustin,

I think this seriously undervalues the many benefits of your proposal.  The 
concern I have with defaulting a new question to yes the first time it appears 
is that if someone has a standard preseed they are using this will change what 
they get installed and they will never see the question (If I understand how 
all this works correctly and that's not certain).

If we are going to change the no open ports by default policy (and I think 
your proposal would do that), I think we should not be in a great rush to do 
that.

I would propose that the question should at least exist in an LTS release with 
a conservative default (no in this case) before defaulting to the less 
conservative default.  My thought would be to do all as you propose, except 
leave it as default No for now and then consider switching to yes in 12.10.

I know that's a longer timeline than you'd prefer, but I think it pays to be 
conservative in how we approach this.

BTW, given the number of knocks I see on the door at port 22, this is very 
much not like the gorilla thing.

Scott K



Re: SSH and the Ubuntu Server

2010-11-18 Thread Marc Deslauriers
Hello,

On Thu, 2010-11-18 at 08:00 -0600, Dustin Kirkland wrote:
> >  --
> > |  If you need a secure connection to this
> > |  server remotely, you may wish to install
> > |  the openssh-server package.  Note that
> > |  this service will open TCP port 22 on
> > |  your system, and you should use a very
> > |  strong password.
> > |
> > |  Do you want to install the SSH service?
> > |
> > |        [[YES]]        [no]
> >  --
> >
> > Rest assured that the exact text will be word-smithed by an
> > appropriate committee to hash out an optimum verbiage.

I think this screen is a good idea if in fact tasksel is moved to after
the first boot.

We would need to change the wording though as using ssh with password
authentication is insecure and should not be something we recommend. A
lot of users who come to #ubuntu-hardened trying to figure out why their
server was compromised end up discovering that ssh password
brute-forcing was the cause.

> >
> > This proposal requests that:
> >  1) a new prompt be added to the Ubuntu Server installer
> >  2) this prompt be dedicated to the boolean installation, or
> > non-installation, of the SSH service, as an essential facet of a
> > typical server
> >  3) the cursor highlights the affirmative (yes, please install SSH),
> > but awaits the user's conscious decision

This is where I disagree. Dangerous actions should not be the default
choice. 

I've seen numerous corporate environments where the default/generic
account used during server installation was still enabled when the
server went into production.

I want the person installing the server to actually make the choice to
install ssh in order to realize that doing so may have consequences. ie:
"Oh wait, If I install ssh now, I should unplug the server from the
network and configure ssh properly before hooking it back up..."

Making the cursor default to "yes" means people who install the server
and don't know the impact of answering yes will get something dangerous
installed that they weren't counting on.


> >
> > These key points map to the following considerations:
> >  1) the current option to install SSH on Ubuntu servers is buried in
> > the tasksel menu
> >- SSH is more fundamental to a server than the higher level
> > profile selections for:
> >  DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
> >  2) users of the installation ISO will have the option to not install
> > SSH, as they so desire
> >- it is quite well understood that some users may not want SSH
> > installed on their server

Corporate environments don't typically allow ssh access to servers from
the main network for security and conformance reasons. Remote management
cards and IP KVMs are often used from an isolated administrative
network, or SSH is configured to listen only to a specific network
interface. Contrary to what some people have suggested, pre-seeding
isn't used in a lot of these cases.

This is one of the reasons I like having SSH as a choice during install,
and not simply installed by default.

> >  3) highlighting the "YES" option on this page is absolutely essential
> > to addressing this usability issue
> >- and that selection is easily overridden by hitting ,
> > or by experienced admins in preseed configurations

SSH can just as easily be enabled by hitting  also.

> >
> > Please consider that the very definition of a "server" implies that
> > the system is running a "service".  Moreover, our official Ubuntu
> > Server images as published for the Amazon EC2 cloud are, in fact,
> > running SSH by default listening on port 22 on the unrestricted
> > Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> > Cloud installation by the very same ISO installs SSH on every
> > UEC system deployed.  This is not unprecedented.

As far as I recall, EC2 opens the ssh port from your ip address only,
and authenticates using certificates and not passwords.

Actually, now that you mention it, we should probably disable SSH
password authentication by default in the EC2 images...

As for UEC, I don't think that's a "default installation" as the person
installing is selecting to install a bunch of software that opens a
bunch of ports, including SSH.

> >
> > Having discussed the proposal with a subset of this audience (at UDS
> > and in IRC), here are some known FAQs:
> >
> >  Q: WTF?!?  Ubuntu has no open ports by default!
> >  A: That depends on which "Ubuntu" you mean.  Ubuntu-in-the-cloud runs
> > SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
> > importantly, this is not a "run by default" proposal.  We have already
> > compromised on that subject, culminating in this proposal, which is
> > simply about providing Server users with an obvious way to install the
> > typically essential SSH service.
> >
> >  Q: Why not default the cursor on that question to "No", i

Re: SSH and the Ubuntu Server

2010-11-18 Thread Scott Kitterman
On Thursday, November 18, 2010 04:21:42 am sam tygier wrote:
> On 17/11/10 21:38, Dustin Kirkland wrote:
> > This proposal requests that:
> >   1) a new prompt be added to the Ubuntu Server installer
> >   2) this prompt be dedicated to the boolean installation, or
> > non-installation, of the SSH service, as an essential facet of a
> > typical server
> >   3) the cursor highlights the affirmative (yes, please install SSH),
> > but awaits the user's conscious decision
> 
> you could make the ssh server recommend denyhosts or fail2ban (both prevent
> brute force attacks by blocking hosts that make too many failed login
> attempts)

No.  This is a bad idea.  There are too many different ways to solve this 
problem (and IMO these are not the most robust) to impose a default on the 
user.

Scott K



Re: SSH and the Ubuntu Server

2010-11-18 Thread Nicolas Barcet
On 11/18/2010 03:00 PM, Dustin Kirkland wrote:
> I inadvertently left ubuntu-server@ off of the original distribution.
> 
> Sorry about that.  CC'ing now.
> 
> There are a few responses already in the thread:
>  * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html

And here is a reply I made to it which is currently awaiting moderator
approval:

Hello Stephan,

On 11/18/2010 08:20 AM, Stephan Hermann wrote:
> On Wed, 2010-11-17 at 15:38 -0600, Dustin Kirkland wrote:
>> Ubuntu has long maintained a "no open ports by default" policy.  This
>> conservative approach arguably yields a more secure default
>> installation.  Several exceptions have been granted to this policy,
>> which install services on the target system without the user's
>> explicit consent, but in the calculated interest and support of a
>> vastly more usable Ubuntu.
>>
>> Let me be clear: I am NOT requesting that sort of an exception.
>>
>> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
>> Technical Board approval of a new prompt in the Ubuntu Server ISO's
>> text-based installer, which would read something like the following:
>>
>>  --
>> |  If you need a secure connection to this
>> |  server remotely, you may wish to install
>> |  the openssh-server package.  Note that
>> |  this service will open TCP port 22 on
>> |  your system, and you should use a very
>> |  strong password.
>> |
>> |  Do you want to install the SSH service?
>> |
>> |        [[YES]]        [no]
>>  --
>>
>> Rest assured that the exact text will be word-smithed by an
>> appropriate committee to hash out an optimum verbiage.
>
> If such a message would be displayed during alternative setup from CD,
> it would give me a shock.
> It's just like
>
> "If you need a UI for this Desktop you may wish to install GNOME. Note
> that this choice will install hundreds of other packages which can or
> can not harm/destroy/pollute your system, and you should reconsider your
> choice.
>
> Do you want to install GNOME on your System?
>
>   [[YES]] [no]
> "
>
> First of all, I think for Ubuntu Server the SSHD service should be
> enabled by default, eventually having a question on what IP interface
> the service should be listening and eventually giving a possibility to
> push a ssh public key to the box (please not via Launchpad or other web
> based services). SSHD is (for me) an essential server service.
>
> Having SSHD not enabled by default on Servers is a bit of a strange
> behaviour, regarding other enterprised based Distros.

I think everyone in Corporate Services agrees with your above statement
that the default should be to include sshd.  However, what we are facing
here is a rather major change in default behavior and, as such,
justifies that users be properly informed about it.  Think about it this
way: wouldn't you like to see a warning if at some point the desktop was
not to install any graphical interface anymore?

> On Ubuntu Desktop this is different. The Desktop doesn't need an sshd
> server, and there it shouldn't be installed or when installed, it
> shouldn't be enabled.
>
> A newly introduced service which opens a port could be documented in the
> release notes and other prominent places.

If, as Kees mentioned in another email, we are facing users that press
next without looking, do you really think that the same users will take
the time to read the release notes?

I think I fully understand the security team's concerns here, but given
that:

 a/ Based on what I have heard at UDS, we are considering adding a post
boot install phase for additional package installation, it would seem
reasonable to make it available across the network.

 b/ Even if I have made my initial install with a CD or a USB stick, I
do not know many admins that want to stay in front of their servers more
than the strict minimum time.  Personally I generally hate myself when I
have missed checking the sshd service on the tasksel screen, because it
means that I'll have to wait in the noisy and cold server room an
additional 5 mins (yes, despite our efforts to improve boot times,
hardware manufacturers for servers still consider it a great idea to have
various checks done during boot, prior to the OS being loaded)

 c/ Similarly to b, when I am installing a virtual machine, the less
time I spend in the server screen emulation the better, as this is
generally much slower and often much clumsier (think keyboard mapping
for example) than accessing the same server over SSH.

 d/ If the version of sshd that is provided on a CD becomes compromised,
we have seen in the past that it does not matter much whether it is
installed by default or not, since most people will have installed it.
It did not prevent us from re-spinning ISOs and it won't prevent people
from not applying security updates if they are not used to doing so.

 e/ The biggest risk seems

Re: SSH and the Ubuntu Server

2010-11-18 Thread Dustin Kirkland
I inadvertently left ubuntu-server@ off of the original distribution.

Sorry about that.  CC'ing now.

There are a few responses already in the thread:
 * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html

Thanks,
Dustin

On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland  wrote:
> Ubuntu has long maintained a "no open ports by default" policy.  This
> conservative approach arguably yields a more secure default
> installation.  Several exceptions have been granted to this policy,
> which install services on the target system without the user's
> explicit consent, but in the calculated interest and support of a
> vastly more usable Ubuntu.
>
> Let me be clear: I am NOT requesting that sort of an exception.
>
> I am asking for ubuntu-devel's consensus, and an eventual Ubuntu
> Technical Board approval of a new prompt in the Ubuntu Server ISO's
> text-based installer, which would read something like the following:
>
>  --
> |  If you need a secure connection to this
> |  server remotely, you may wish to install
> |  the openssh-server package.  Note that
> |  this service will open TCP port 22 on
> |  your system, and you should use a very
> |  strong password.
> |
> |  Do you want to install the SSH service?
> |
> |        [[YES]]        [no]
>  --
>
> Rest assured that the exact text will be word-smithed by an
> appropriate committee to hash out an optimum verbiage.
>
> This proposal requests that:
>  1) a new prompt be added to the Ubuntu Server installer
>  2) this prompt be dedicated to the boolean installation, or
> non-installation, of the SSH service, as an essential facet of a
> typical server
>  3) the cursor highlights the affirmative (yes, please install SSH),
> but awaits the user's conscious decision
>
> These key points map to the following considerations:
>  1) the current option to install SSH on Ubuntu servers is buried in
> the tasksel menu
>    - SSH is more fundamental to a server than the higher level
> profile selections for:
>      DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc.
>  2) users of the installation ISO will have the option to not install
> SSH, as they so desire
>    - it is quite well understood that some users may not want SSH
> installed on their server
>  3) highlighting the "YES" option on this page is absolutely essential
> to addressing this usability issue
>    - and that selection is easily overridden by hitting ,
> or by experienced admins in preseed configurations
>
> Please consider that the very definition of a "server" implies that
> the system is running a "service".  Moreover, our official Ubuntu
> Server images as published for the Amazon EC2 cloud are, in fact,
> running SSH by default listening on port 22 on the unrestricted
> Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise
> Cloud installation by the very same ISO installs SSH on every
> UEC system deployed.  This is not unprecedented.
>
> Having discussed the proposal with a subset of this audience (at UDS
> and in IRC), here are some known FAQs:
>
>  Q: WTF?!?  Ubuntu has no open ports by default!
>  A: That depends on which "Ubuntu" you mean.  Ubuntu-in-the-cloud runs
> SSH.  Ubuntu-as-the-cloud runs SSH.  Ubuntu desktops run avahi.  Most
> importantly, this is not a "run by default" proposal.  We have already
> compromised on that subject, culminating in this proposal, which is
> simply about providing Server users with an obvious way to install the
> typically essential SSH service.
>
>  Q: Why not default the cursor on that question to "No", instead of "Yes"?
>  A: That totally bypasses the value of this proposal, and is only
> microscopically better than what we currently have, where Ubuntu
> Server users must go out of their way to add one of the most
> fundamental packages to almost any server installation.  The proposal,
> as it stands, is already a compromise from the original suggestion at
> UDS; which was, "if you're installing a server, you're expecting to
> run a service, so let's just install SSH by default".  That idea is
> entirely out of scope now.  We are proposing this installer question
> as a reasonable compromise.
>
>  Q: What if the openssh-server package is compromised on the ISO?
>  A: Although this has happened before, it is relatively rare over the
> history of Ubuntu.  If/when this happens again, we would need to:
>    a) recommend that people choose "no" when prompted, and install
> SSH post-installation from the security archive (same as we would do
> now, actually)
>    b) and probably respin the ISOs (also been done before)
>
>  Q: Why don't we disable password authentication?
>  A: We could do this, and ask users to provide a public SSH key (or
> even just a simple Launchpad userid whose public key we could securely
> import).  This would probably involve adding another page to the
> installer, publi