I think I'm OK with adding a low-priority debconf question to disable password authentication. That's a much lower-maintenance solution from my point of view than the various things that have been proposed in the past for disabling the service entirely. The packaged default would be true (i.e. enable password auth), but the server image could preseed it to false.
Regarding socket activation, I'd like to draw your attention to this section from openssh-server's README.Debian file. The bit about MaxStartups explains why I'm unwilling to make this the default on servers:

  Per-connection sshd instances with systemd
  ------------------------------------------

  If you want to reconfigure systemd to listen on port 22 itself and launch
  an instance of sshd for each connection (inetd-style socket activation),
  then you can run:

    systemctl stop ssh.service
    systemctl start ssh.socket

  To make this permanent:

    systemctl disable ssh.service
    systemctl enable ssh.socket

  This may be appropriate in environments where minimal footprint is
  critical (e.g. cloud guests).  Be aware that this bypasses MaxStartups,
  and systemd's MaxConnections cannot quite replace this as it cannot
  distinguish between authenticated and unauthenticated connections; see
  https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.

  The provided ssh.socket unit file sets ListenStream=22.  If you need to
  have it listen on a different address or port, then you will need to do
  this by copying /lib/systemd/system/ssh.socket to
  /etc/systemd/system/ssh.socket and modifying the ListenStream option.
  See systemd.socket(5) for details.

** Bug watch added: Red Hat Bugzilla #963268
   https://bugzilla.redhat.com/show_bug.cgi?id=963268

** Changed in: openssh (Ubuntu)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu)
       Status: New => Triaged

** Summary changed:

- install openssh-server by default, prompt for enabling it on server iso install
+ Install openssh-server with disabled password auth by default on servers

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1576353

Title:
  Install openssh-server with disabled password auth by default on servers
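An offline check for the two settings this message discusses, added here as an example (not code from the openssh package or from the bug thread): it reads an sshd_config for the global PasswordAuthentication value and a socket unit file for per-connection activation. The function names and sample files are constructed for illustration, Accept=yes is assumed to be the setting that marks the inetd-style unit, and Include directives and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: offline audit of password auth and ssh.socket activation.
# Assumptions: sample files are constructed; Include files are not followed.

# Print the global PasswordAuthentication value from sshd_config file $1.
# sshd keeps the first value it reads for a keyword; Match blocks are
# conditional, so parsing stops there; the OpenSSH default is "yes".
effective_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " "); key = tolower($1) }    # "Key=value" is also accepted
        key == "match" { exit }
        key == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Print "per-connection" if socket unit file $1 sets Accept to a true value
# in [Socket] (one sshd per connection, the mode that bypasses MaxStartups),
# otherwise "single-service". The last assignment in the file wins.
socket_mode() {
    awk -F= '
        { gsub(/[ \t]/, "") }                   # tolerate "Accept = yes"
        /^\[/ { section = $0; next }
        section == "[Socket]" && $1 == "Accept" { accept = tolower($2) }
        END {
            if (accept == "yes" || accept == "true" || accept == "on" || accept == "1")
                print "per-connection"
            else
                print "single-service"
        }
    ' "$1"
}

# Constructed sample input: the later "yes" is ignored because the first
# PasswordAuthentication line already set the value.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
    'passwordauthentication no' 'PasswordAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' '[Socket]' 'ListenStream=22' 'Accept=yes' > "$tmp/ssh.socket"

echo "PasswordAuthentication: $(effective_password_auth "$tmp/sshd_config")"
echo "ssh.socket mode: $(socket_mode "$tmp/ssh.socket")"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, which also covers Include files.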