I inadvertently left ubuntu-server@ off of the original distribution. Sorry about that. CC'ing now.
There are a few responses already in the thread: * https://lists.ubuntu.com/archives/ubuntu-devel/2010-November/thread.html Thanks, Dustin On Wed, Nov 17, 2010 at 3:38 PM, Dustin Kirkland <kirkl...@ubuntu.com> wrote: > Ubuntu has long maintained a "no open ports by default" policy. This > conservative approach arguably yields a more secure default > installation. Several exceptions have been granted to this policy, > which install services on the target system without the user's > explicit consent, but in the calculated interest and support of a > vastly more usable Ubuntu. > > Let me be clear: I am NOT requesting that sort of an exception. > > I am asking for ubuntu-devel's consensus, and an eventual Ubuntu > Technical Board approval of a new prompt in the Ubuntu Server ISO's > text-based installer, which would read something like the following: > > ---------------------------------------------------------- > | If you need a secure connection to this > | server remotely, you may wish to install > | the openssh-server package. Note that > | this service will open TCP port 22 on > | your system, and you should use a very > | strong password. > | > | Do you want to install the SSH service? > | > | [[YES]] [no] > ---------------------------------------------------------- > > Rest assured that the exact text will be word-smithed by an > appropriate committee to hash out an optimum verbiage. > > This proposal requests that: > 1) a new prompt be added to the Ubuntu Server installer > 2) this prompt be dedicated to the boolean installation, or > non-installation, of the SSH service, as an essential facet of a > typical server > 3) the cursor highlights the affirmative (yes, please install SSH), > but awaits the user's conscious decision > > These key points map to the following considerations: > 1) the current option to install SSH on Ubuntu servers is buried in > the tasksel menu > - SSH is more fundamental to a server than the higher level > profile selections for: > DNS Server, Mail Server, LAMP Stack, Virtualization Host, etc. > 2) users of the installation ISO will have the option to not install > SSH, as they so desire > - it is quite well understood that some users may not want SSH > installed on their server > 3) highlighting the "YES" option on this page is absolutely essential > to addressing this usability issue > - and that selection is easily overridden by hitting <tab><enter>, > or by experienced admins in preseed configurations > > Please consider that the very definition of a "server" implies that > the system is running a "service". Moreover, our official Ubuntu > Server images as published for the Amazon EC2 cloud are, in fact, > running SSH by default listening on port 22 on the unrestricted > Internet (the 'ubuntu' has no password), and the Ubuntu Enterprise > Cloud installation by the very same ISO installs SSH on every every > UEC system deployed. This is not unprecedented. > > Having discussed the proposal with a subset of this audience (at UDS > and in IRC), here are some known FAQs: > > Q: WTF?!? Ubuntu has no open ports by default! > A: That depends on which "Ubuntu" you mean. Ubuntu-in-the-cloud runs > SSH. Ubuntu-as-the-cloud runs SSH. Ubuntu desktops run avahi. Most > importantly, this is not a "run by default" proposal. We have already > compromised on that subject, culminating in this proposal, which is > simply about providing Server users with an obvious way to install the > typically essential SSH service. > > Q: Why not default the cursor on that question to "No", instead of "Yes"? > A: That totally bypasses the value of this proposal, and is only > microscopically better than what we currently have, where Ubuntu > Server users must go out of their way to add one of the most > fundamental packages to almost any server installation. The proposal, > as it stands, is already a compromise from the original suggestion at > UDS; which was, "if you're installing a server, you're expecting to > run a service, so let's just install SSH by default". That idea is > entirely out of scope now. We are proposing this installer question > as a reasonable compromise. > > Q: What if the openssh-server package is compromised on the ISO? > A: Although this has happened before, it is relatively rare over the > history of Ubuntu. If/when this happens again, we would need to: > a) recommend that people choose "no" when prompted, and install > SSH post-installation from the security archive (same as we would do > now, actually) > b) and probably respin the ISOs (also been done before) > > Q: Why don't we disable password authentication? > A: We could do this, and ask users to provide a public SSH key (or > even just a simple Launchpad userid whose public key we could securely > import). This would probably involve adding another page to the > installer, public SSH keys are hard to memorize, while others will > almost certainly object to even optionally tying their Launchpad ID to > Ubuntu installations. Most importantly, Ubuntu does not set a root > password, so an attacker would need to guess BOTH the username AND > password. > > Q: What if I want a different sshd configuration than what's shipped > by default in Ubuntu, before running sshd? > A: You sound like an advanced user; please preseed your installation, > or add SSH after the initial install (as you would do now). > > Q: Do we have to add another question to the Server installer to > accomplish this? > A: Actually, we don't. We could possibly simplify or remove a couple > of other questions. That discussion belongs in another thread, > though. > > > Sincerely, > Dustin Kirkland > Ubuntu Core Developer | Server Team | Guarded Gorilla > http://bit.ly/5-gorillas > -- :-Dustin -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
