[Bug 1576353] Re: install openssh-server by default, prompt for enabling it on server iso install
Colin Watson
cjwatson at canonical.com
Sat Apr 30 10:23:35 UTC 2016
I think I'm OK with adding a low-priority debconf question to disable
password authentication. That's a much lower-maintenance solution from
my point of view than the various things that have been proposed in the
past for disabling the service entirely. The packaged default would be
true (i.e. enable password auth), but the server image could preseed it
to false.

Regarding socket activation, I'd like to draw your attention to this
section from openssh-server's README.Debian file. The bit about
MaxStartups explains why I'm unwilling to make this the default on
servers:

  Per-connection sshd instances with systemd
  ------------------------------------------

  If you want to reconfigure systemd to listen on port 22 itself and launch an
  instance of sshd for each connection (inetd-style socket activation), then
  you can run:

    systemctl stop ssh.service
    systemctl start ssh.socket

  To make this permanent:

    systemctl disable ssh.service
    systemctl enable ssh.socket

  This may be appropriate in environments where minimal footprint is critical
  (e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
  MaxConnections cannot quite replace this as it cannot distinguish between
  authenticated and unauthenticated connections; see
  https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.

  The provided ssh.socket unit file sets ListenStream=22. If you need to have
  it listen on a different address or port, then you will need to do this by
  copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
  modifying the ListenStream option. See systemd.socket(5) for details.

** Bug watch added: Red Hat Bugzilla #963268
https://bugzilla.redhat.com/show_bug.cgi?id=963268
** Changed in: openssh (Ubuntu)
Importance: Undecided => High
** Changed in: openssh (Ubuntu)
Status: New => Triaged
** Summary changed:
- install openssh-server by default, prompt for enabling it on server iso install
+ Install openssh-server with disabled password auth by default on servers
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1576353
Title:
Install openssh-server with disabled password auth by default on
servers
Status in Ubuntu CD Images:
New
Status in openssh package in Ubuntu:
Triaged
Bug description:
We want to remove 'cloud-image' seed and join it with 'server' seed.
openssh-server is one of the few (3) packages that are in cloud image and not in 'ubuntu-server'.
We'd like to have the server iso install openssh-server by default and
prompt the user if they want to enable it or not.
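
Added example (not part of the original message, and not code from the openssh package): a Python check for the two conditions discussed above, password authentication left enabled and per-connection socket activation bypassing MaxStartups. The sample sshd_config and ssh.socket texts are constructed, Accept=yes is assumed from the README's description of per-connection instances, and the function names and finding labels are hypothetical.

```python
import re

# Constructed samples, not files from a real host. Accept=yes is an assumption
# based on the README's "instance of sshd for each connection".
SSHD_CONFIG = "# constructed\nPasswordAuthentication no\nMaxStartups 10:30:60\n"
SOCKET_UNIT = "[Socket]\nListenStream=22\nAccept=yes\n\n[Install]\nWantedBy=sockets.target\n"

def sshd_option(config_text, keyword, default):
    """Effective global value: sshd keeps the first occurrence of a keyword."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # everything after a Match line is conditional
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return default

def unit_option(unit_text, section, key, default):
    """Value of a single-valued systemd unit option; the last assignment wins."""
    current, value = None, default
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line and not line.startswith(("#", ";")):
            name, val = line.split("=", 1)
            if name.strip() == key:
                value = val.strip()
    return value

def audit(sshd_config, socket_unit, socket_enabled):
    """Return {finding: detail}; the finding labels are hypothetical."""
    findings = {}
    if sshd_option(sshd_config, "PasswordAuthentication", "yes").lower() != "no":
        findings["password-auth-enabled"] = "PasswordAuthentication is not set to no"
    accept = unit_option(socket_unit, "Socket", "Accept", "no").lower()
    if socket_enabled and accept in ("yes", "true", "on", "1"):
        startups = sshd_option(sshd_config, "MaxStartups", "10:30:100")
        limit = unit_option(socket_unit, "Socket", "MaxConnections", "64")
        findings["maxstartups-bypassed"] = (
            f"MaxStartups {startups} is not enforced; MaxConnections={limit} "
            "counts authenticated and unauthenticated connections alike")
    return findings

if __name__ == "__main__":
    for name, detail in audit(SSHD_CONFIG, SOCKET_UNIT, socket_enabled=True).items():
        print(f"{name}: {detail}")
```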