[Bug 1576353] Re: install openssh-server by default, prompt for enabling it on server iso install

Colin Watson cjwatson at canonical.com
Sat Apr 30 10:23:35 UTC 2016 

I think I'm OK with adding a low-priority debconf question to disable
password authentication.  That's a much lower-maintenance solution from
my point of view than the various things that have been proposed in the
past for disabling the service entirely.  The packaged default would be
true (i.e. enable password auth), but the server image could preseed it
to false.

Regarding socket activation, I'd like to draw your attention to this
section from openssh-server's README.Debian file.  The bit about
MaxStartups explains why I'm unwilling to make this the default on
servers:

Per-connection sshd instances with systemd
------------------------------------------

If you want to reconfigure systemd to listen on port 22 itself and launch an
instance of sshd for each connection (inetd-style socket activation), then
you can run:

  systemctl stop ssh.service
  systemctl start ssh.socket

To make this permanent:

  systemctl disable ssh.service
  systemctl enable ssh.socket

This may be appropriate in environments where minimal footprint is critical
(e.g. cloud guests).  Be aware that this bypasses MaxStartups, and systemd's
MaxConnections cannot quite replace this as it cannot distinguish between
authenticated and unauthenticated connections; see
https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.

The provided ssh.socket unit file sets ListenStream=22.  If you need to have
it listen on a different address or port, then you will need to do this by
copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
modifying the ListenStream option.  See systemd.socket(5) for details.

** Bug watch added: Red Hat Bugzilla #963268
   https://bugzilla.redhat.com/show_bug.cgi?id=963268

** Changed in: openssh (Ubuntu)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu)
       Status: New => Triaged

** Summary changed:

- install openssh-server by default, prompt for enabling it on server iso install
+ Install openssh-server with disabled password auth by default on servers

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1576353

Title:
  Install openssh-server with disabled password auth by default on
  servers

Status in Ubuntu CD Images:
  New
Status in openssh package in Ubuntu:
  Triaged

Bug description:
  we want to remove 'cloud-image' seed and join it with 'server' seed.
  openssh-server is one of the few (3) packages that are in cloud image and not in 'ubuntu-server'.

  We'd like to have the server iso install openssh-server by default and
  prompt the user if they want to enable it or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1576353/+subscriptions

More information about the foundations-bugs mailing list