[Bug 2031067] Re: openssh-server installed with password auth despite deselected option
Seth Arnold
2031067 at bugs.launchpad.net
Tue Aug 15 00:20:33 UTC 2023
Hi Tony, thanks for the report; I thought the default for our server
images was to install openssh server. Could you confirm which
installation media you used? (We've got so many choices, it's best to be
explicit.)
Thanks
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subiquity in Ubuntu.
https://bugs.launchpad.net/bugs/2031067
Title:
openssh-server installed with password auth despite deselected option
Status in subiquity package in Ubuntu:
New
Bug description:
I tested on Ubuntu 22.04.3 LTS and Ubuntu 23.04, generated as
libvirt/kvm instances.
Steps to reproduce:
1. Install Ubuntu Server using the installer
2. Keep all defaults, including leaving "Install OpenSSH server" deselected.
What we expect:
We expect openssh-server to be uninstalled and the sshd service to be inactive/nonexistent, since it was not selected.
What happened instead:
Instead, the sshd daemon is active regardless, and the host is accessible by ssh with password authentication by default. This presents a major security risk, since, possibly unbeknownst to the user, it increases the attack surface for intrusion and leaves the server vulnerable to password-based authentication, which is normally considered insecure (namely, compared to key-based authentication). Users may be configuring servers with the expectation that they are only accessible by local login and inadvertently exposing their servers to SSH intrusion.
Suggested fix:
The installer should respect the user's choice to leave openssh-server uninstalled if the option to install is deselected.
Although this is easy to reproduce and may be obvious to malicious
actors, because this is a potential security vulnerability, I am
erring on the side of caution and filing as a security vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2031067/+subscriptions
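Added example, not part of the bug report or of subiquity: a post-install audit script that checks a freshly installed host for the state Tony describes (openssh-server installed, sshd active, password authentication enabled) and classifies the result. It assumes a Debian/Ubuntu host where dpkg-query, systemctl and sshd -T are available and the service unit is named ssh.

```shell
#!/bin/sh
# Added example, not part of the bug report or of subiquity: a post-install
# audit for the state described above (openssh-server installed, sshd active,
# password authentication enabled). Parsing is kept separate from command
# execution so it can be exercised on captured output.

# Constructed sample of `sshd -T` output for the reported state.
SAMPLE_SSHD_T='port 22
passwordauthentication yes
pubkeyauthentication yes'

# Exit 0 when `sshd -T` output on stdin shows password authentication enabled.
# `sshd -T` prints the effective, lower-cased configuration with any drop-ins
# under /etc/ssh/sshd_config.d already resolved; only the global value is
# checked (Match-block overrides are not considered).
password_auth_enabled() {
    grep -qix 'passwordauthentication yes'
}

# Classify a host from three yes/no facts: package installed, service active,
# password auth enabled. Prints one word:
#   exposed   - sshd running and accepting passwords (the state reported above)
#   keys-only - sshd running, password auth off
#   inactive  - package installed but service not running
#   absent    - package not installed (what a deselected option should give)
classify_ssh_state() {
    pkg=$1; active=$2; pwauth=$3
    if [ "$pkg" != yes ]; then echo absent
    elif [ "$active" != yes ]; then echo inactive
    elif [ "$pwauth" = yes ]; then echo exposed
    else echo keys-only
    fi
}

# Gather the real facts from the running system (sshd -T needs root).
audit_ssh_exposure() {
    if dpkg-query -W -f='${Status}' openssh-server 2>/dev/null | grep -q 'install ok installed'
    then pkg=yes; else pkg=no; fi
    if systemctl is-active --quiet ssh 2>/dev/null; then active=yes; else active=no; fi
    if [ "$pkg" = yes ] && sshd -T 2>/dev/null | password_auth_enabled
    then pwauth=yes; else pwauth=no; fi
    classify_ssh_state "$pkg" "$active" "$pwauth"
}

# Usage (as root): . ./audit_ssh.sh && audit_ssh_exposure
# Remedy for "exposed" on a host that should not accept passwords: a drop-in
# file under /etc/ssh/sshd_config.d setting "PasswordAuthentication no" that
# sorts before the other drop-ins (sshd keeps the first value it reads), then
# systemctl reload ssh.
```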