[Bug 2031067] Re: openssh-server installed with password auth despite deselected option

Tony Phan 2031067 at bugs.launchpad.net
Tue Aug 15 03:22:41 UTC 2023 

Dear Mx. Seth Arnold,

Thank you for your help with this. I have tested again, and the default (at
least visually) for the "Install OpenSSH server" checkbox is indeed
deselected (an empty checkbox “[ ]”). The installers are
ubuntu-22.04.3-live-server-amd64.iso at “Download Ubuntu Server 22.04.3
LTS” and ubuntu-23.04-live-server-amd64.iso at “Download Ubuntu Server
23.04” on the page https://ubuntu.com/download/server. It is possible that
this is intended to be the default, but it is not apparent from a
user-facing perspective.

I tested on Ubuntu 17.04 (ubuntu-17.04-server-amd64.iso on
http://old-releases.ubuntu.com/releases/17.04/), and the sshd service does
not appear to be installed nor active by default (`which sshd` is empty and
attempting a loopback ssh returns “ssh: connect to host localhost port 22:
Connection refused”). It therefore appears to be a relatively recent change.

Thank you very much for your attention to this matter.

Sincerely,
Tony Phan

On Mon, Aug 14, 2023 at 7:30 PM Seth Arnold <2031067 at bugs.launchpad.net>
wrote:

> Hi Tony, thanks for the report; I thought the default for our server
> images was to install openssh server. Could you confirm which
> installation media you used? (We've got so many choices, it's best to be
> explicit.)
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2031067
>
> Title:
>   openssh-server installed with password auth despite deselected option
>
> Status in subiquity package in Ubuntu:
>   New
>
> Bug description:
>   I tested on Ubuntu 22.04.3 LTS and Ubuntu 23.04, generated as
>   libvirt/kvm instances.
>
>   Steps to reproduce:
>   1. Install Ubuntu Server using the installer
>   2. Keep all defaults, including leaving "Install OpenSSH server"
> deselected.
>
>   What we expect:
>   We expect openssh-server to be uninstalled and the sshd service to be
> inactive/nonexistent, since it was not selected.
>
>   What happened instead:
>   Instead, the sshd daemon is active regardless, and the host is
> accessible by ssh with password authentication by default. This presents a
> major security risk, since, possibly unbeknownst to the user, it increases
> the attack surface for intrusion and leaves the server vulnerable to
> password-based authentication, which is normally considered insecure
> (namely, compared to key-based authentication). Users may be configuring
> servers with the expectation that they are only accessible by local login
> and inadvertently exposing their servers to SSH intrusion.
>
>   Suggested fix:
>   The installer should respect the user's choice to leave openssh-server
> uninstalled if the option to install is deselected.
>
>   Although this is easy to reproduce and may be obvious to malicious
>   actors, because this is a potential security vulnerability, I am
>   erring on the side of caution and filing as a security vulnerability.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2031067/+subscriptions
>
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subiquity in Ubuntu.
https://bugs.launchpad.net/bugs/2031067

Title:
  openssh-server installed with password auth despite deselected option

Status in subiquity package in Ubuntu:
  New

Bug description:
  I tested on Ubuntu 22.04.3 LTS and Ubuntu 23.04, generated as
  libvirt/kvm instances.

  Steps to reproduce:
  1. Install Ubuntu Server using the installer
  2. Keep all defaults, including leaving "Install OpenSSH server" deselected.

  What we expect:
  We expect openssh-server to be uninstalled and the sshd service to be inactive/nonexistent, since it was not selected.

  What happened instead:
  Instead, the sshd daemon is active regardless, and the host is accessible by ssh with password authentication by default. This presents a major security risk, since, possibly unbeknownst to the user, it increases the attack surface for intrusion and leaves the server vulnerable to password-based authentication, which is normally considered insecure (namely, compared to key-based authentication). Users may be configuring servers with the expectation that they are only accessible by local login and inadvertently exposing their servers to SSH intrusion. 

  Suggested fix:
  The installer should respect the user's choice to leave openssh-server uninstalled if the option to install is deselected.

  Although this is easy to reproduce and may be obvious to malicious
  actors, because this is a potential security vulnerability, I am
  erring on the side of caution and filing as a security vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2031067/+subscriptions

More information about the foundations-bugs mailing list