[Bug 2031067] Re: openssh-server installed with password auth despite deselected option
Tony Phan
2031067 at bugs.launchpad.net
Tue Aug 15 03:22:41 UTC 2023
Dear Mx. Seth Arnold,
Thank you for your help with this. I have tested again, and the default (at
least visually) for the "Install OpenSSH server" checkbox is indeed
deselected (an empty checkbox “[ ]”). The installers are
ubuntu-22.04.3-live-server-amd64.iso at “Download Ubuntu Server 22.04.3
LTS” and ubuntu-23.04-live-server-amd64.iso at “Download Ubuntu Server
23.04” on the page https://ubuntu.com/download/server. It is possible that
this is intended to be the default, but it is not apparent from a
user-facing perspective.
I tested on Ubuntu 17.04 (ubuntu-17.04-server-amd64.iso on
http://old-releases.ubuntu.com/releases/17.04/), and the sshd service does
not appear to be installed nor active by default (`which sshd` is empty and
attempting a loopback ssh returns “ssh: connect to host localhost port 22:
Connection refused”). It therefore appears to be a relatively recent change.
Thank you very much for your attention to this matter.
Sincerely,
Tony Phan
On Mon, Aug 14, 2023 at 7:30 PM Seth Arnold <2031067 at bugs.launchpad.net> wrote:
> Hi Tony, thanks for the report; I thought the default for our server
> images was to install openssh server. Could you confirm which
> installation media you used? (We've got so many choices, it's best to be
> explicit.)
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2031067
>
> Title:
> openssh-server installed with password auth despite deselected option
>
> Status in subiquity package in Ubuntu:
> New
>
> Bug description:
> I tested on Ubuntu 22.04.3 LTS and Ubuntu 23.04, generated as
> libvirt/kvm instances.
>
> Steps to reproduce:
> 1. Install Ubuntu Server using the installer
> 2. Keep all defaults, including leaving "Install OpenSSH server"
> deselected.
>
> What we expect:
> We expect openssh-server to be uninstalled and the sshd service to be
> inactive/nonexistent, since it was not selected.
>
> What happened instead:
> Instead, the sshd daemon is active regardless, and the host is
> accessible by ssh with password authentication by default. This presents a
> major security risk, since, possibly unbeknownst to the user, it increases
> the attack surface for intrusion and leaves the server vulnerable to
> password-based authentication, which is normally considered insecure
> (namely, compared to key-based authentication). Users may be configuring
> servers with the expectation that they are only accessible by local login
> and inadvertently exposing their servers to SSH intrusion.
>
> Suggested fix:
> The installer should respect the user's choice to leave openssh-server
> uninstalled if the option to install is deselected.
>
> Although this is easy to reproduce and may be obvious to malicious
> actors, because this is a potential security vulnerability, I am
> erring on the side of caution and filing as a security vulnerability.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2031067/+subscriptions
>
>
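As an added example (not code from the bug report, from subiquity, or from Ubuntu), the following POSIX shell script is a defender's audit for a freshly installed host: it checks the three facts the report turns on, whether openssh-server is installed, whether the ssh service is active, and what the effective PasswordAuthentication value is. The option parser works on `sshd -T` output and on plain "key value" config lines; the unit name ssh.service, the dpkg-query status string, the constructed sample lines in the comments, and the need to run `sshd -T` as root are assumptions about Debian/Ubuntu hosts, not facts from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of subiquity/Ubuntu.
# Audits a host for the condition the report describes: openssh-server
# present, sshd active, and password authentication enabled.
# Assumptions: Debian/Ubuntu tooling (dpkg-query, systemctl, unit name
# "ssh.service") and that `sshd -T` (needs root to read host keys) exists.

# Print the effective value of one sshd option, read from `sshd -T` style
# output on stdin ("key value" per line; matching is case-insensitive).
# Constructed sample input: "port 22\npasswordauthentication yes\n"
sshd_option() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Exit 0 when password logins are accepted. An absent key means the
# compiled-in OpenSSH default, which is "yes", so absence counts as enabled.
password_auth_enabled() {
    value=$(sshd_option passwordauthentication)
    [ "${value:-yes}" = "yes" ]
}

# Live audit of this host: prints one finding per line and returns 2 when the
# report's risky combination (active sshd accepting passwords) is present.
audit_host() {
    rc=0
    if dpkg-query -W -f='${Status}\n' openssh-server 2>/dev/null \
        | grep -q 'install ok installed'; then
        echo "openssh-server: installed"
    else
        echo "openssh-server: not installed"
        return 0
    fi
    if systemctl is-active --quiet ssh 2>/dev/null; then
        echo "ssh.service: active"
        # sshd -T prints the effective config; it fails (empty) without root.
        if cfg=$(sshd -T 2>/dev/null) && [ -n "$cfg" ]; then
            if printf '%s\n' "$cfg" | password_auth_enabled; then
                echo "PasswordAuthentication: yes <- password logins accepted over the network"
                rc=2
            else
                echo "PasswordAuthentication: no"
            fi
        else
            echo "sshd -T failed: rerun as root to read the effective config"
            rc=1
        fi
    else
        echo "ssh.service: inactive"
    fi
    return "$rc"
}

# Run the live audit only when asked, so the helpers can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sudo sh audit-sshd.sh --audit`; an exit status of 2 means the host is in the state the report describes, which is a stronger check than the `which sshd` and loopback-connect probes in the mail above because it reads the effective sshd configuration rather than inferring it from a connection attempt.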