Summarizing yesterday's discussion with the Security Team:
- we would like password auth disabled by default on installation of openssh-server via the server image, just as via the cloud image
- the admin can set up password auth post-install
- (optional) this can be a debconf question, so that the admin can pre-seed enabling of password auth at install time.
- with the above requirements met, the Security Team is ok with having openssh-server installed by default, and listening on port 22, on a server install as well as on a cloud image.
- no requirements were expressed on the behavior of openssh-server if manually installed by the admin post installation.
- (optional) ideally, the openssh-server systemd units would be adjusted for lazy socket-based activation, so that this is not an additional server process running (and taking up swap space / process table space) until asked for.
Summarizing yesterday's discussion with the Security Team:
- we would like password auth disabled by default on installation of openssh-server via the server image, just as via the cloud image
- the admin can set up password auth post-install
- (optional) this can be a debconf question, so that the admin can pre-seed enabling of password auth at install time.
- with the above requirements met, the Security Team is ok with having openssh-server installed by default, and listening on port 22, on a server install as well as on a cloud image.
- no requirements were expressed on the behavior of openssh-server if manually installed by the admin post installation.
- (optional) ideally, the openssh-server systemd units would be adjusted for lazy socket-based activation, so that this is not an additional server process running (and taking up swap space / process table space) until asked for.
Opening a task on the openssh package.