Code review comment for lp:~vorlon/debian-cd/lp.1576353

Marc Deslauriers (mdeslaur) wrote :

While I do understand the desire to combine cloud and server images, I don't think this MP is the right approach.

The security team's position has always been that installing openssh should be opt-in, so that it is clear to the person performing the installation that ssh will be active, for the following reasons:

1- It uses password authentication by default, and it may not be obvious to someone installing a test server or a development VM that the weak password they chose at install time would expose it to attackers.
2- The openssh port will be open and vulnerable to any security issues before the proper security updates have been installed (this is part of the reasoning for our no open ports policy).

While enabling openssh by default but with password authentication disabled clearly solves #1, it does not solve #2, and comes with an important drawback: the chicken-and-egg problem of getting an ssh key to the box while a password can't be used. I think that drawback is important enough that changing the default will cause user irritation and affects openssh usability.

There is also the issue that this MP will result in a different behaviour between installing the ssh package on a desktop system and having it installed by default on a server. I believe this will cause confusion and is likely to again result in systems being exposed with insecure configurations. Having openssh installed by default on cloud images is different because it's generally the only way to access clouds, cloud installs are usually pre-configured, and there are IP limitations in place preventing arbitrary connections.

Most of these issues have been mentioned in the previous comments, but there doesn't seem to be an ideal solution that would pave the way forward.

For these reasons the security team wishes to NACK this MP and maintain the status quo of having the openssh package be an opt-in during server installation.
