This bug was fixed in the package openssh - 1:9.9p1-3ubuntu2
---------------
openssh (1:9.9p1-3ubuntu2) plucky; urgency=medium
* document /etc/ssh/sshd_config.d/*.conf better in sshd_config
(LP: #2088207)
- d/p/debian-config.patch: expand comment about configuration options
and precedence of configuration snippets
- d/openssh-server.ucf-md5sum: update for new sshd_config comments
- d/p/sshd-socket-generator.patch: refresh for sshd_config comment
* d/t/systemd-socket-activation: add wait while unit is reloading
This avoids a race condition where we sometimes fail the assertion
that ActiveState=active after systemctl reload.
(LP: #2089049)
-- Nick Rosbrook <en...@ubuntu.com> Tue, 19 Nov 2024 12:06:14 -0500
** Changed in: openssh (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2088207
Title:
cloud-init enables ssh password auth in an unexpected config file
Status in cloud-init:
New
Status in cloud-init package in Ubuntu:
Invalid
Status in openssh package in Ubuntu:
Fix Released
Bug description:
Last night secur...@ubuntu.com received a security report about cloud-init:
```
Hello
Most server admins are familiar with disabling password auth in
/etc/ssh/sshd_config.
However Ubuntu Server 24.04 when installed from the ISO
(https://ubuntu.com/download/server)
includes a new file `/etc/ssh/sshd_config.d/50-cloud-init.conf`.
This means that disabling password auth in `/etc/ssh/sshd_config` does
nothing:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
^ Setting it to "no" does nothing
Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-
init.conf` which contains a single line:
PasswordAuthentication yes
There is no documentation for server admins that this is necessary in
/etc/ssh/sshd_config nor is this expected and will cause massive
security problems as upgrade in the future. People are just
discovering this behaviour now:
[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620
Recommendation:
1. Don't include this file by default
2. OR update sshd_config documentation so people know to check
/etc/ssh/ssd_config.d/
lllf
```
@falcojr from cloud-init added that:
> this happens due to the subiquity installer setting passwordauthentication
yes by default
> cloud-init writes any explicit configuration about ssh into sshd_config.d
To summarize:
Often `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When
cloud-init is used, this value is set in
`/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override
`/etc/ssh/sshd_config`. If an admin is not aware of this additional config file
or how sshd loads configs, they may unintentionally allow
PasswordAuthentication.
My inclination is to opt for lllf's second recommendation and clearly
document the additional config file. Possibly the header of
/etc/ssh/sshd_config could include:
```
# Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
# configurations in sshd_config.d may override settings in this file
# such as overriding PasswordAuthentication to yes
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/2088207/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
