*** This bug is a security vulnerability *** Public security bug reported:
Last night secur...@ubuntu.com received a security report about cloud-init:

```
Hello

Most server admins are familiar with disabling password auth in /etc/ssh/sshd_config.

However Ubuntu Server 24.04 when installed from the ISO (https://ubuntu.com/download/server) includes a new file `/etc/ssh/sshd_config.d/50-cloud-init.conf`.

This means that disabling password auth in `/etc/ssh/sshd_config` does nothing:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    ^ Setting it to "no" does nothing

Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-init.conf` which contains a single line:

    PasswordAuthentication yes

There is no documentation for server admins that this is necessary in /etc/ssh/sshd_config, nor is this expected, and it will cause massive security problems on upgrades in the future.

People are just discovering this behaviour now:

[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620

Recommendation:

1. Don't include this file by default
2. OR update sshd_config documentation so people know to check /etc/ssh/sshd_config.d/

lllf
```

@falcojr from cloud-init added that:

> this happens due to the subiquity installer setting passwordauthentication yes by default
> cloud-init writes any explicit configuration about ssh into sshd_config.d

To summarize:

Usually `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When cloud-init is used, this value is set in `/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override `/etc/ssh/sshd_config`. If an admin is not aware of this additional config file, they may unintentionally allow PasswordAuthentication.

My inclination is to opt for lllf's second recommendation and clearly document the additional config file.

Possibly the header of /etc/ssh/sshd_config could include:

```
# Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
# configurations in sshd_config.d may override settings in this file
# such as overriding PasswordAuthentication to yes
```

** Affects: cloud-init (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2088207

Title:
  cloud-init enables ssh password auth in an unexpected config file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2088207/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
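The override described in this report comes from two sshd_config(5) rules: the first value obtained for a keyword wins, and `Include` lines are expanded in place, so an `Include /etc/ssh/sshd_config.d/*.conf` placed above `PasswordAuthentication no` lets the drop-in win. The script below is an added illustration, not part of the bug report or of cloud-init: it builds a constructed config tree in a temp directory (the file names mirror the report; the Ubuntu default's `Include` line is assumed) and resolves the effective value the same way sshd does, reporting which file supplied it.

```shell
#!/bin/sh
# Constructed demo: resolve the effective sshd value of a keyword by
# walking the config in order and expanding Include globs in place.
set -eu

root=$(mktemp -d)
trap 'rm -rf "$root"' EXIT
mkdir -p "$root/etc/ssh/sshd_config.d"

# Stand-in for the Ubuntu default sshd_config: Include precedes the keyword.
cat > "$root/etc/ssh/sshd_config" <<EOF
Include $root/etc/ssh/sshd_config.d/*.conf
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
EOF

# The single line cloud-init writes, as quoted in the report.
printf 'PasswordAuthentication yes\n' \
    > "$root/etc/ssh/sshd_config.d/50-cloud-init.conf"

# effective_setting FILE KEYWORD -> prints "<value> <file>" for the first
# match (sshd's first-obtained-value rule); returns 1 if the keyword is unset.
effective_setting() {
    file=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$k" = include ]; then
            shift
            for pat in "$@"; do
                for inc in $pat; do          # glob expands here, sorted
                    [ -f "$inc" ] || continue
                    # subshell keeps the recursion from clobbering $file
                    if res=$(effective_setting "$inc" "$key"); then
                        printf '%s\n' "$res"; return 0
                    fi
                done
            done
        elif [ "$k" = "$key" ]; then
            printf '%s %s\n' "${2:-}" "$file"; return 0
        fi
    done < "$file"
    return 1
}

effective_setting "$root/etc/ssh/sshd_config" PasswordAuthentication
```

On a real host the equivalent check is `sshd -T | grep -i passwordauthentication`, which prints the value sshd will actually use rather than what any one file says.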