This bug was fixed in the package openssh - 1:9.9p1-3ubuntu2
---
openssh (1:9.9p1-3ubuntu2) plucky; urgency=medium
* document /etc/ssh/sshd_config.d/*.conf better in sshd_config
(LP: #2088207)
- d/p/debian-config.patch: expand comment about configuration options
and pr
** Changed in: openssh (Ubuntu)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2088207
Title:
cloud-init enables ssh password auth in an unexpected config file
** Merge proposal linked:
https://code.launchpad.net/~enr0n/ubuntu/+source/openssh/+git/openssh/+merge/476801
** Changed in: cloud-init
Status: Unknown => New
** Changed in: openssh (Ubuntu)
Status: New => Triaged
** Changed in: openssh (Ubuntu)
Importance: Undecided => Medium
** Changed in: openssh (Ubuntu)
Assignee: (unassigned) => Nick Rosbrook (enr0n)
** Tags added: foundations-tidi
** Tags removed: foundations-tidi
** Tags added:
> the most technically advantageous and correct way to configure ssh
Agreed
> How is cloud-init making sure another file in sshd_config.d isn't
superseding its config?
It isn't. I just filed an upstream bug to track this as an issue - and
linked it above.
> sshd -T should be consulted, instead
I'm adding the openssh package to this bug, as the default configuration
file has a Debian/Ubuntu-specific include directory configured and I
think we should add an appropriate comment to inform the user that files
included in the directory may override the configuration items in
sshd_config. This w
Brett, I think Marc's 'only if cloud-init needs to overwrite the value
to "no"' was less about the existing sshd configuration (after all, if
cloud-init is running, did the configuration have meaningful values ten
seconds earlier?) and more about the user-data being explicit that
passwords should be
If you google "how to disable ssh password authentication", there are
pages and pages of instructions that instruct to modify sshd_config. I'm
not sure how to correct user expectations. Maybe adding more explicit
comments to sshd_config could be okay.
How is cloud-init making sure another file in
> Perhaps an acceptable solution could be to write the file only if
cloud-init needs to overwrite the value to "no", but if the value is
"yes", the openssh default, it shouldn't create the file.
This would require cloud-init to implement a parser which correctly
parses all of sshd's configuration
> > avoiding sshd_config.d altogether
> Why?
You have convinced me that sshd_config.d is the most technically
advantageous and correct way to configure ssh. It is not intuitive
though. That is why I am for lllf's second recommendation.
I like Marc's suggestion in addition to lllf's. We could i
Perhaps an acceptable solution could be to write the file only if cloud-
init needs to overwrite the value to "no", but if the value is "yes",
the openssh default, it shouldn't create the file. This would allow
continuing to use the .d directory, but would prevent confusion which
results in passwor
> avoiding sshd_config.d altogether
Why? Isn't this the entire point of the .d directory? The package
provides a default configuration. If another package or service (like
cloud-init) wants to change it, they should be dropping in an override
file. If cloud-init changes the config file it's less
When using the latest 24.04 server installer, it will ask if you want to
opt in to ssh. On opt in, the installer selects "Allow password
authentication over SSH" automatically, and can only be turned off if
the user provides a key.
So, between sshd_config (5) and subiquity's documentation, I no lo
While the override directory is documented, it is quite unexpected that
a default installation will make use of it, which is why this bug exists
in the first place.
Cheers to @jchittum for pointing out that ssh clearly documents
sshd_config.d
https://manpages.ubuntu.com/manpages/noble/en/man5/sshd_config.5.html
> /etc/ssh/sshd_config.d/*.conf files are included at the start of the
> configuration file, so
> options set there will override those in /etc/ssh/
** Description changed:
Last night secur...@ubuntu.com received a security report about cloud-init:
```
Hello
Most server admins are familiar with disabling password auth in
/etc/ssh/sshd_config.
However Ubuntu Server 24.04 when installed from the ISO
(https://ubuntu.com/download/se
```
Is there a reason cloud-init needs to create an override in the first
place, rather than changing the setting in the main file?