> the most technically advantageous and correct way to configure ssh

Agreed

> How is cloud-init making sure another file in sshd_config.d isn't superseding its config?

It isn't. I just filed an upstream bug to track this as an issue - and linked it above.

> sshd -T should be consulted, instead of trying to mimic what sshd -T does

Agreed, however ssh -G is more robust since -T is more likely to have failing tests.

> I'm adding the openssh package to this bug

Thanks! That approach sounds good to me.

Since the cloud-init (ubuntu) project exists to track issues in cloud-init on Ubuntu, I'm going to mark it as invalid for now. Feel free to change that back if you believe this to still be an issue with cloud-init.

** Bug watch added: github.com/canonical/cloud-init/issues #5879
   https://github.com/canonical/cloud-init/issues/5879

** Also affects: cloud-init via
   https://github.com/canonical/cloud-init/issues/5879
   Importance: Unknown
       Status: Unknown

** Changed in: cloud-init (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2088207

Title:
  cloud-init enables ssh password auth in an unexpected config file

Status in cloud-init:
  Unknown
Status in cloud-init package in Ubuntu:
  Invalid
Status in openssh package in Ubuntu:
  New

Bug description:

Last night secur...@ubuntu.com received a security report about cloud-init:

```
Hello

Most server admins are familiar with disabling password auth in
/etc/ssh/sshd_config. However Ubuntu Server 24.04 when installed from the
ISO (https://ubuntu.com/download/server) includes a new file
`/etc/ssh/sshd_config.d/50-cloud-init.conf`.

This means that disabling password auth in `/etc/ssh/sshd_config` does nothing:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    ^ Setting it to "no" does nothing

Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-init.conf`
which contains a single line:

    PasswordAuthentication yes

There is no documentation for server admins that this is necessary in
/etc/ssh/sshd_config, nor is this expected, and it will cause massive
security problems on upgrades in the future.

People are just discovering this behaviour now:

[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620

Recommendation:
1. Don't include this file by default
2. OR update sshd_config documentation so people know to check /etc/ssh/sshd_config.d/

lllf
```

@falcojr from cloud-init added that:

> this happens due to the subiquity installer setting passwordauthentication yes by default
> cloud-init writes any explicit configuration about ssh into sshd_config.d

To summarize:

Often `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When cloud-init is used, this value is set in `/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override `/etc/ssh/sshd_config`. If an admin is not aware of this additional config file or how sshd loads configs, they may unintentionally allow PasswordAuthentication.

My inclination is to opt for lllf's second recommendation and clearly document the additional config file. Possibly the header of /etc/ssh/sshd_config could include:

```
# Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
# configurations in sshd_config.d may override settings in this file
# such as overriding PasswordAuthentication to yes
```
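As an added illustration (not code from the bug thread, cloud-init or OpenSSH), the following Python resolver applies sshd's rule that the first obtained value of a keyword wins, expanding `Include` globs at the point they appear, to a constructed in-memory copy of the two files named above and reports which file actually sets `PasswordAuthentication`; the names `FILES`, `resolve` and `effective` are chosen here, and `Match` blocks are deliberately not modelled.

```python
import fnmatch
import posixpath

# Constructed stand-in for the files described in the report. Ubuntu's stock
# sshd_config begins with an Include of sshd_config.d/*.conf, so the drop-in
# is read before the "PasswordAuthentication no" line that follows it.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "# To disable tunneled clear text passwords, change to no here!\n"
        "PasswordAuthentication no\n"
        "KbdInteractiveAuthentication no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def resolve(files, path="/etc/ssh/sshd_config", seen=None):
    """Return {keyword: (value, file)} using sshd's first-obtained-value rule.

    Include patterns are expanded in sorted (glob) order at the point where the
    directive appears, as sshd(8) does; relative patterns are taken under
    /etc/ssh. Match blocks are not modelled (simplifying assumption).
    """
    seen = {} if seen is None else seen
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        key = key.lower()
        if key == "include":
            for pattern in rest:
                pattern = posixpath.join("/etc/ssh", pattern)  # no-op if absolute
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    resolve(files, inc, seen)
            continue
        seen.setdefault(key, (" ".join(rest), path))  # later duplicates ignored
    return seen


def effective(files, keyword):
    """Effective value of a keyword and the file that set it, or None if unset."""
    return resolve(files).get(keyword.lower())


if __name__ == "__main__":
    value, source = effective(FILES, "PasswordAuthentication")
    print(f"PasswordAuthentication {value}  (first set in {source})")
```

On a real host the authoritative answer is still `sshd -T | grep -i passwordauthentication`; this resolver only makes the precedence visible offline, including that a drop-in sorting before `50-cloud-init.conf` (for example `00-local.conf`) would win over it.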