PasswordAuthentication in sshd_config.d
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
portable OpenSSH | Unknown | Unknown | | |
openssh (Ubuntu) | Fix Released | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Lena Voytek | |
Bug Description
[Impact]
When using the "Match" phrase in sshd_config.d files, the configuration does not apply. This leads to failures in user-specific configurations such as with PasswordAuthent
The fix for this issue should be added to Focal to allow users to use Match as expected.
The bug is fixed by backporting an upstream commit that includes custom config files then runs all matches provided. It updates the function for reading in config files with checks for matches, and, if the correct flags are marked, the match will then be handled accordingly.
[Test Plan]
$ lxc launch images:ubuntu/focal test-ssh-focal
$ lxc exec test-ssh-focal bash
# apt update && apt upgrade -y
# apt install openssh-server
# adduser user
> ssh into container from another terminal to show pw auth is available by default. You can get the ip through 'ip addr' in the container or 'lxc list' outside.
$ ssh user@<container-ip>
user@<container
# cat <<EOF >/etc/ssh/
Match User user
PasswordAuthe
Match All
EOF
# systemctl restart sshd
> Check again in other terminal
$ ssh user@<container-ip>
> Before the fix, it will show:
user@<container
> After, it will show
user@<container
[Where problems could occur]
If problems were to occur, they would be in the interpretation of configuration files. All changes from this fix exist in servconf.c. The largest part of this change is a move from the inc_flags variable being an integer to an integer pointer, so problems could show up through changes to the flags in the pass by reference. Going over the change to pointer usage visually, all instances within the process_
[Other Info]
This issue has already been fixed in Jammy and later, as it was fixed in upstream version 8.4.
To use the PPA containing this fix, you can run:
$ sudo apt install -y software-
$ sudo add-apt-repository -y ppa:lvoytek/
$ sudo apt update
$ sudo apt upgrade -y
$ sudo systemctl restart sshd
[Original Description]
The stanza
Match User <username>
PasswordAuthen
in /etc/ssh/
The same stanza in /etc/ssh/
The Include in /etc/ssh/
/usr/sbin/sshd -D -ddd
shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSign
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
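Added example, not part of the bug report or of the OpenSSH or Ubuntu code: a shell audit that lists settings placed inside Match blocks in files pulled in by Include, the configuration pattern the description above says is not applied before the fix. The function names, the sample drop-in file and its `PasswordAuthentication no` value are constructed for illustration, and Include arguments are assumed to be absolute, unquoted paths or globs.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report: list settings that sit inside Match
# blocks in files pulled in via Include (the case this bug affects).
# Assumption: Include arguments are absolute paths or globs without quotes.

# included_files MAIN_CONFIG: print each existing file named by an Include line.
included_files() {
    awk 'tolower($1) == "include" { for (i = 2; i <= NF; i++) print $i }' "$1" |
    while read -r pattern; do
        for f in $pattern; do            # unquoted so the shell expands globs
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# match_settings FILE: print "FILE:LINE: Match <criteria> => <setting>" for each
# setting inside a Match block. A block runs to the next Match line or EOF;
# "Match All" ends conditional scope, so settings after it are not reported.
match_settings() {
    awk -v file="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match" {
            $1 = ""; sub(/^[ \t]+/, ""); crit = $0
            scoped = (tolower(crit) != "all"); next
        }
        scoped { sub(/^[ \t]+/, "")
                 printf "%s:%d: Match %s => %s\n", file, NR, crit, $0 }
    ' "$1"
}

# audit_included_matches MAIN_CONFIG: run match_settings over every included file.
audit_included_matches() {
    included_files "$1" | while read -r f; do match_settings "$f"; done
}

# make_sample DIR: write a constructed main config plus one drop-in file.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication yes\n' "$1" \
        > "$1/sshd_config"
    printf 'Match User user\n    PasswordAuthentication no\nMatch All\nX11Forwarding no\n' \
        > "$1/sshd_config.d/user.conf"
}

# With a readable file as argument (the main sshd_config), audit it.
if [ -n "${1:-}" ] && [ -f "$1" ]; then audit_included_matches "$1"; fi
```

Each line it prints is a Match-scoped setting in an included file, so it is a setting whose effect should be re-verified with a login test like the one in the test plan once the fixed package is installed.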
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 137 lines (+115/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/lp2012298-upstream-fix-match-in-d-config.patch (+106/-0)
debian/patches/series (+1/-0)
description: updated
description: updated
tags: added: verification-done-focal; removed: verification-needed-focal
tags: added: verification-done; removed: verification-needed
Thanks for taking the time to report this bug and trying to make Ubuntu better.
Could you please share your config files (anonymizing any necessary data)? The config file might be loaded but depending on the ordering and the content inside the config files the option you are setting can be overridden.
I am setting this bug to Incomplete until you have provided the requested information. Once that's done please set the bug status back to New.