ssh_pwauth: false fails to disable challenge/response authentication

Bug #1675021 reported by Florian Haas on 2017-03-22
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
cloud-init
Medium
Unassigned

Bug Description

cc_set_passwords.py interprets the ssh_pwauth boolean configuration option, and depending on its setting will either enable, disable, or not touch the PasswordAuthentication option in sshd_config.

This neglects to also set ChallengeResponseAuthentication. It defaults to yes upstream, but many distributions, including Ubuntu, ship a default sshd_config that sets this to no. On a system with "ChallengeResponseAuthentication yes" however, "ssh_pwauth: false" has no real effect — and this poses a security problem for users of those systems, as they will most likely inadvertently leave password authentication enabled.

How to best address this is tricky. Obviously, "ssh_pwauth: false" should disable both PasswordAuthentication and ChallengeResponseAuthentication. What "ssh_pwauth: true" should do is debatable.

What complicates matters still is that one of the affected systems that ship with "ChallengeResponseAuthentication yes" is SLES, including the official JeOS OpenStack image, and SLES ships its own fork of cloud-init. So even if this does gets fixed in upstream cloud-init, someone still has to remind the SUSE folks to merge the patch (or update their default image).

Florian Haas (fghaas) on 2017-03-22
description: updated
description: updated
Scott Moser (smoser) on 2017-03-29
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
Guilherme Moro (gmoro) on 2017-06-01
information type: Public → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers