Comment 0 for bug 1675021

cc_set_passwords.py interprets the ssh_pwauth boolean configuration option, and depending on its setting will either enable, disable, or not touch the PasswordAuthentication option in sshd_config.

This neglects to also set ChallengeResponseAuthentication. It defaults to Yes upstream, but many distributions, including Ubuntu, ship a default sshd_config that sets this to No. On a system with "ChallengeResponseAuthentication Yes" however, "ssh_pwauth: false" has no real effect — and this poses a security problem for users of those systems, as they will most likely inadvertently leave password authentication enabled.

How to best address this is tricky. Obviously, "ssh_pwauth: false" should disable both PasswordAuthentication and ChallengeResponseAuthentication. What "ssh_pwauth: true" should do is debatable.

What complicates matters still is that one of the affected systems that ship with "ChallengeResponseAuthentication Yes" is SLES, including the official JeOS OpenStack image, and SLES ships its own fork of cloud-init. So even if this does gets fixed in upstream cloud-init, someone still has to remind the SUSE folks to merge this patch.