Openssh default config has two PasswordAuthentication params

Bug #1887016 reported by Rulon Oboev
Affects: openssh (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

In Ubuntu server 20.04 the /etc/ssh/sshd_config file has an additional `PasswordAuthentication yes` string at the end.

It can lead to security problems, because there's already one string `# PasswordAuthentication yes` at the beginning of the file. It is supposed to be uncommented if it's needed to change the default value.

But if the user uncomments this string and sets it to "no", it will be overridden by the last line of the config.
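The report turns on how sshd resolves a keyword that appears more than once, so an added example is useful here. The script below is not part of the bug report or of the openssh package; it parses an sshd_config the way sshd_config(5) documents it, where the first obtained value for each keyword is the one used (a later duplicate is ignored rather than applied), expands Include directives in place (supported since OpenSSH 8.2, the release seen in this thread), and lists every shadowed line. The sample config, the drop-in file under /etc/ssh/sshd_config.d, the `Match User backup` block and the `fake_reader` helper are constructed for the demonstration.

```python
"""Audit an sshd_config for duplicate keywords and show which line wins.

Added example (not from the bug report). sshd_config(5): for each keyword the
FIRST obtained value is used, so later duplicates are dead, not overriding.
Include directives (OpenSSH 8.2+) are expanded in place, so a drop-in file
pulled in at the top of the main file wins over everything below it.
"""
import glob
import re
import shlex

# "Keyword value" or "Keyword=value"; keywords are case-insensitive
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def _disk_reader(pattern):
    """Default Include resolver: glob on disk, files in lexical order as sshd does."""
    out = []
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            out.append((path, fh.read()))
    return out


def _expand(text, origin, reader, depth=0):
    """Yield (origin, lineno, keyword, value) with Include expanded in place."""
    if depth > 16:
        raise ValueError("Include nesting too deep (loop?)")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "include":
            for pattern in shlex.split(value):
                for path, sub in reader(pattern):
                    yield from _expand(sub, path, reader, depth + 1)
        else:
            yield origin, lineno, keyword, value


def audit(text, origin="sshd_config", reader=None):
    """Return (winners, shadowed).

    winners:  {(keyword, ctx): (origin, lineno, value)}, ctx None = global section
    shadowed: [(keyword, ctx, origin, lineno, value, winner_origin, winner_lineno)]
    """
    reader = reader or _disk_reader
    winners, shadowed = {}, []
    ctx = None  # current Match condition, None outside any Match block
    for org, ln, kw, val in _expand(text, origin, reader):
        if kw == "match":
            ctx = None if val.lower() == "all" else val
            continue
        key = (kw, ctx)
        if key in winners:          # first value already set: this line is dead
            w = winners[key]
            shadowed.append((kw, ctx, org, ln, val, w[0], w[1]))
        else:
            winners[key] = (org, ln, val)
    return winners, shadowed


def effective(text, keyword, origin="sshd_config", reader=None):
    """Global effective value of a keyword (Match blocks excluded), or None."""
    winners, _ = audit(text, origin, reader)
    hit = winners.get((keyword.lower(), None))
    return None if hit is None else hit[2]


# ---- constructed sample mirroring the layout described in the report ----
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
# Constructed drop-in file; the path and contents are assumptions.
SAMPLE_DROPINS = {"/etc/ssh/sshd_config.d/*.conf": [
    ("/etc/ssh/sshd_config.d/50-constructed.conf", "PasswordAuthentication yes\n"),
]}


def fake_reader(pattern):
    """Include resolver for the constructed sample (no disk access)."""
    return SAMPLE_DROPINS.get(pattern, [])


if __name__ == "__main__":
    _, dead = audit(SAMPLE_MAIN, reader=fake_reader)
    for kw, ctx, org, ln, val, worg, wln in dead:
        where = f" inside 'Match {ctx}'" if ctx else ""
        print(f"{org}:{ln}: '{kw} {val}' ignored{where}; first set at {worg}:{wln}")
    print("effective PasswordAuthentication:",
          effective(SAMPLE_MAIN, "PasswordAuthentication", reader=fake_reader))
```

Run against the constructed sample, the `no` on line 3 of the main file is reported as ignored because the included drop-in set `PasswordAuthentication yes` first; with no drop-in present, line 3 wins and the trailing `yes` on line 6 is the dead one. On a real host the authoritative check is `sshd -T` (as root), which prints the configuration sshd will actually apply, and `sshd -T -C user=backup` evaluates Match blocks for a given connection; the script is for explaining why a particular value won.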

description: updated
Seth Arnold (seth-arnold) wrote :

Hello Rulon, can you please double-check where your openssh-server package came from? I don't have this "PasswordAuthentication yes" in any of my 20.04 systems, and a very quick look at the current package doesn't show this:

$ apt-get download openssh-server
Get:1 http://wopr.domain/ubuntu focal-updates/main amd64 openssh-server amd64 1:8.2p1-4ubuntu0.1 [377 kB]
Fetched 377 kB in 0s (1,097 kB/s)
$ mkdir openssh-server
$ cd openssh-server
$ ar x ../openssh-server_1%3a8.2p1-4ubuntu0.1_amd64.deb
$ tar xf control.tar.xz
$ tar xf data.tar.xz
$ grep -r "PasswordAuthentication yes"
usr/share/openssh/sshd_config:#PasswordAuthentication yes

Of the versions of openssh that are on my local archive mirror, none of the sshd_config files had this line uncommented:

$ rg "PasswordAuthentication yes" -g '**/sshd_config'
openssh_5.9p1-5ubuntu1.10/sshd_config
64:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.9/sshd_config
72:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.10/sshd_config
72:#PasswordAuthentication yes

openssh_6.6p1-2ubuntu1/sshd_config
73:#PasswordAuthentication yes

openssh_5.9p1-5ubuntu1/sshd_config
64:#PasswordAuthentication yes

openssh_8.0p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_8.0p1-6ubuntu0.1/sshd_config
56:#PasswordAuthentication yes

openssh_6.6p1-2ubuntu2.13/sshd_config
73:#PasswordAuthentication yes

openssh_7.7p1-4ubuntu0.3/sshd_config
56:#PasswordAuthentication yes

openssh_7.7p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4ubuntu0.1/sshd_config
58:#PasswordAuthentication yes

openssh_7.6p1-4ubuntu0.3/sshd_config
56:#PasswordAuthentication yes

openssh_7.6p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.8/sshd_config
72:#PasswordAuthentication yes

openssh_8.3p1-1/sshd_config
58:#PasswordAuthentication yes

openssh_8.1p1-5/sshd_config
56:#PasswordAuthentication yes

openssh_7.6p1-4ubuntu0.4/sshd_config
56:#PasswordAuthentication yes

openssh_7.9p1-10/sshd_config
56:#PasswordAuthentication yes

openssh_7.2p2-4/sshd_config
72:#PasswordAuthentication yes

openssh_8.0p1-4build1/sshd_config
56:#PasswordAuthentication yes

openssh_8.0p1-6build1/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4ubuntu1/sshd_config
58:#PasswordAuthentication yes

openssh_8.1p1-1/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4/sshd_config
58:#PasswordAuthentication yes

How was this system installed? Was it customized by an ISP or cloud provider? Were any programs installed outside of the Ubuntu Archive that might have such a configuration change as part of an install script?

Thanks

Changed in openssh (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Rulon Oboev (rulon-oboev) wrote :

I've made a clean installation on my desktop from the .iso downloaded from ubuntu.com (also re-checked on VirtualBox). No additional packages or updates were installed.

Ubuntu Desktop config is OK though.

Maybe the problem is not in the openssh package, but in some postinstall or cloud-init scripts that change the config file after OS installation?

Lucas Kanashiro (lucaskanashiro) wrote :

I launched a VM locally and I also was not able to find what you mentioned. Not sure what might have happened to make you get to this state.

Rulon Oboev (rulon-oboev) wrote :

What image are you using?

I've got the same problem with 20.04-live-server-amd64.iso (https://releases.ubuntu.com/20.04/ubuntu-20.04-live-server-amd64.iso)

Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.