[Bug 1922212] Re: SSHD does not honor configuration files
Utkarsh Gupta
1922212 at bugs.launchpad.net
Fri Apr 2 22:32:29 UTC 2021
Hello Jerrey,
Thank you for taking the time to file a bug and making the Ubuntu server
better.
It's a bit upsetting that you're hitting this bug. Can you share your
entire conf, please? This would help me better analyze the problem and
help me reproduce it.
While at it, could you also help me by providing steps to reproduce this
easily? I can make out the issue but having straightforward steps
written will help me debug this fast enough.
That said, I found a link to Stack Exchange that might help: https://unix.stackexchange.com/questions/218034/disabling-ssh-password-authentication-does-not-work-on-my-debian-vps
Let me know if it helps? Also, does restarting sshd help?
I am marking this bug as "Incomplete" for now. Once you provide the
necessary details, please mark it back to "New" and then we can take a
look and help debug further. Thanks! :)
** Changed in: openssh (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1922212
Title:
SSHD does not honor configuration files
Status in openssh package in Ubuntu:
Incomplete
Bug description:
I'm working on Ubuntu 20, x86_64, fully patched.
# lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
...
We are seeing reports of failed password-based logins using root:
journalctl -xe
...
Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
...
There are three attempts every second or two (literally):
# journalctl -xe | grep -i -c 'Failed password for root'
324
Our OpenSSH server is configured with both no-password based logins
and no-root logins.
# ls /etc/ssh/sshd_config.d/
10_pubkey_auth.conf 20_disable_root_login.conf
# cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# Enable public key
PubkeyAuthentication yes
# cat /etc/ssh/sshd_config.d/20_disable_root_login.conf
PermitRootLogin no
The config files are included last in our /etc/ssh/sshd_config file:
# tail -n 3 /etc/ssh/sshd_config
# For some reason OpenSSH does not include additional conf files by default.
Include /etc/ssh/sshd_config.d/*.conf
I dislike modifying /etc/ssh/sshd_config since it will be overwritten
by the distro. With that said, I modified it without success.
It really annoys me that we can't secure this service. Something looks
very broken here.
-----
# apt-cache show openssh-server
Package: openssh-server
Architecture: amd64
Version: 1:8.2p1-4ubuntu0.2
Multi-Arch: foreign
Priority: optional
Section: net
Source: openssh
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212/+subscriptions
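One thing worth checking with a layout like the one in the bug description: sshd uses the first value it obtains for each keyword, so an `Include` placed last cannot override a keyword already set earlier in the main file. The sketch below is an added example, not part of the bug report or of OpenSSH; the resolver, the earlier `PasswordAuthentication yes` / `UsePAM yes` lines and the temporary paths are constructed for illustration, and `Match` blocks are ignored.

```python
import glob
import os
import tempfile

def effective_settings(path, seen=None):
    """Resolve global sshd_config keywords the way sshd does: the first value
    obtained for a keyword wins, and Include globs expand in lexical order.
    Returns {keyword_lowercase: (value, file, line_number)}."""
    seen = {} if seen is None else seen
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "match":
                break  # simplification: only the global section is resolved
            if keyword == "include":
                for pattern in value.split():
                    # Assumption: relative patterns resolve beside the including
                    # file (on a real host sshd resolves them under /etc/ssh).
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(os.path.dirname(path), pattern)
                    for inc in sorted(glob.glob(pattern)):
                        effective_settings(inc, seen)
                continue
            seen.setdefault(keyword, (value, path, lineno))
    return seen

def build_sample(root, include_first):
    """Write a constructed config tree under root; return the main file path."""
    dropin = os.path.join(root, "sshd_config.d")
    os.makedirs(dropin)
    with open(os.path.join(dropin, "10_pubkey_auth.conf"), "w") as fh:
        fh.write("PasswordAuthentication no\nUsePAM no\n")
    with open(os.path.join(dropin, "20_disable_root_login.conf"), "w") as fh:
        fh.write("PermitRootLogin no\n")
    include = "Include %s/*.conf\n" % dropin
    body = "PasswordAuthentication yes\nUsePAM yes\n"  # constructed earlier lines
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write(include + body if include_first else body + include)
    return main

def demo(include_first):
    with tempfile.TemporaryDirectory() as root:
        found = effective_settings(build_sample(root, include_first))
        return {k: v[0] for k, v in found.items()}

if __name__ == "__main__":
    print("Include last :", demo(False))
    print("Include first:", demo(True))
```

On a live host, `sshd -T` (run as root) prints the configuration sshd actually resolved, which can be compared against the drop-in files.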