[Bug 1970585] Re: Logic for PermitRootLogin in config script is flipped
Dominik Zäuner
1970585 at bugs.launchpad.net
Wed Apr 27 10:29:38 UTC 2022
** Information type changed from Private Security to Public Security
** Description changed:
In the config script of openssh-server, the debconf database is updated
with the values that are read from sshd_config.
But if I'm not mistaken the yes/no logic is flipped:
if [ "$permit_root_login" = yes ]; then
- db_set openssh-server/permit-root-login false
+ db_set openssh-server/permit-root-login false
else
- db_set openssh-server/permit-root-login true
+ db_set openssh-server/permit-root-login true
fi
Discovered this in openssh-server 7.6p1-4ubuntu0.5 on Ubuntu 18.04.5
LTS. Checked that this still unchcanged in 8.9p1-3 on jammy.
- I marked this a vulnerability as this might lead to unintend flipped
+ I marked this a vulnerability as this might lead to unintended flipped
settings of permitting root to log in.
--
https://bugs.launchpad.net/bugs/1970585
Title:
Logic for PermitRootLogin in config script is flipped
Status in openssh package in Ubuntu:
New
Bug description:
In the config script of openssh-server, the debconf database is
updated with the values that are read from sshd_config.
But if I'm not mistaken the yes/no logic is flipped:
    if [ "$permit_root_login" = yes ]; then
        db_set openssh-server/permit-root-login false
    else
        db_set openssh-server/permit-root-login true
    fi
Discovered this in openssh-server 7.6p1-4ubuntu0.5 on Ubuntu 18.04.5
LTS. Checked that this is still unchanged in 8.9p1-3 on jammy.
I marked this a vulnerability as this might lead to unintended flipped
settings of permitting root to log in.
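The branch quoted in the report can be exercised against sample configurations to see which boolean it stores for each PermitRootLogin setting. The script below is an added example, not code from the openssh package or from the reporter: the function names and sample configs are constructed here, and how the package's own script reads sshd_config is not shown in this report. Whether a stored true means root login is permitted or restricted depends on the wording of the debconf template question, which the report does not quote.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the openssh package.

# Print the global PermitRootLogin value of an sshd_config file.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Settings inside a Match block are conditional, so
# parsing stops at the first Match line. Plain "Keyword value" form only.
get_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == "permitrootlogin" { print $2; exit }
    ' "$1"
}

# Same branch as the snippet in the report, printing the boolean that
# would be passed to db_set instead of calling debconf.
debconf_value_for() {
    if [ "$1" = yes ]; then
        echo false
    else
        echo true
    fi
}

# Show "setting -> stored boolean" for one config file.
sync_preview() {
    value=$(get_permit_root_login "$1")
    printf '%s -> %s\n' "${value:-unset}" "$(debconf_value_for "$value")"
}

# Constructed sample configs, written to a temporary file.
tmp=$(mktemp)
for setting in yes no prohibit-password; do
    printf 'Port 22\nPermitRootLogin %s\n' "$setting" > "$tmp"
    sync_preview "$tmp"
done
printf 'Port 22\nMatch User admin\nPermitRootLogin yes\n' > "$tmp"
sync_preview "$tmp"    # no global setting
rm -f "$tmp"
```

Only an explicit `yes` stores false; `no`, `prohibit-password` and an absent global setting all store true, so the stored boolean alone cannot tell those cases apart.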