[Bug 1982482] [NEW] SSH password login not attempted/denied
Martin Pitt
1982482 at bugs.launchpad.net
Thu Jul 21 11:35:52 UTC 2022
Public bug reported:

I am in the process of updating our CI for Cockpit to kinetic [1]. I get
a lot of test failures because SSH password login is broken.

This can be replicated with a clean cloud instance, so it's not
something that our VM build scripts do:

  curl -L -O https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
  # nothing fancy, just admin:foobar and root:foobar
  curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso

Boot the image:

  qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22

For some reason that doesn't create an "admin" user. So log into VT as
root:foobar and create a user:

  adduser test1

Now, inside the VM VT:

  root@ubuntu:~# ssh user1@localhost
  user1@localhost: Permission denied (publickey).

The same happens when trying to ssh from outside:

  ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost
  user1@localhost: Permission denied (publickey).

It does not seem to even *attempt* password auth:

  ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost 2>&1|grep -i method
  debug1: Next authentication method: publickey
  debug2: we did not send a packet, disable method
  debug1: No more authentication methods to try.

... like it would to other OSes:

  debug1: Next authentication method: keyboard-interactive

Password authentication is enabled by default:

  $ grep -i password /etc/ssh/sshd_config
  #PermitRootLogin prohibit-password
  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  # Change to yes to enable challenge-response passwords (beware issues with
  # PasswordAuthentication. Depending on your PAM configuration,
  # the setting of "PermitRootLogin without-password".
  # PAM authentication, then enable this but set PasswordAuthentication
  PasswordAuthentication yes

[1] https://github.com/cockpit-project/bots/pull/3641 and
https://github.com/cockpit-project/cockpit/pull/17582
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: openssh-server 1:9.0p1-1
** Affects: openssh (Ubuntu)
Importance: High
Status: New
** Affects: openssh (Ubuntu Kinetic)
Importance: High
Status: New
** Tags: kinetic regression-release
https://bugs.launchpad.net/bugs/1982482
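
Added example, not part of the original report or of OpenSSH: the grep in the report reads only /etc/ssh/sshd_config, while sshd_config(5) says the first value obtained for a keyword is used, and that includes values from files pulled in by Include. The script below resolves a keyword that way over a constructed sample tree; the function names and the drop-in file name are assumptions made for the example, and nothing here claims to be the cause of this bug.

```shell
#!/bin/sh
# Added example. Match blocks and quoted arguments are not handled.
# flatten_sshd_config FILE BASE
# Print "file<TAB>line" for every line of FILE, replacing each Include with
# the files its glob matches, in place and in glob order. Relative Include
# paths are resolved against BASE (sshd itself uses /etc/ssh).
flatten_sshd_config() (   # subshell body keeps variables local per call
    file=$1 base=$2
    [ -r "$file" ] || exit 0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split into words without globbing
        if [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for inc in $pat; do       # unquoted on purpose: glob expands
                    if [ -f "$inc" ]; then flatten_sshd_config "$inc" "$base"; fi
                done
            done
        else
            printf '%s\t%s\n' "$file" "$line"
        fi
    done < "$file"
)

# effective_sshd_option KEYWORD FILE [BASE]
# Print "value<TAB>file" for the first uncommented occurrence of KEYWORD.
effective_sshd_option() {
    flatten_sshd_config "$2" "${3:-/etc/ssh}" | awk -v key="$1" '
        found { next }
        {
            file = $0; sub(/\t.*/, "", file)
            line = $0; sub(/^[^\t]*\t[ \t]*/, "", line)
            n = split(line, w, /[ \t=]+/)
            if (n >= 2 && tolower(w[1]) == tolower(key)) {
                print w[2] "\t" file; found = 1
            }
        }'
}

# Constructed tree: the main file says "yes", a drop-in read first says "no".
demo() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/60-constructed.conf"
    effective_sshd_option PasswordAuthentication "$d/sshd_config" "$d" | cut -f1
    rm -rf "$d"
}
demo
```

On a live system, running sshd -T as root prints the configuration the daemon would actually use, which is the authoritative check.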