[Bug 1982482] Re: SSH password login not attempted/denied
Martin Pitt
1982482 at bugs.launchpad.net
Thu Jul 21 11:38:36 UTC 2022
I set LogLevel=DEBUG in /etc/ssh/sshd_config, systemctl restart sshd,
and I'm none the wiser:
debug1: Forked child 1652.
debug1: Set /proc/self/oom_score_adj to 0
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 127.0.0.1 port 45396 on 127.0.0.1 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Ubuntu-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0p1 Ubuntu-1
debug1: compat_banner: match: OpenSSH_9.0p1 Ubuntu-1 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 109/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user user1 service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "user1"
debug1: PAM: setting PAM_RHOST to "127.0.0.1"
debug1: PAM: setting PAM_TTY to "ssh"
Connection closed by authenticating user user1 127.0.0.1 port 45396 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 1653
debug1: audit_event: unhandled event 12
again, no trace of password/keyboard authentication.
Note that this is the same openssh package version that we've had in
Debian testing for three months, and that works just fine. So possibly
some broken PAM config?
** Description changed:
I am in the process of updating our CI for Cockpit to kinetic [1]. I get
a lot of test failures because SSH password login is broken.
This can be replicated with a clean cloud instance, so it's not
something that our VM build scripts do:
- curl -L -O https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
- # nothing fancy, just admin:foobar and root:foobar
- curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso
+ curl -L -O https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
+ # nothing fancy, just admin:foobar and root:foobar
+ curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso
Boot the image:
- qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22
+ qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22
For some reason that doesn't create an "admin" user. So log into VT as
root:foobar and create a user:
- adduser test1
+ adduser test1
Now, inside the VM VT:
- root at ubuntu:~# ssh user1 at localhost
- user1 at localhost: Permission denied (publickey).
+ root at ubuntu:~# ssh user1 at localhost
+ user1 at localhost: Permission denied (publickey).
The same happens when trying to ssh from outside:
- ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1 at localhost
- user1 at localhost: Permission denied (publickey).
+ ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1 at localhost
+ user1 at localhost: Permission denied (publickey).
It does not seem to even *attempt* password auth:
- ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1 at localhost 2>&1|grep -i method
- debug1: Next authentication method: publickey
- debug2: we did not send a packet, disable method
- debug1: No more authentication methods to try.
+ ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1 at localhost 2>&1|grep -i method
+ debug1: Next authentication method: publickey
+ debug2: we did not send a packet, disable method
+ debug1: No more authentication methods to try.
... like it would to other OSes:
- debug1: Next authentication method: keyboard-interactive
+ debug1: Next authentication method: keyboard-interactive
Password authentication is enabled by default:
- $ grep -i password /etc/ssh/sshd_config
+ $ grep -i password /etc/ssh/sshd_config
- #PermitRootLogin prohibit-password
- # To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
- # Change to yes to enable challenge-response passwords (beware issues with
- # PasswordAuthentication. Depending on your PAM configuration,
- # the setting of "PermitRootLogin without-password".
- # PAM authentication, then enable this but set PasswordAuthentication
- PasswordAuthentication yes
+ #PermitRootLogin prohibit-password
+ # To disable tunneled clear text passwords, change to no here!
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
+ # Change to yes to enable challenge-response passwords (beware issues with
+ # PasswordAuthentication. Depending on your PAM configuration,
+ # the setting of "PermitRootLogin without-password".
+ # PAM authentication, then enable this but set PasswordAuthentication
+ PasswordAuthentication yes
+
+ [1] https://github.com/cockpit-project/bots/pull/3641 and
+ https://github.com/cockpit-project/cockpit/pull/17582
-
- [1] https://github.com/cockpit-project/bots/pull/3641 and https://github.com/cockpit-project/cockpit/pull/17582
+ ProblemType: Bug
+ DistroRelease: Ubuntu 22.10
+ Package: openssh-server 1:9.0p1-1
** Also affects: openssh (Ubuntu Kinetic)
Importance: High
Status: New
https://bugs.launchpad.net/bugs/1982482
Title:
SSH password login not attempted/denied
Status in openssh package in Ubuntu:
New
Status in openssh source package in Kinetic:
New
Bug description:
I am in the process of updating our CI for Cockpit to kinetic [1]. I
get a lot of test failures because SSH password login is broken.
This can be replicated with a clean cloud instance, so it's not
something that our VM build scripts do:
curl -L -O https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
# nothing fancy, just admin:foobar and root:foobar
curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso
Boot the image:
qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22
For some reason that doesn't create an "admin" user. So log into VT as
root:foobar and create a user:
adduser test1
Now, inside the VM VT:
root@ubuntu:~# ssh user1@localhost
user1@localhost: Permission denied (publickey).
The same happens when trying to ssh from outside:
❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost
user1@localhost: Permission denied (publickey).
It does not seem to even *attempt* password auth:
❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost 2>&1|grep -i method
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
... like it would to other OSes:
debug1: Next authentication method: keyboard-interactive
Password authentication is enabled by default:
$ grep -i password /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# PasswordAuthentication. Depending on your PAM configuration,
# the setting of "PermitRootLogin without-password".
# PAM authentication, then enable this but set PasswordAuthentication
PasswordAuthentication yes
[1] https://github.com/cockpit-project/bots/pull/3641 and
https://github.com/cockpit-project/cockpit/pull/17582
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: openssh-server 1:9.0p1-1
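Added example, not part of the bug report: the grep above shows what one file contains, while `sshd -T` prints the configuration sshd actually applies, and the client's "Authentications that can continue" line shows which methods the server offered. The sketch below combines the two; the function names, verdict words and both sample inputs are constructed for illustration and do not represent the cause established for this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): classify why password login was
# never attempted, using client-side and server-side evidence.

# Constructed sample: `ssh -vv` client output. The "Authentications that can
# continue" line carries the list of methods the server offered.
sample_client_log() { cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
EOF
}

# Constructed sample: excerpt of `sshd -T` output (effective config, lowercase keys).
sample_effective_config() { cat <<'EOF'
usepam yes
passwordauthentication no
kbdinteractiveauthentication no
EOF
}

# Print the method list the server offered (first occurrence on stdin).
offered_methods() {
    awk -F': ' '/Authentications that can continue:/ { print $3; exit }'
}

# Print the effective value of keyword $1 from `sshd -T` output on stdin.
effective_setting() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# $1 = client log text, $2 = `sshd -T` text. Prints one verdict word.
diagnose() {
    offered=$(printf '%s\n' "$1" | offered_methods)
    pw=$(printf '%s\n' "$2" | effective_setting passwordauthentication)
    kbd=$(printf '%s\n' "$2" | effective_setting kbdinteractiveauthentication)
    case ",$offered," in
        *,password,*|*,keyboard-interactive,*) echo offered; return 0 ;;
    esac
    if [ "$pw" = no ] && [ "$kbd" = no ]; then
        echo disabled-in-effective-config   # sshd itself reports both methods off
    else
        echo enabled-but-not-offered        # check Match blocks, AuthenticationMethods, PAM
    fi
}

diagnose "$(sample_client_log)" "$(sample_effective_config)"
```

On a real host the two inputs would come from `ssh -vv ... 2>&1` on the client and `sshd -T` run as root on the server.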