[Bug 2088207] Re: cloud-init enables ssh password auth in an unexpected config file
Marc Deslauriers
2088207 at bugs.launchpad.net
Thu Nov 14 23:37:38 UTC 2024
I'm adding the openssh package to this bug, as the default configuration
file has a Debian/Ubuntu-specific include directory configured and I
think we should add an appropriate comment to inform the user that files
included in the directory may override the configuration items in
sshd_config. This wouldn't be something added by cloud-init, but
something shipped in the openssh package itself.
Perhaps something like:
----
# The files included in the following directory may contain options
# that override the options in the current file. Configuration tools
# such as cloud-init may populate this directory in a default
# installation.
Include /etc/ssh/sshd_config.d/*.conf
----
** Also affects: openssh (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2088207
Title:
cloud-init enables ssh password auth in an unexpected config file
Status in cloud-init package in Ubuntu:
New
Status in openssh package in Ubuntu:
New
Bug description:
Last night security at ubuntu.com received a security report about cloud-init:
```
Hello
Most server admins are familiar with disabling password auth in /etc/ssh/sshd_config.
However Ubuntu Server 24.04 when installed from the ISO (https://ubuntu.com/download/server)
includes a new file `/etc/ssh/sshd_config.d/50-cloud-init.conf`.
This means that disabling password auth in `/etc/ssh/sshd_config` does
nothing:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
^ Setting it to "no" does nothing
Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-init.conf` which contains a single line:
PasswordAuthentication yes
There is no documentation for server admins that this is necessary in
/etc/ssh/sshd_config nor is this expected and will cause massive
security problems as upgrade in the future. People are just
discovering this behaviour now:
[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620
Recommendation:
1. Don't include this file by default
2. OR update sshd_config documentation so people know to check /etc/ssh/sshd_config.d/
lllf
```
@falcojr from cloud-init added that:
> this happens due to the subiquity installer setting passwordauthentication yes by default
> cloud-init writes any explicit configuration about ssh into sshd_config.d
To summarize:
Often `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When cloud-init is used, this value is set in `/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override `/etc/ssh/sshd_config`. If an admin is not aware of this additional config file or how sshd loads configs, they may unintentionally allow PasswordAuthentication.
My inclination is to opt for lllf's second recommendation and clearly document the additional config file. Possibly the header of /etc/ssh/sshd_config could include:
```
# Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
# configurations in sshd_config.d may override settings in this file
# such as overriding PasswordAuthentication to yes
```
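The override behaviour summarized above, as an added example that is not part of the bug report, openssh or cloud-init: a hypothetical POSIX sh helper (`effective_sshd_option`) that resolves a keyword the way sshd does, first occurrence wins with `Include` expanded in place, and reports which file and line set it. It assumes the Ubuntu 24.04 layout from the report and rebuilds a constructed copy of it in a scratch directory; Match blocks and the `Keyword=value` spelling are not handled, so `sshd -T` remains the authoritative check on a real host.

```shell
# Hypothetical helper, not from openssh or cloud-init: resolve the effective
# value of an sshd keyword the way sshd(8) does. The first occurrence wins and
# an Include is expanded in place, so a drop-in pulled in near the top of
# sshd_config beats the same keyword set further down in sshd_config itself.
# Prints "<value> <file>:<line>" for keyword $2 starting at file $1, else exits 1.
_scan_file() {
    set -f                      # no pathname expansion while splitting lines
    _file=$1; _want=$2; _n=0
    [ -r "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _line=${_line%%#*}      # drop comments
        set -- $_line           # $1 = keyword, $2... = arguments
        [ $# -ge 1 ] || continue
        _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$_key" in
            match) return 1 ;;  # rest of this file is conditional: stop here
            include)
                shift           # remaining args are Include patterns, globbed sorted like sshd
                _res=$(set +f
                    for _pat in "$@"; do
                        case "$_pat" in /*) ;; *) _pat="/etc/ssh/$_pat" ;; esac
                        for _inc in $_pat; do
                            [ -f "$_inc" ] && ( _scan_file "$_inc" "$_want" ) && exit 0
                        done
                    done; exit 1) && { printf '%s\n' "$_res"; return 0; } ;;
            "$_want") printf '%s %s:%s\n' "$2" "$_file" "$_n"; return 0 ;;
        esac
    done < "$_file"
    return 1
}
# Entry point: effective_sshd_option /etc/ssh/sshd_config PasswordAuthentication
effective_sshd_option() {
    ( _scan_file "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ) || echo "unset (sshd default applies)"
}
# Constructed copy of the layout from the report, built in a scratch directory.
demo() {
    _d=$(mktemp -d); mkdir "$_d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n\n# admin edit:\nPasswordAuthentication no\n' "$_d" > "$_d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$_d/sshd_config.d/50-cloud-init.conf"
    echo "with drop-in:    $(effective_sshd_option "$_d/sshd_config" PasswordAuthentication)"
    rm "$_d/sshd_config.d/50-cloud-init.conf"
    echo "drop-in removed: $(effective_sshd_option "$_d/sshd_config" PasswordAuthentication)"
    rm -r "$_d"
}
demo
```

The demo prints `yes .../sshd_config.d/50-cloud-init.conf:1` while the drop-in exists and `no .../sshd_config:4` once it is removed, which is exactly the surprise the report describes.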