
yahoo-eng-team team mailing list archive

[Bug 1675021] Re: ssh_pwauth: false fails to disable challenge/response authentication


Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/2837

** Bug watch added: github.com/canonical/cloud-init/issues #2837
   https://github.com/canonical/cloud-init/issues/2837

** Changed in: cloud-init
       Status: Confirmed => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1675021

Title:
  ssh_pwauth: false fails to disable challenge/response authentication

Status in cloud-init:
  Expired

Bug description:
  cc_set_passwords.py interprets the ssh_pwauth boolean configuration
  option, and depending on its setting will either enable, disable, or
  not touch the PasswordAuthentication option in sshd_config.

  This neglects to also set ChallengeResponseAuthentication. It defaults
  to yes upstream, but many distributions, including Ubuntu, ship a
  default sshd_config that sets this to no. On a system with
  "ChallengeResponseAuthentication yes" however, "ssh_pwauth: false" has
  no real effect — and this poses a security problem for users of those
  systems, as they will most likely inadvertently leave password
  authentication enabled.

  How to best address this is tricky. Obviously, "ssh_pwauth: false"
  should disable both PasswordAuthentication and
  ChallengeResponseAuthentication. What "ssh_pwauth: true" should do is
  debatable.

  What complicates matters still is that one of the affected systems
  that ship with "ChallengeResponseAuthentication yes" is SLES,
  including the official JeOS OpenStack image, and SLES ships its own
  fork of cloud-init. So even if this does get fixed in upstream cloud-init,
  someone still has to remind the SUSE folks to merge the patch (or update
  their default image).

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1675021/+subscriptions
