yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94874
[Bug 2088207] Re: cloud-init enables ssh password auth in an unexpected config file
> the most technically advantageous and correct way to configure ssh
Agreed
> How is cloud-init making sure another file in sshd_config.d isn't
superseding its config?
It isn't. I just filed an upstream bug to track this as an issue - and
linked it above.
> sshd -T should be consulted, instead of trying to mimic what sshd -T
does
Agreed, however ssh -G is more robust since -T is more likely to have
failing tests.
> I'm adding the openssh package to this bug
Thanks! That approach sounds good to me.
Since the cloud-init (ubuntu) project exists to track issues in cloud-
init on Ubuntu, I'm going to mark it as invalid for now. Feel free to
change that back if you believe this to still be an issue with cloud-
init.
** Bug watch added: github.com/canonical/cloud-init/issues #5879
https://github.com/canonical/cloud-init/issues/5879
** Also affects: cloud-init via
https://github.com/canonical/cloud-init/issues/5879
Importance: Unknown
Status: Unknown
** Changed in: cloud-init (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/2088207
Title:
cloud-init enables ssh password auth in an unexpected config file
Status in cloud-init:
Unknown
Status in cloud-init package in Ubuntu:
Invalid
Status in openssh package in Ubuntu:
New
Bug description:
Last night security@xxxxxxxxxx received a security report about cloud-init:
```
Hello
Most server admins are familiar with disabling password auth in /etc/ssh/sshd_config.
However Ubuntu Server 24.04 when installed from the ISO (https://ubuntu.com/download/server)
includes a new file `/etc/ssh/sshd_config.d/50-cloud-init.conf`.
This means that disabling password auth in `/etc/ssh/sshd_config` does
nothing:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
^ Setting it to "no" does nothing
Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-
init.conf` which contains a single line:
PasswordAuthentication yes
There is no documentation for server admins that this is necessary in
/etc/ssh/sshd_config nor is this expected and will cause massive
security problems as upgrade in the future. People are just
discovering this behaviour now:
[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620
Recommendation:
1. Don't include this file by default
2. OR update sshd_config documentation so people know to check /etc/ssh/ssd_config.d/
lllf
```
@falcojr from cloud-init added that:
> this happens due to the subiquity installer setting passwordauthentication yes by default
> cloud-init writes any explicit configuration about ssh into sshd_config.d
To summarize:
Often `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When cloud-init is used, this value is set in `/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override `/etc/ssh/sshd_config`. If an admin is not aware of this additional config file or how sshd loads configs, they may unintentionally allow PasswordAuthentication.
My inclination is to opt for lllf's second recommendation and clearly document the additional config file. Possibly the header of /etc/ssh/sshd_config could include:
```
# Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
# configurations in sshd_config.d may override settings in this file
# such as overriding PasswordAuthentication to yes
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/2088207/+subscriptions
