yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2088207] Re: cloud-init enables ssh password auth in an unexpected config file

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <2088207@xxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Nov 2024 23:16:15 -0000
Reply-to: Bug 2088207 <2088207@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package openssh - 1:9.9p1-3ubuntu2

---------------
openssh (1:9.9p1-3ubuntu2) plucky; urgency=medium

  * document /etc/ssh/sshd_config.d/*.conf better in sshd_config
    (LP: #2088207)
    - d/p/debian-config.patch: expand comment about configuration options
      and precedence of configuration snippets
    - d/openssh-server.ucf-md5sum: update for new sshd_config comments
    - d/p/sshd-socket-generator.patch: refresh for sshd_config comment
  * d/t/systemd-socket-activation: add wait while unit is reloading
    This avoids a race condition where we sometimes fail the assertion
    that ActiveState=active after systemctl reload.
    (LP: #2089049)

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Tue, 19 Nov 2024 12:06:14 -0500

** Changed in: openssh (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/2088207

Title:
  cloud-init enables ssh password auth in an unexpected config file

Status in cloud-init:
  New
Status in cloud-init package in Ubuntu:
  Invalid
Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  Last night security@xxxxxxxxxx received a security report about cloud-init:
  ```
  Hello

  Most server admins are familiar with disabling password auth in /etc/ssh/sshd_config.
  However Ubuntu Server 24.04 when installed from the ISO (https://ubuntu.com/download/server)
   includes a new file `/etc/ssh/sshd_config.d/50-cloud-init.conf`.

  This means that disabling password auth in `/etc/ssh/sshd_config` does
  nothing:

      # To disable tunneled clear text passwords, change to no here!
      PasswordAuthentication no
      ^ Setting it to "no" does nothing

  Server admins also need to delete `/etc/ssh/sshd_config.d/50-cloud-
  init.conf` which contains a single line:

          PasswordAuthentication yes

  There is no documentation for server admins that this is necessary in
  /etc/ssh/sshd_config nor is this expected and will cause massive
  security problems as upgrade in the future. People are just
  discovering this behaviour now:

  [0] https://www.mikeberggren.com/deb-ssh-auth
  [1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
  [2] https://askubuntu.com/a/435620

  Recommendation:
  1. Don't include this file by default
  2. OR update sshd_config documentation so people know to check /etc/ssh/ssd_config.d/

  lllf
  ```

  @falcojr from cloud-init added that:
  > this happens due to the subiquity installer setting passwordauthentication yes by default
  > cloud-init writes any explicit configuration about ssh into sshd_config.d

  To summarize:
  Often `PasswordAuthentication` is disabled in `/etc/ssh/sshd_config`. When cloud-init is used, this value is set in `/etc/ssh/sshd_config.d/50-cloud-init.conf` and will override `/etc/ssh/sshd_config`. If an admin is not aware of this additional config file or how sshd loads configs, they may unintentionally allow PasswordAuthentication.

  My inclination is to opt for lllf's second recommendation and clearly document the additional config file. Possibly the header of /etc/ssh/sshd_config could include:
  ```
  # Note that cloud-init has generated /etc/ssh/sshd_config.d/50-cloud-init.conf
  # configurations in sshd_config.d may override settings in this file
  # such as overriding PasswordAuthentication to yes
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/2088207/+subscriptions