[Bug 1305228] Re: PasswordAuthentication "no" fails if user account has no password set
Robie Basak
1305228 at bugs.launchpad.net
Thu Apr 10 09:30:41 UTC 2014
** Changed in: openssh (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1305228
Title:
PasswordAuthentication "no" fails if user account has no password set
Status in “openssh” package in Ubuntu:
Incomplete
Bug description:
Adding the following options to the /etc/ssh/sshd_config file:
    PasswordAuthentication no
    UsePAM no
For the purpose of disallowing logins by users via password (instead
of public key).
Login via public key does work as expected for users that HAVE a
password defined (but will NEVER be requested per the configuration --
as designed).
For users created without a password, these options cause the ssh
connection to fail with the error message:
    Permission denied (publickey).
Setting a non-trivial password (of course) for the user causes the
subsequent ssh connection to succeed.
This seems counter to the intent of the sshd options -- to require a
user to have a valid password to never ask the password and only
accept public key authentication.
Description: Ubuntu 12.04.4 LTS
Release: 12.04
openssh-server version 1:5.9p1-5ubuntu1.3
A *very* bad situation can occur if the root account has no valid
password, and instead relies on public key authentication. Setting
these parameters in sshd_config will effectively lock the root user
from logging in directly to the system! Combine with locking out all
the users, and you have a system with no user access!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1305228/+subscriptions
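A pre-change check for the lockout described in this report, added here as an example and not part of the bug report or of OpenSSH. It assumes the behaviour documented in sshd(8): locked accounts are refused for every authentication type, and on most Linuxes a locked account is one whose shadow password field starts with "!". The function names, the sample sshd_config and the sample shadow lines are constructed for illustration.

```python
# Added example; sample data below is constructed, not taken from the bug report.
LOCK_PREFIX = "!"  # sshd(8): a leading '!' marks a locked account on most Linuxes

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
PasswordAuthentication no
UsePAM no
"""

SAMPLE_SHADOW = """\
root:!:16170:0:99999:7:::
daemon:*:16170:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16170:0:99999:7:::
bob:!:16170:0:99999:7:::
"""

def global_options(config_text):
    """Map keyword -> value for the global section; the first occurrence wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # per-connection blocks follow; global options end here
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().strip('"').lower())
    return opts

def locked_accounts(shadow_text):
    """Names whose password field starts with the lock marker."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith(LOCK_PREFIX):
            names.append(fields[0])
    return names

def at_risk(config_text, shadow_text, key_users):
    """Key-only users that sshd would refuse once UsePAM is off."""
    if global_options(config_text).get("usepam", "no") != "no":  # upstream default: no
        return []
    return [u for u in locked_accounts(shadow_text) if u in key_users]

if __name__ == "__main__":
    print(at_risk(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW, {"root", "alice", "bob"}))
```

sshd(8) notes that an account meant for public-key login only should have a password field that is not a lock marker, and gives "*NP*" as an example value.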