[Bug 1922212] Re: SSHD does not honor configuration files
Jeffrey Walton
1922212 at bugs.launchpad.net
Thu Apr 1 09:31:58 UTC 2021
This gets worse. Adding the following to the tail of
/etc/ssh/sshd_config does not configure the service properly.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
PermitRootLogin no
The login attempts are still allowed:
Apr 01 09:31:10 localhost sshd[239597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root
Apr 01 09:31:13 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:16 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:19 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:20 localhost sshd[239597]: Received disconnect from 49.88.112.77 port 50368:11: [preauth]
Apr 01 09:31:20 localhost sshd[239597]: Disconnected from authenticating user root 49.88.112.77 port 50368 [preauth]
Apr 01 09:31:20 localhost sshd[239597]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1922212
Title:
SSHD does not honor configuration files
Status in openssh package in Ubuntu:
New
Bug description:
I'm working on Ubuntu 20, x86_64, fully patched.
# lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
...
We are seeing reports of failed password-based logins using root:
jounralctl -xe
...
Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
...
There are three attempts every second or two (literally):
# journalctl -xe | grep -i -c 'Failed password for root'
324
Our OpenSSH server is configured with both no-password based logins
and no-root logins.
# ls /etc/ssh/sshd_config.d/
10_pubkey_auth.conf 20_disable_root_login.conf
# cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# Enable public key
PubkeyAuthentication yes
# cat /etc/ssh/sshd_config.d/20_disable_root_login.conf
PermitRootLogin no
The config files are included last in our /etc/ssh/sshd_config file:
# tail -n 3 /etc/ssh/sshd_config
# For some reason OpenSSH does not include additional conf files by default.
Include /etc/ssh/sshd_config.d/*.conf
I dislike modifying /etc/ssh/sshd_config since it will be overwritten
by the distro. With that said, I modified it without success.
It really annoys me that we can't secure this service. Something looks
very broken here.
-----
# apt-cache show openssh-server
Package: openssh-server
Architecture: amd64
Version: 1:8.2p1-4ubuntu0.2
Multi-Arch: foreign
Priority: optional
Section: net
Source: openssh
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212/+subscriptions
More information about the foundations-bugs
mailing list