[Bug 1968873] Re: Regression: images ship with modified configuration file

Thu Jul 7 16:09:07 UTC 2022

Please don't SRU! It breaks the way cloud-init sets password auth:

At least on Azure: if someone sets --authentication-type password,
cloud-init does the following:

2022-07-07 15:40:54,037 - util.py[DEBUG]: Read 3254 bytes from /etc/ssh/sshd_config
2022-07-07 15:40:54,037 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes

And this option is overwritten by this new file
"/etc/ssh/sshd_config.d/10-cloudimg-settings.conf", so users can't SSH
into their VM!

I think we need this bug to get fixed in cloud-init before adding this
to cloud-images.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1968873

Title:
  Regression: images ship with modified configuration file

Status in livecd-rootfs:
  In Progress
Status in livecd-rootfs package in Ubuntu:
  Fix Released
Status in livecd-rootfs source package in Focal:
  New
Status in livecd-rootfs source package in Impish:
  New
Status in livecd-rootfs source package in Jammy:
  Fix Committed

Bug description:
  This cloud image:

  build_name: server
  serial: 20220411.2

  ...ships with a "user-modified" /etc/ssh/sshd_config. This results in
  a confusing ucf prompt when upgrading from Focal to Jammy.

  It looks like this is being done here:
  https://git.launchpad.net/ubuntu/+source/livecd-rootfs/tree/live-
  build/ubuntu-cpc/hooks.d/chroot/052-ssh_authentication.chroot

  User impact: this messes up automation; it is a common use of cloud
  images for users to automate their server deployments which generally
  involves running a dist-upgrade and then bootstrapping some kind of
  configuration management system.

  As well as during an upgrade between releases, this will happen if
  openssh-server needs to change its /etc/ssh/sshd_config in an SRU or
  security update. Even users who have not touched /etc/ssh/sshd_config
  will be told that they have and the default is to keep the user
  "modified" version, so the change will not be applied.

  Workaround: users can use something like: apt-get update &&
  UCF_FORCE_CONFOLD=1 apt-get -y dist-upgrade. Note that to avoid
  prompts in various other cases users should also set
  DEBIAN_FRONTEND=noninteractive, run apt-get with -o Dpkg::Options::="
  --force-confdef" -o Dpkg::Options::="--force-confold" and consider
  redirecting stdin from /dev/null.

  Background:

  This has happened multiple times before. Please put CI in place to
  avoid this regressing again. See bug 1485685, bug 1581044, bug
  1581046, bug 1323772, bug 1747464.

  This needs to be backported to >= Focal so upgrades from Focal to
  Jammy do not result in the ucf prompt.

  [Test Plan]
  1) build image (eg. with ubuntu-old-fashioned) with the changes from here
  2) check that there is no modification for /etc/ssh/sshd_config via:
    $ ucfq openssh-server
  3) check that the new configuration file under /etc/ssh/sshd_config.d/10-cloudimg-settings.conf is there and contains the correct setting

  [Where problems could occur]
  Password authentication could be enabled after that change because sshd does not read the new configuration for whatever reason. This can be checked with "sudo sshd -T|grep passwordauthentication"

To manage notifications about this bug go to:
https://bugs.launchpad.net/livecd-rootfs/+bug/1968873/+subscriptions