[Bug 2012298] Re: PasswordAuthenticaion in sshd_config.d
Gerard Weatherby
2012298 at bugs.launchpad.net
Sat Apr 15 01:05:15 UTC 2023
Tested openssh-server/focal-proposed,now 1:8.2p1-4ubuntu0.7 amd64 [installed]

Creating /etc/ssh/sshd_config.d/<username>.conf:

  Match User <username>
    PasswordAuthentication No

worked as expected: prohibited password login while allowing publickey
authentication.
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2012298
Title:
PasswordAuthenticaion in sshd_config.d
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Focal:
Fix Committed
Bug description:
[Impact]
When using the "Match" phrase in sshd_config.d files, the
configuration does not apply. This leads to failures in user-specific
configurations such as with PasswordAuthentication.
The fix for this issue should be added to Focal to allow users to use
Match as expected.
The bug is fixed by backporting an upstream commit that includes
custom config files then runs all matches provided. It updates the
function for reading in config files with checks for matches, and, if
the correct flags are marked, the match will then be handled
accordingly.
[Test Plan]
$ lxc launch images:ubuntu/focal test-ssh-focal
$ lxc exec test-ssh-focal bash
# apt update && apt upgrade -y
# apt install openssh-server
# adduser user
> ssh into container from another terminal to show pw auth is
available by default. You can get the ip through 'ip addr' in the
container or 'lxc list' outside.
$ ssh user@<container-ip>
user@<container-ip>'s password:
# cat <<EOF >/etc/ssh/sshd_config.d/user.conf
Match User user
PasswordAuthentication No
Match All
EOF
# systemctl restart sshd
> Check again in other terminal
$ ssh user@<container-ip>
> Before the fix, it will show:
user@<container-ip>'s password:
> After, it will show
user@<container-ip>: Permission denied (publickey).
[Where problems could occur]
If problems were to occur, they would be in the interpretation of
configuration files. All changes from this fix exist in servconf.c.
The largest part of this change is a move from the inc_flags variable
being an integer to an integer pointer, so problems could show up
through changes to the flags in the pass by reference. Going over the
change to pointer usage visually, all instances within the
process_server_config_line_depth function are modified properly, along
with the two calls to the function.
[Other Info]
This issue has already been fixed in Jammy and later, as it was fixed
in upstream version 8.4.
To use the PPA containing this fix, you can run:
$ sudo apt install -y software-properties-common
$ sudo add-apt-repository -y ppa:lvoytek/openssh-fix-passwordauthentication-config
$ sudo apt update
$ sudo apt upgrade -y
$ sudo systemctl restart sshd
[Original Description]
The stanza

  Match User <username>
    PasswordAuthentication no

in /etc/ssh/sshd_config works as expected.

The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
The Include in /etc/ssh/sshd_config is not commented out, and

  /usr/sbin/sshd -D -ddd

shows the username.config file being parsed.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.2p1-4ubuntu0.5
ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
Uname: Linux 5.4.0-131-generic x86_64
NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Mar 20 13:34:14 2023
InstallationDate: Installed on 2022-11-04 (136 days ago)
InstallationMedia:
SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
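An added example, not part of the bug report or of OpenSSH: one way to check that the drop-in Match stanzas from the Test Plan are the values sshd actually resolves, by comparing each "Match User" request for PasswordAuthentication with the output of sshd's extended test mode (-T with a -C connection spec). The function names, the --run switch, the file name check.sh and the host=/addr= values are assumptions made for the example; the page does not say whether sshd -T shows the unpatched behaviour, so the login attempt in the Test Plan stays the deciding test.

```shell
#!/bin/sh
# Added example. SSHD and DROPIN_DIR defaults are the usual Ubuntu paths.
SSHD="${SSHD:-/usr/sbin/sshd}"
DROPIN_DIR="${DROPIN_DIR:-/etc/ssh/sshd_config.d}"

# Print "<user> <yes|no>" for every PasswordAuthentication line inside a
# single-criterion "Match User <literal-name>" block of file $1.
# Patterns, negation and user lists are skipped, not guessed at.
match_user_pwauth() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" {
            user = (tolower($2) == "user" && NF == 3 && $3 !~ /[*?!,]/) ? $3 : ""
            next
        }
        user != "" && tolower($1) == "passwordauthentication" {
            print user, tolower($2)
        }
    ' "$1"
}

# Value of keyword $2 that sshd resolves for user $1 in extended test mode.
# host= and addr= are constructed placeholders for the connection spec.
effective_value() {
    "$SSHD" -T -C "user=$1,host=localhost,addr=127.0.0.1" 2>/dev/null |
        awk -v k="$2" '$1 == k { print $2; exit }'
}

# Compare each drop-in request with sshd's answer; non-zero on any mismatch.
check_dropins() {
    rc=0
    for f in "$DROPIN_DIR"/*.conf; do
        [ -f "$f" ] || continue
        while read -r user want; do
            [ -n "$user" ] || continue
            got=$(effective_value "$user" passwordauthentication)
            if [ "$got" = "$want" ]; then
                echo "OK       $user: passwordauthentication $got ($f)"
            else
                echo "MISMATCH $user: wants $want, sshd reports ${got:-nothing} ($f)"
                rc=1
            fi
        done <<EOF
$(match_user_pwauth "$f")
EOF
    done
    return "$rc"
}

# Run as root with: sh check.sh --run
if [ "${1:-}" = "--run" ]; then check_dropins; exit $?; fi
```

sshd -T needs to read the host keys, so the check has to run as root on the server being verified.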