Bug#1135881: openssh-server: Password authentication stopped working with openssh 10.3

[Marcel Partap]

Package: openssh-server
Version: 1:10.3p1-2
Severity: normal
X-Debbugs-Cc: mpar...@gmx.net

Couple of weeks ago I noticed I couldn't login to my system from on the go, so
now finally got to drill a bit further down, entering the password reproducibly
with a script. The versions in stable (1:10.0p1-7+deb13u1) and stable-backports
(1:10.2p1-6~bpo13+1) work while those in testing (1:10.3p1-1) and unstable
(1:10.3p1-2) reject the correct password (with unchanged sshd_config) with
"Permission denied (publickey,password)".

I know password auth is frowned upon and probably has few users, but I guess
this is a bug and possibly might hit others. I wasn't sure how to just run the
password.sh from the regression tests, so just reporting for now. Can anyone
reproduce?


-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (510, 'unstable'), (509, 'experimental'), (500, 
'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 
'oldstable-security'), (500, 'oldoldstable-updates'), (500, 
'oldoldstable-security'), (500, 'oldoldstable'), (500, 'testing'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.19.14-1-liquorix-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  debconf [debconf-2.0]       1.5.92
ii  libaudit1                   1:4.1.2-1+b1
ii  libc6                       2.43-2
ii  libcom-err2                 1.47.4-1
ii  libgssapi-krb5-2            1.22.1-2+b1
ii  libkrb5-3                   1.22.1-2+b1
ii  libpam-modules              1.7.0-5+b1
ii  libpam-runtime              1.7.0-5
ii  libpam0g                    1.7.0-5+b1
ii  libselinux1                 3.10-1
ii  libssl3t64                  3.6.2-1
ii  libwrap0                    7.6.q-37
ii  libwtmpdb0                  0.75.0-5
ii  openssh-client              1:10.2p1-6~bpo13+1
ii  openssh-sftp-server         1:10.2p1-6~bpo13+1
ii  procps                      2:4.0.4-9+b2
ii  runit-helper                2.16.6
ii  systemd [systemd-sysusers]  260.1-1
ii  ucf                         3.0053
ii  zlib1g                      1:1.3.dfsg+really1.3.2-3

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  260.1-1
ii  ncurses-term             6.6+20251231-1
ii  passwd                   1:4.19.3-2
ii  xauth                    1:1.1.2-1.1

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  4:6.6.3-2
ii  kwalletcli [ssh-askpass]   3.03-1+b1
pn  molly-guard                <none>
pn  monkeysphere               <none>
ii  ssh-askpass                1:1.2.4.1-16+b1
pn  ufw                        <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]

-- debconf-show failed