[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

** Changed in: openssh (Ubuntu)
       Status: Incomplete => Expired

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1887016

Title:
  Openssh default config has two PasswordAuthentication params

Status in openssh package in Ubuntu:
  Expired

Bug description:
  In Ubuntu server 20.04 the /etc/ssh/sshd_config file has an additional `PasswordAuthentication yes` string at the end. It can lead to security problems, because there's already one string `# PasswordAuthentication yes` at the beginning of the file. It is supposed to be uncommented if it's needed to change the default value. But if the user uncomments this string and sets it to "no", it will be overridden by the last line of config.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1887016/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
What image are you using? I've got the same problem with 20.04-live-server-amd64.iso (https://releases.ubuntu.com/20.04/ubuntu-20.04-live-server-amd64.iso)
[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
I launched a VM locally and I also was not able to find what you mentioned. Not sure what might have happened to make you get to this state.
[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
I've made a clean installation on my desktop from the .iso downloaded from ubuntu.com (also re-checked on virtualbox). No additional packages or updates were installed. Ubuntu Desktop config is OK though.

Maybe the problem is not in the openssh package, but in some postinstall or cloudinit scripts that change the config file after OS installation?
[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
Hello Rulon, can you please double-check where your openssh-server package came from? I don't have this "PasswordAuthentication yes" in any of my 20.04 systems, and a very quick look at the current package doesn't show this:

$ apt-get download openssh-server
Get:1 http://wopr.domain/ubuntu focal-updates/main amd64 openssh-server amd64 1:8.2p1-4ubuntu0.1 [377 kB]
Fetched 377 kB in 0s (1,097 kB/s)
$ mkdir openssh-server
$ cd openssh-server
$ ar x ../openssh-server_1%3a8.2p1-4ubuntu0.1_amd64.deb
$ tar xf control.tar.xz
$ tar xf data.tar.xz
$ grep -r "PasswordAuthentication yes"
usr/share/openssh/sshd_config:#PasswordAuthentication yes

Of the versions of openssh that are on my local archive mirror, none of the sshd_config files had this line uncommented:

$ rg "PasswordAuthentication yes" -g '**/sshd_config'
openssh_5.9p1-5ubuntu1.10/sshd_config
64:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.9/sshd_config
72:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.10/sshd_config
72:#PasswordAuthentication yes

openssh_6.6p1-2ubuntu1/sshd_config
73:#PasswordAuthentication yes

openssh_5.9p1-5ubuntu1/sshd_config
64:#PasswordAuthentication yes

openssh_8.0p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_8.0p1-6ubuntu0.1/sshd_config
56:#PasswordAuthentication yes

openssh_6.6p1-2ubuntu2.13/sshd_config
73:#PasswordAuthentication yes

openssh_7.7p1-4ubuntu0.3/sshd_config
56:#PasswordAuthentication yes

openssh_7.7p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4ubuntu0.1/sshd_config
58:#PasswordAuthentication yes

openssh_7.6p1-4ubuntu0.3/sshd_config
56:#PasswordAuthentication yes

openssh_7.6p1-4/sshd_config
56:#PasswordAuthentication yes

openssh_7.2p2-4ubuntu2.8/sshd_config
72:#PasswordAuthentication yes

openssh_8.3p1-1/sshd_config
58:#PasswordAuthentication yes

openssh_8.1p1-5/sshd_config
56:#PasswordAuthentication yes

openssh_7.6p1-4ubuntu0.4/sshd_config
56:#PasswordAuthentication yes

openssh_7.9p1-10/sshd_config
56:#PasswordAuthentication yes

openssh_7.2p2-4/sshd_config
72:#PasswordAuthentication yes

openssh_8.0p1-4build1/sshd_config
56:#PasswordAuthentication yes

openssh_8.0p1-6build1/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4ubuntu1/sshd_config
58:#PasswordAuthentication yes

openssh_8.1p1-1/sshd_config
56:#PasswordAuthentication yes

openssh_8.2p1-4/sshd_config
58:#PasswordAuthentication yes

How was this system installed? Was it customized by an ISP or cloud provider? Were any programs installed outside of the Ubuntu Archive that might have such a configuration change as part of an install script?

Thanks

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete

** Information type changed from Private Security to Public Security
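
Added example, not part of the thread or of the openssh package: a small checker for the situation this bug describes, a keyword such as PasswordAuthentication set more than once in one sshd_config. sshd_config(5) documents that for each keyword the first obtained value is used, so the script reports the first occurrence as effective and later ones as ignored. The function names, the output format and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list sshd_config keywords set more than once in the global
# section. sshd_config(5): for each keyword the first obtained value is used.
# Assumptions: whitespace-separated "Keyword value" lines, Include files are
# not followed, scanning stops at the first Match block.

dup_directives() {
    awk '
    BEGIN {
        # Keywords that may legitimately repeat (non-exhaustive list).
        n = split("include port listenaddress hostkey acceptenv setenv subsystem", m, " ")
        for (i = 1; i <= n; i++) multi[m[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        key = tolower($1)                # keywords are case-insensitive
        if (key == "match") exit         # global section ends here; END still runs
        if (key in multi) next
        seen = $2 "@L" NR                # first argument and its line number
        if (key in first) ignored[key] = ignored[key] " " seen
        else { first[key] = seen; order[++cnt] = key }
    }
    END {
        # Print in order of first appearance, one line per duplicated keyword.
        for (i = 1; i <= cnt; i++) {
            k = order[i]
            if (k in ignored)
                printf "%s effective=%s ignored=%s\n", k, first[k], substr(ignored[k], 2)
        }
    }' "$@"
}

# Constructed sample, not taken from a real system.
sample_config() {
    cat <<'EOF'
# constructed sshd_config excerpt
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
AcceptEnv LANG LC_*
AcceptEnv EDITOR
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

sample_config | dup_directives
```

On a live host, `sshd -T` prints the values sshd actually resolved, including anything pulled in through Include.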