I set LogLevel=DEBUG in /etc/ssh/sshd_config, systemctl restart sshd,
and I'm none the wiser:

debug1: Forked child 1652.
debug1: Set /proc/self/oom_score_adj to 0
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 127.0.0.1 port 45396 on 127.0.0.1 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Ubuntu-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0p1 Ubuntu-1
debug1: compat_banner: match: OpenSSH_9.0p1 Ubuntu-1 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 109/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: sntrup761x25519-sha...@openssh.com [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user user1 service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "user1"
debug1: PAM: setting PAM_RHOST to "127.0.0.1"
debug1: PAM: setting PAM_TTY to "ssh"
Connection closed by authenticating user user1 127.0.0.1 port 45396 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 1653
debug1: audit_event: unhandled event 12


again, no trace of password/keyboard authentication.

Note that this is the same openssh package version that we've had in
Debian testing for three months, and that works just fine. So possibly
some broken PAM config?

** Description changed:

  I am in the process of updating our CI for Cockpit to kinetic [1]. I get
  a lot of test failures because SSH password login is broken.
  
  This can be replicated with a clean cloud instance, so it's not
  something that our VM build scripts do:
  
-   curl -L -O 
https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
-   # nothing fancy, just admin:foobar and root:foobar
-   curl -L -O 
https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso
+   curl -L -O 
https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
+   # nothing fancy, just admin:foobar and root:foobar
+   curl -L -O 
https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso
  
  Boot the image:
-   qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive 
file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom 
cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22
+   qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive 
file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom 
cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22
  
  For some reason that doesn't create an "admin" user. So log into VT as
  root:foobar and create a user:
  
-   adduser test1
+   adduser test1
  
  Now, inside the VM VT:
  
-   root@ubuntu:~# ssh  user1@localhost
-   user1@localhost: Permission denied (publickey).
+   root@ubuntu:~# ssh  user1@localhost
+   user1@localhost: Permission denied (publickey).
  
  The same happens when trying to ssh from outside:
  
-   ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o 
CheckHostIP=no -p 22001 user1@localhost
-   user1@localhost: Permission denied (publickey).
+   ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o 
CheckHostIP=no -p 22001 user1@localhost
+   user1@localhost: Permission denied (publickey).
  
  It does not seem to even *attempt* password auth:
  
-   ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o 
CheckHostIP=no -p 22001 user1@localhost 2>&1|grep -i method
-   debug1: Next authentication method: publickey
-   debug2: we did not send a packet, disable method
-   debug1: No more authentication methods to try.
+   ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o 
CheckHostIP=no -p 22001 user1@localhost 2>&1|grep -i method
+   debug1: Next authentication method: publickey
+   debug2: we did not send a packet, disable method
+   debug1: No more authentication methods to try.
  
  ... like it would to other OSes:
  
-   debug1: Next authentication method: keyboard-interactive
+   debug1: Next authentication method: keyboard-interactive
  
  Password authentication is enabled by default:
  
-   $ grep -i password /etc/ssh/sshd_config
+   $ grep -i password /etc/ssh/sshd_config
  
-   #PermitRootLogin prohibit-password
-   # To disable tunneled clear text passwords, change to no here!
-   #PasswordAuthentication yes
-   #PermitEmptyPasswords no
-   # Change to yes to enable challenge-response passwords (beware issues with
-   # PasswordAuthentication.  Depending on your PAM configuration,
-   # the setting of "PermitRootLogin without-password".
-   # PAM authentication, then enable this but set PasswordAuthentication
-   PasswordAuthentication yes
+   #PermitRootLogin prohibit-password
+   # To disable tunneled clear text passwords, change to no here!
+   #PasswordAuthentication yes
+   #PermitEmptyPasswords no
+   # Change to yes to enable challenge-response passwords (beware issues with
+   # PasswordAuthentication.  Depending on your PAM configuration,
+   # the setting of "PermitRootLogin without-password".
+   # PAM authentication, then enable this but set PasswordAuthentication
+   PasswordAuthentication yes
+ 
+ [1] https://github.com/cockpit-project/bots/pull/3641 and
+ https://github.com/cockpit-project/cockpit/pull/17582
  
  
- 
- [1] https://github.com/cockpit-project/bots/pull/3641 and 
https://github.com/cockpit-project/cockpit/pull/17582
+ ProblemType: Bug
+ DistroRelease: Ubuntu 22.10
+ Package: openssh-server 1:9.0p1-1
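
Review bot: the reproduction steps are inconsistent about the account name: the revised description still creates the user with "adduser test1", but every ssh command and its output use "user1@localhost". Use one name throughout so the steps reproduce as written. The "grep -i password /etc/ssh/sshd_config" step also reads only that one file, so the "enabled by default" statement would be easier to verify if the description quoted the effective server configuration as well.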

** Also affects: openssh (Ubuntu Kinetic)
   Importance: High
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1982482

Title:
  SSH password login not attempted/denied

Status in openssh package in Ubuntu:
  New
Status in openssh source package in Kinetic:
  New

Bug description:
  I am in the process of updating our CI for Cockpit to kinetic [1]. I
  get a lot of test failures because SSH password login is broken.

  This can be replicated with a clean cloud instance, so it's not
  something that our VM build scripts do:

    curl -L -O https://cloud-images.ubuntu.com/daily/server/kinetic/current/kinetic-server-cloudimg-amd64.img
    # nothing fancy, just admin:foobar and root:foobar
    curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso

  Boot the image:
    qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=kinetic-server-cloudimg-amd64.img,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::22001-:22

  For some reason that doesn't create an "admin" user. So log into VT as
  root:foobar and create a user:

    adduser test1

  Now, inside the VM VT:

    root@ubuntu:~# ssh  user1@localhost
    user1@localhost: Permission denied (publickey).

  The same happens when trying to ssh from outside:

    ❱❱❱ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost
    user1@localhost: Permission denied (publickey).

  It does not seem to even *attempt* password auth:

    ❱❱❱ ssh -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 22001 user1@localhost 2>&1|grep -i method
    debug1: Next authentication method: publickey
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.

  ... like it would to other OSes:

    debug1: Next authentication method: keyboard-interactive

  Password authentication is enabled by default:

    $ grep -i password /etc/ssh/sshd_config

    #PermitRootLogin prohibit-password
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    # Change to yes to enable challenge-response passwords (beware issues with
    # PasswordAuthentication.  Depending on your PAM configuration,
    # the setting of "PermitRootLogin without-password".
    # PAM authentication, then enable this but set PasswordAuthentication
    PasswordAuthentication yes

  [1] https://github.com/cockpit-project/bots/pull/3641 and
  https://github.com/cockpit-project/cockpit/pull/17582

  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: openssh-server 1:9.0p1-1
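
The grep in the description reads only /etc/ssh/sshd_config, but sshd uses the first value it obtains for each keyword and follows Include directives, so a line in one file is not necessarily the effective setting. The resolver below is an added example, not part of the bug report or of OpenSSH: the function names, the drop-in file name 50-example.conf and all file contents are constructed for illustration and are not claimed to match the reporter's image.

```python
import glob
import os
import tempfile


def effective(path, base=None, seen=None):
    """Return {keyword: (value, source file)} using sshd's first-value-wins rule.

    Simplifications (assumptions of this example): Match blocks are not
    evaluated, so reading of a file stops at its first Match line, and
    relative Include patterns are resolved against the top-level file's
    directory, standing in for /etc/ssh.
    """
    seen = {} if seen is None else seen
    base = base or os.path.dirname(os.path.abspath(path))
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # commented-out defaults such as "#PasswordAuthentication yes"
            fields = line.replace("=", " ", 1).split(None, 1)
            key = fields[0].lower()  # keywords are case-insensitive
            arg = fields[1].strip() if len(fields) > 1 else ""
            if key == "match":
                break
            if key == "include":
                for pattern in arg.split():
                    for inc in sorted(glob.glob(os.path.join(base, pattern))):
                        effective(inc, base, seen)
            else:
                seen.setdefault(key, (arg, os.path.basename(path)))
    return seen


def demo():
    """Constructed layout: a drop-in is included before the main file's own line."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "sshd_config.d"))
        with open(os.path.join(d, "sshd_config.d", "50-example.conf"), "w") as fh:
            fh.write("PasswordAuthentication no\n")
        main = os.path.join(d, "sshd_config")
        with open(main, "w") as fh:
            fh.write("Include sshd_config.d/*.conf\n"
                     "#PasswordAuthentication yes\n"
                     "KbdInteractiveAuthentication no\n"
                     "UsePAM yes\n"
                     "PasswordAuthentication yes\n")
        return effective(main)


if __name__ == "__main__":
    for key, (value, src) in demo().items():
        print(f"{key} {value}  (from {src})")
```

On a real host, running sshd -T as root prints the effective configuration that the running package would use.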
