Tracked in Github Issues as https://github.com/canonical/cloud- init/issues/2837
** Bug watch added: github.com/canonical/cloud-init/issues #2837 https://github.com/canonical/cloud-init/issues/2837 ** Changed in: cloud-init Status: Confirmed => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to cloud-init. https://bugs.launchpad.net/bugs/1675021 Title: ssh_pwauth: false fails to disable challenge/response authentication Status in cloud-init: Expired Bug description: cc_set_passwords.py interprets the ssh_pwauth boolean configuration option, and depending on its setting will either enable, disable, or not touch the PasswordAuthentication option in sshd_config. This neglects to also set ChallengeResponseAuthentication. It defaults to yes upstream, but many distributions, including Ubuntu, ship a default sshd_config that sets this to no. On a system with "ChallengeResponseAuthentication yes" however, "ssh_pwauth: false" has no real effect — and this poses a security problem for users of those systems, as they will most likely inadvertently leave password authentication enabled. How to best address this is tricky. Obviously, "ssh_pwauth: false" should disable both PasswordAuthentication and ChallengeResponseAuthentication. What "ssh_pwauth: true" should do is debatable. What complicates matters still is that one of the affected systems that ship with "ChallengeResponseAuthentication yes" is SLES, including the official JeOS OpenStack image, and SLES ships its own fork of cloud-init. So even if this does gets fixed in upstream cloud- init, someone still has to remind the SUSE folks to merge the patch (or update their default image). To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-init/+bug/1675021/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp