I've looked at the source code. Colin (cjwatson) writes as a comment in openssh-server.postinst:
> # XXX cjwatson 2016-12-24: This debconf template is very confusingly
> # named; its description is "Disable SSH password authentication for
> # root?", so true -> prohibit-password (the upstream default),
> # false -> yes.

This is in conflict with https://canonical-subiquity.readthedocs-hosted.com/en/latest/reference/autoinstall-reference.html#debconf-selections:

> autoinstall:
>   # Disable SSH root login and start the ufw firewall automatically
>   debconf-selections: |
>     openssh-server openssh-server/permit-root-login boolean false
>     ufw ufw/enable boolean true

And it is also in conflict with what someone who configures systems using Preseed files or autoinstall.yaml files fed to Subiquity, and who hence _never sees_ the Whiptail screen with the description in it, would expect from an option called "permit-root-login".

I also don't foresee a circumstance in which anyone would configure a production system to allow root to login over SSH using a password, so a choice between "prohibit-password" and "no" would be of more practical use. I acknowledge that this would be a breaking change for people who set up their SSH servers really insecurely.

The ability to use debconf to set any of "yes", "prohibit-password", "forced-commands-only", or "no" would be even better. I acknowledge that this would be a breaking change for people who use debconf to pre-configure packages because of the change of data type from boolean to something else.

One of three things should happen:

- Canonical should update the Subiquity docs to reflect the current behaviour of the package, so as not to mislead people. This is the least-desirable option because it doesn't improve the useful options available to people who use debconf to pre-configure packages. However, this is the option that is under Canonical's control.

- The package maintainers replace "yes" with "no" in the postinst and update the debconf template description to reflect this. This would require agreement from the Debian project.
- The package maintainers enable all of "yes", "prohibit-password", "forced-commands-only", or "no" in debconf. Again, this would require agreement from the Debian project.

** Attachment added: "command-output-installed-os.txt"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2128863/+attachment/5918590/+files/command-output-installed-os.txt

-- 
You received this bug notification because you are a member of Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2128863

Title:
  Setting the debconf "openssh-server/permit-root-login" option to false ENABLES root logins when it should disable them

Status in openssh package in Ubuntu:
  New

Bug description:
  Given: the attached autoinstall.yaml file being placed in the root of an Ubuntu Desktop 24.04.3 LTS bootable USB stick.

  When I: boot the laptop from the USB stick and accept the autoinstall.yaml file as my choices to install Ubuntu.

  I get:
  - The laptop reboots into an installed OS and I can login as the test user with password "test", BUT...
  - The SSH daemon is accepting root logins *with a password*, not even the default key-only logins. The configuration directive has been changed from the default, but to the wrong thing.
  - After booting into the installed OS, debconf-get-selections shows the debconf-selections from the autoinstall.yaml file.
  - If I `apt purge openssh-server ; apt install ssh`, the SSH daemon is still misconfigured.
  - If I manually say `echo "openssh-server openssh-server/permit-root-login boolean false" | debconf-set-selections` and then purge and reinstall the SSH daemon, I get the default config.

  I expected:
  - The SSH daemon to disallow root logins.

  Other information:
  At first I thought this was a problem with Subiquity, but the problems persist even with manual intervention to the installed system. Therefore I think that the problem is with the packaging of OpenSSH server.
  When I used Apt to download the openssh-server 1:9.6p1-3ubuntu13.14 package, which is the latest version available in 24.04.03 LTS, I saw in the postinst file the following:

    75 db_get openssh-server/permit-root-login
    76 permit_root_login="$RET"
    77 db_get openssh-server/password-authentication
    78 password_authentication="$RET"
    79
    80 trap cleanup EXIT
    81 new_config="$(mktemp)"
    82 cp -aZ /usr/share/openssh/sshd_config "$new_config"
    83 if [ "$permit_root_login" != true ]; then
    84     sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
    85         "$new_config"
    86 fi

  I think line 84 is meant to say:

    sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' \
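The following script is an added example, not part of the bug report and not code from the openssh package. It replays the postinst mapping quoted above (debconf boolean -> sed rewrite of PermitRootLogin) against a constructed stand-in for /usr/share/openssh/sshd_config, applies both the shipped mapping ("yes") and the mapping the report proposes for line 84 ("no"), and then reads back the effective PermitRootLogin value the way sshd resolves it (first uncommented directive wins, upstream default prohibit-password if none). The sample config contents and the function names are assumptions for the example; the sed regex is the one from the postinst.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh packaging):
# replay the postinst PermitRootLogin mapping and check the result.

# Constructed stand-in for /usr/share/openssh/sshd_config. Upstream ships
# the directive commented out, so the built-in default applies.
make_default_config() {
    f="$(mktemp)"
    printf '%s\n' \
        '# constructed sample sshd_config (example, not the real file)' \
        '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' > "$f"
    echo "$f"
}

# Portable stand-in for "sed -i": rewrite the file in place via a temp copy.
rewrite_in_place() {   # $1 = sed expression, $2 = file
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Mapping as quoted from postinst lines 83-86 of 1:9.6p1-3ubuntu13.14:
# any value other than "true" rewrites the directive to "yes".
apply_current_postinst() {   # $1 = debconf boolean, $2 = config file
    if [ "$1" != true ]; then
        rewrite_in_place 's/^#*PermitRootLogin .*/PermitRootLogin yes/' "$2"
    fi
}

# Mapping the report proposes for line 84: "no" instead of "yes".
apply_proposed_postinst() {   # $1 = debconf boolean, $2 = config file
    if [ "$1" != true ]; then
        rewrite_in_place 's/^#*PermitRootLogin .*/PermitRootLogin no/' "$2"
    fi
}

# sshd_config semantics: the first uncommented PermitRootLogin directive is
# the one in force; with none present the default is prohibit-password.
effective_permit_root_login() {   # $1 = config file
    v="$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)"
    echo "${v:-prohibit-password}"
}

# debconf value + mapping name -> effective PermitRootLogin setting.
outcome() {   # $1 = true|false, $2 = current|proposed
    cfg="$(make_default_config)"
    case "$2" in
        current)  apply_current_postinst "$1" "$cfg" ;;
        proposed) apply_proposed_postinst "$1" "$cfg" ;;
    esac
    effective_permit_root_login "$cfg"
    rm -f "$cfg"
}

# Table of all four combinations, the same check an installer or CI job
# could run against a freshly provisioned host's /etc/ssh/sshd_config.
for v in true false; do
    for m in current proposed; do
        printf 'permit-root-login=%-5s mapping=%-8s -> PermitRootLogin %s\n' \
            "$v" "$m" "$(outcome "$v" "$m")"
    done
done
```

Running it prints one line per combination; the "false"/"current" row is the one the report describes (the directive ends up as "yes"), while "true" leaves the commented default, so prohibit-password, in both mappings. The effective_permit_root_login function on its own is a reasonable post-install check to run against the real /etc/ssh/sshd_config, since it reports what sshd will actually enforce rather than what debconf was told.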

