[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-02 Thread Utkarsh Gupta
Hello Jeffrey,

Thank you for taking the time to file a bug and making the Ubuntu server
better.

It's a bit upsetting that you're hitting this bug. Can you share your
entire conf, please? This would help me better analyze the problem and
help me reproduce it.

While at it, could you also help me provide steps to reproduce this
easily? I can make out the issue but having straightforward steps
written will help me debug this fast enough.

That said, I found a link to Stack Exchange that might help:
https://unix.stackexchange.com/questions/218034/disabling-ssh-password-authentication-does-not-work-on-my-debian-vps
Let me know if it helps? Also, does restarting sshd help?

I am marking this bug as "Incomplete" for now. Once you provide the
necessary details, please mark it back to "New" and then we can take a
look and help debug further. Thanks! :)

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1922212

Title:
  SSHD does not honor configuration files

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  I'm working on Ubuntu 20, x86_64, fully patched.

 # lsb_release -a
 Distributor ID:Ubuntu
 Description:   Ubuntu 20.04.2 LTS
 ...

  We are seeing reports of failed password-based logins using root:

 journalctl -xe
 ...
 Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
 Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
 ...

  There are three attempts every second or two (literally):

 # journalctl -xe | grep -i -c 'Failed password for root'
 324

  Our OpenSSH server is configured with both no-password based logins
  and no-root logins.

 # ls /etc/ssh/sshd_config.d/
 10_pubkey_auth.conf  20_disable_root_login.conf

 # cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf 
 # Disable passwords
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 UsePAM no
 # Enable public key
 PubkeyAuthentication yes

 # cat /etc/ssh/sshd_config.d/20_disable_root_login.conf 
 PermitRootLogin no

  The config files are included last in our /etc/ssh/sshd_config file:

 # tail -n 3 /etc/ssh/sshd_config

 # For some reason OpenSSH does not include additional conf files by default.
 Include /etc/ssh/sshd_config.d/*.conf

  I dislike modifying /etc/ssh/sshd_config since it will be overwritten
  by the distro. With that said, I modified it without success.

  It really annoys me that we can't secure this service. Something looks
  very broken here.

  -

  # apt-cache show openssh-server
  Package: openssh-server
  Architecture: amd64
  Version: 1:8.2p1-4ubuntu0.2
  Multi-Arch: foreign
  Priority: optional
  Section: net
  Source: openssh
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Debian OpenSSH Maintainers 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-01 Thread Seth Arnold
Hello Jeffrey, this reminds me a little of
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320 -- but
it's also something that should have been addressed last year.

Thanks


[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-01 Thread Jeffrey Walton
Something is really sideways here:

# sshd -T | grep -i -E 'password|pam|authentication|publickey'
usepam yes
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication no
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
permitemptypasswords no
authenticationmethods any


[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-01 Thread Jeffrey Walton
Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=109846. It is
an old bug report (from 2001), but it says this is what we need:

   PasswordAuthentication no
   ChallengeResponseAuthentication no
   UsePAM no

** Bug watch added: Debian Bug tracker #109846
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=109846


[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-01 Thread Jeffrey Walton
This gets worse. Adding the following to the tail of
/etc/ssh/sshd_config does not configure the service properly.

   PasswordAuthentication no
   ChallengeResponseAuthentication no
   UsePAM no
   PubkeyAuthentication yes
   PermitRootLogin no

The login attempts are still allowed:

Apr 01 09:31:10 localhost sshd[239597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77  user=root
Apr 01 09:31:13 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:16 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:19 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:20 localhost sshd[239597]: Received disconnect from 49.88.112.77 port 50368:11:  [preauth]
Apr 01 09:31:20 localhost sshd[239597]: Disconnected from authenticating user root 49.88.112.77 port 50368 [preauth]
Apr 01 09:31:20 localhost sshd[239597]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77  user=root

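
sshd_config(5) documents that, for each keyword, the first obtained value is used, so a directive appended to the tail of the file or pulled in by a trailing Include cannot override an earlier setting. The following is an added example, not part of the thread or of OpenSSH: it resolves a config tree in read order and lists the directives that are shadowed. The `PasswordAuthentication yes` / `UsePAM yes` head of the main file and all function names are assumptions, since the report does not show that part of the file.

```python
import glob, os, tempfile
KEYS = {"passwordauthentication", "usepam", "permitrootlogin"}

def resolve(path):
    """Yield (keyword, value, 'file:line') in read order. Global section only."""
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.replace("=", " ", 1).split(None, 1)
            kw, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if kw == "match":          # simplification: a Match line ends this file
                return
            if kw == "include":        # expand globs in lexical order
                for pattern in val.split():
                    for inc in sorted(glob.glob(pattern)):
                        yield from resolve(inc)
            else:
                yield kw, val, f"{os.path.basename(path)}:{n}"

def audit(main_conf, keywords=KEYS):
    """First obtained value wins; later differing values are listed as shadowed."""
    report = {}
    for kw, val, src in resolve(main_conf):
        if kw in keywords:
            entry = report.setdefault(kw, {"effective": val, "source": src, "shadowed": []})
            if val != entry["effective"]:
                entry["shadowed"].append((val, src))
    return report

def build_demo(include_first):
    """Constructed tree: drop-ins as in the report; the main-file head is assumed."""
    d = os.path.join(tempfile.mkdtemp(), "sshd_config.d")
    os.mkdir(d)
    with open(os.path.join(d, "10_pubkey_auth.conf"), "w") as f:
        f.write("# Disable passwords\nPasswordAuthentication no\n"
                "ChallengeResponseAuthentication no\nUsePAM no\n")
    with open(os.path.join(d, "20_disable_root_login.conf"), "w") as f:
        f.write("PermitRootLogin no\n")
    head = "PasswordAuthentication yes\nUsePAM yes\n"  # assumed earlier directives
    include = f"Include {d}/*.conf\n"
    main = os.path.join(os.path.dirname(d), "sshd_config")
    with open(main, "w") as f:
        f.write(include + head if include_first else head + include)
    return main

if __name__ == "__main__":
    print({first: audit(build_demo(first)) for first in (False, True)})
```

Run it against a copy of a real tree by calling `audit()` on the copied `sshd_config`; `sshd -T` remains the authoritative view of the settings the daemon will actually use.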