[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files
Hello Jeffrey,

Thank you for taking out time to file a bug and making the Ubuntu server better. It's a bit upsetting that you're hitting this bug.

Can you share your entire conf, please? This would help me better analyze the problem and help me reproduce it. While at it, could you also help me provide steps to reproduce this easily? I can make out the issue but having straightforward steps written will help me debug this fast enough.

That said, I found a link to stack exchange that might help:
https://unix.stackexchange.com/questions/218034/disabling-ssh-password-authentication-does-not-work-on-my-debian-vps
Let me know if it helps? Also, does restarting sshd help?

I am marking this bug as "Incomplete" for now. Once you provide the necessary details, please mark it back to "New" and then we can take a look and help debug further.

Thanks! :)

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1922212

Title:
  SSHD does not honor configuration files

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  I'm working on Ubuntu 20, x86_64, fully patched.

  # lsb_release -a
  Distributor ID: Ubuntu
  Description:    Ubuntu 20.04.2 LTS
  ...

  We are seeing reports of failed password-based logins using root:

  journalctl -xe
  ...
  Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
  Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
  ...

  There are three attempts every second or two (literally):

  # journalctl -xe | grep -i -c 'Failed password for root'
  324

  Our OpenSSH server is configured with both no-password based logins and no-root logins.

  # ls /etc/ssh/sshd_config.d/
  10_pubkey_auth.conf  20_disable_root_login.conf

  # cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf
  # Disable passwords
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  UsePAM no
  # Enable public key
  PubkeyAuthentication yes

  # cat /etc/ssh/sshd_config.d/20_disable_root_login.conf
  PermitRootLogin no

  The config files are included last in our /etc/ssh/sshd_config file:

  # tail -n 3 /etc/ssh/sshd_config
  # For some reason OpenSSH does not include additional conf files by default.
  Include /etc/ssh/sshd_config.d/*.conf

  I dislike modifying /etc/ssh/sshd_config since it will be overwritten by the distro. With that said, I modified it without success.

  It really annoys me that we can't secure this service. Something looks very broken here.

  -

  # apt-cache show openssh-server
  Package: openssh-server
  Architecture: amd64
  Version: 1:8.2p1-4ubuntu0.2
  Multi-Arch: foreign
  Priority: optional
  Section: net
  Source: openssh
  Origin: Ubuntu
  Maintainer: Ubuntu Developers
  Original-Maintainer: Debian OpenSSH Maintainers
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files
Hello Jeffrey, this reminds me a little of
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320 -- but it's also something that should have been addressed last year.

Thanks

Status in openssh package in Ubuntu:
  New
[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files
Something is really sideways here:

# sshd -T | grep -i -E 'password|pam|authentication|publickey'
usepam yes
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication no
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
permitemptypasswords no
authenticationmethods any
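The comparison made by hand in the message above (settings from the drop-in file against what `sshd -T` reports) can be scripted. This is an added example, not part of the original thread; the function names `normalize` and `audit_sshd` and the temporary file names are made up for illustration, and the sample input is copied from the drop-in file and the `sshd -T` output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the intended sshd directives
# are the ones sshd actually resolved, using a saved `sshd -T` dump.

# Emit "keyword value" per directive. Keywords are case-insensitive, so fold them.
normalize() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); print k, $0 }'
}

# audit_sshd INTENDED_FILE EFFECTIVE_FILE
# Prints one line per intended directive that is not in effect; returns 1 if any.
audit_sshd() {
    normalize < "$1" | awk -v eff="$2" '
        BEGIN {
            while ((getline line < eff) > 0) {
                k = line; sub(/ .*/, "", k)        # keyword: text before first space
                v = line; sub(/^[^ ]+ */, "", v)   # value: everything after it
                have[k] = v
            }
        }
        {
            k = $1; v = $0; sub(/^[^ ]+ */, "", v)
            if (!(k in have)) { print "MISSING " k " wanted=" v; bad++ }
            else if (have[k] != v) { print "MISMATCH " k " wanted=" v " effective=" have[k]; bad++ }
        }
        END { exit (bad > 0) }'
}

# Sample input: 10_pubkey_auth.conf as quoted in the report, and the matching
# lines of the `sshd -T` output quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/intended.conf" <<'EOF'
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# Enable public key
PubkeyAuthentication yes
EOF
cat > "$tmp/effective.txt" <<'EOF'
usepam yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication yes
EOF
audit_sshd "$tmp/intended.conf" "$tmp/effective.txt" ||
    echo "sshd is not running the intended settings"
```

On a live host the first argument would be the concatenated drop-in files and the second a dump written by `sshd -T` run as root.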
[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files
Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=109846. It is an old bug report (from 2001), but it says this is what we need:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

** Bug watch added: Debian Bug tracker #109846
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=109846
[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files
This gets worse. Adding the following to the tail of /etc/ssh/sshd_config does not configure the service properly.

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
PermitRootLogin no

The login attempts are still allowed:

Apr 01 09:31:10 localhost sshd[239597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root
Apr 01 09:31:13 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:16 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:19 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:20 localhost sshd[239597]: Received disconnect from 49.88.112.77 port 50368:11: [preauth]
Apr 01 09:31:20 localhost sshd[239597]: Disconnected from authenticating user root 49.88.112.77 port 50368 [preauth]
Apr 01 09:31:20 localhost sshd[239597]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root