** Description changed:

+ [Impact]
+ 
+ When using the "Match" phrase in sshd_config.d files, the configuration
+ does not apply. This leads to failures in user-specific configurations
+ such as with PasswordAuthentication.
+ 
+ The fix for this issue should be added to Focal to allow users to use
+ Match as expected.
+ 
+ The bug is fixed by backporting an upstream commit that includes custom
+ config files then runs all matches provided.
+ 
+ [Test Plan]
+ 
+ $ lxc launch images:ubuntu/focal test-ssh-focal
+ $ lxc exec test-ssh-focal bash
+ 
+ # apt update && apt upgrade -y
+ # apt install openssh-server
+ # adduser user
+ 
+ > ssh into container from another terminal to show pw auth is available
+ by default:
+ 
+ $ ssh user@<container-ip>
+ user@<container-ip>'s password:
+ 
+ # cat <<EOF >/etc/ssh/sshd_config.d/user.conf
+ Match User user
+   PasswordAuthentication No
+ Match All
+ EOF
+ 
+ # systemctl restart sshd
+ 
+ > Check again in other terminal
+ 
+ $ ssh user@<container-ip>
+ 
+ > Before the fix, it will show:
+ user@<container-ip>'s password:
+ 
+ > After, it will show
+ user@<container-ip>: Permission denied (publickey).
+ 
+ 
+ [Where problems could occur]
+ 
+ If problems were to occour, they would be in the interpretation of
+ configuration files. All changes from this fix exist in servconf.c. The
+ largest part of this change is a move from the inc_flags variable being
+ an integer to an integer pointer, so problems could show up through
+ changes to the flags in the pass by reference.
+ 
+ [Other Info]
+  
+ This issue has already been fixed in Jammy and later, as it was fixed in 
upstream version 8.4.
+ 
+ [Original Description]
+ 
  The stanza
  Match User <username>
-       PasswordAuthentication no
+  PasswordAuthentication no
  
  in /etc/ssh/sshd_config works as expected.
  
  The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.
  
  The Include in /etc/ssh/sshd_config is not commented out, and
  
  /usr/sbin/sshd -D -ddd
  
  shows the username.config file being parsed.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: openssh-server 1:8.2p1-4ubuntu0.5
  ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
  Uname: Linux 5.4.0-131-generic x86_64
  NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal 
falcon_lsm_pinned_14713
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Mon Mar 20 13:34:14 2023
  InstallationDate: Installed on 2022-11-04 (136 days ago)
  InstallationMedia:
-  
+ 
  SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with 
exit code 127: pkexec must be setuid root
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)
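Review bot: the [Test Plan] only confirms that the matched account loses password authentication. It never checks that an account not named in `Match User user` still gets the password prompt after the `Match All` line, which is the case the [Where problems could occur] text points at (flag changes carried through the pass by reference). Add a second `adduser` and an `ssh` attempt for that account, and correct "occour" to "occur" in the same section.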

https://bugs.launchpad.net/bugs/2012298

Title:
  PasswordAuthenticaion in sshd_config.d

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Focal:
  In Progress

Bug description:
  [Impact]

  When using the "Match" phrase in sshd_config.d files, the
  configuration does not apply. This leads to failures in user-specific
  configurations such as with PasswordAuthentication.

  The fix for this issue should be added to Focal to allow users to use
  Match as expected.

  The bug is fixed by backporting an upstream commit that includes
  custom config files then runs all matches provided.

  [Test Plan]

  $ lxc launch images:ubuntu/focal test-ssh-focal
  $ lxc exec test-ssh-focal bash

  # apt update && apt upgrade -y
  # apt install openssh-server
  # adduser user

  > ssh into container from another terminal to show pw auth is
  available by default:

  $ ssh user@<container-ip>
  user@<container-ip>'s password:

  # cat <<EOF >/etc/ssh/sshd_config.d/user.conf
  Match User user
    PasswordAuthentication No
  Match All
  EOF

  # systemctl restart sshd

  > Check again in other terminal

  $ ssh user@<container-ip>

  > Before the fix, it will show:
  user@<container-ip>'s password:

  > After, it will show
  user@<container-ip>: Permission denied (publickey).

  
  [Where problems could occur]

  If problems were to occur, they would be in the interpretation of
  configuration files. All changes from this fix exist in servconf.c.
  The largest part of this change is a move from the inc_flags variable
  being an integer to an integer pointer, so problems could show up
  through changes to the flags in the pass by reference.

  [Other Info]
   
  This issue has already been fixed in Jammy and later, as it was fixed
  in upstream version 8.4.

  [Original Description]

  The stanza
  Match User <username>
   PasswordAuthentication no

  in /etc/ssh/sshd_config works as expected.

  The same stanza in /etc/ssh/sshd_config.d/username.conf does not work.

  The Include in /etc/ssh/sshd_config is not commented out, and

  /usr/sbin/sshd -D -ddd

  shows the username.config file being parsed.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: openssh-server 1:8.2p1-4ubuntu0.5
  ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210
  Uname: Linux 5.4.0-131-generic x86_64
  NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Mon Mar 20 13:34:14 2023
  InstallationDate: Installed on 2022-11-04 (136 days ago)
  InstallationMedia:

  SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)
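
The check the test plan performs by hand, as an added example that is not part of the bug report or of OpenSSH: it lists the settings declared in `Match User` blocks under `sshd_config.d` and compares each with what `sshd -T -C` reports for that user. The function names and the `SSHD` and `DROPIN_DIR` overrides are assumptions of this example, and only the single-user `Match User <name>` form with simple values such as yes/no is handled.

```shell
#!/bin/bash
# Added example: flag drop-in "Match User" settings that sshd does not report
# as effective. SSHD and DROPIN_DIR can be overridden (assumption of this
# example) so the check can be exercised against a stub.
SSHD="${SSHD:-/usr/sbin/sshd}"
DROPIN_DIR="${DROPIN_DIR:-/etc/ssh/sshd_config.d}"

# Print "user keyword value" for every setting inside a "Match User <name>"
# block of a drop-in file. Any other Match line ends the tracked block.
declared_user_settings() {
    for f in "$DROPIN_DIR"/*.conf; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ || NF == 0 { next }
            tolower($1) == "match" {
                user = (NF == 3 && tolower($2) == "user") ? $3 : ""
                next
            }
            user != "" && NF >= 2 { print user, tolower($1), tolower($2) }
        ' "$f"
    done
}

# Ask sshd for the effective value of one keyword for a given user.
effective_value() {   # $1 = user, $2 = keyword in lowercase
    "$SSHD" -T -C "user=$1,host=localhost,addr=127.0.0.1" 2>/dev/null |
        awk -v k="$2" '$1 == k { print tolower($2); exit }'
}

# Print one line per declared setting that sshd does not apply to that user;
# return non-zero if there is at least one.
audit_dropin_matches() {
    rc=0
    while read -r user key want; do
        [ -n "$user" ] || continue
        got=$(effective_value "$user" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH user=$user $key: declared=$want effective=${got:-unset}"
            rc=1
        fi
    done <<EOF
$(declared_user_settings)
EOF
    return "$rc"
}
```

Source the file and run `audit_dropin_matches` as root, since `sshd -T` needs to read the host keys.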
