SSHD does not honor configuration files

Bug #1922212 reported by Jeffrey Walton
This bug affects 1 person
Affects: openssh (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm working on Ubuntu 20, x86_64, fully patched.

   # lsb_release -a
   Distributor ID: Ubuntu
   Description: Ubuntu 20.04.2 LTS
   ...

We are seeing reports of failed password-based logins using root:

   journalctl -xe
   ...
   Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
   Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
   ...

There are three attempts every second or two (literally):

   # journalctl -xe | grep -i -c 'Failed password for root'
   324

Our OpenSSH server is configured with both no password-based logins and no root logins.

   # ls /etc/ssh/sshd_config.d/
   10_pubkey_auth.conf 20_disable_root_login.conf

   # cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf
   # Disable passwords
   PasswordAuthentication no
   ChallengeResponseAuthentication no
   UsePAM no
   # Enable public key
   PubkeyAuthentication yes

   # cat /etc/ssh/sshd_config.d/20_disable_root_login.conf
   PermitRootLogin no

The config files are included last in our /etc/ssh/sshd_config file:

   # tail -n 3 /etc/ssh/sshd_config

   # For some reason OpenSSH does not include additional conf files by default.
   Include /etc/ssh/sshd_config.d/*.conf

I dislike modifying /etc/ssh/sshd_config since it will be overwritten by the distro. With that said, I modified it without success.

It really annoys me that we can't secure this service. Something looks very broken here.

-----

# apt-cache show openssh-server
Package: openssh-server
Architecture: amd64
Version: 1:8.2p1-4ubuntu0.2
Multi-Arch: foreign
Priority: optional
Section: net
Source: openssh
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian OpenSSH Maintainers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug

Jeffrey Walton (noloader) wrote :

This gets worse. Adding the following to the tail of /etc/ssh/sshd_config does not configure the service properly.

   PasswordAuthentication no
   ChallengeResponseAuthentication no
   UsePAM no
   PubkeyAuthentication yes
   PermitRootLogin no

The login attempts are still allowed:

Apr 01 09:31:10 localhost sshd[239597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root
Apr 01 09:31:13 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:16 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:19 localhost sshd[239597]: Failed password for root from 49.88.112.77 port 50368 ssh2
Apr 01 09:31:20 localhost sshd[239597]: Received disconnect from 49.88.112.77 port 50368:11: [preauth]
Apr 01 09:31:20 localhost sshd[239597]: Disconnected from authenticating user root 49.88.112.77 port 50368 [preauth]
Apr 01 09:31:20 localhost sshd[239597]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.77 user=root

Jeffrey Walton (noloader) wrote :

Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=109846. It is an old bug report (from 2001), but it says this is what we need:

   PasswordAuthentication no
   ChallengeResponseAuthentication no
   UsePAM no

Jeffrey Walton (noloader) wrote :

Something is really sideways here:

# sshd -T | grep -i -E 'password|pam|authentication|publickey'
usepam yes
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication no
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
permitemptypasswords no
authenticationmethods any
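As an added check (example code, not from the bug report or the Ubuntu package), a small POSIX shell script that reads `sshd -T` output and flags every keyword whose effective value differs from a hardening baseline. The sample input is the filtered `sshd -T | grep ...` output quoted in the comment above, so permitrootlogin is reported as missing; a second constructed sample shows a host where the baseline is applied.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the effective sshd
# configuration printed by `sshd -T` with a hardening baseline. `sshd -T`
# shows what a newly started sshd would load, not what the running one uses.

# Baseline in the lowercase keyword=value form that `sshd -T` prints.
SSHD_BASELINE='passwordauthentication=no
challengeresponseauthentication=no
kbdinteractiveauthentication=no
usepam=no
permitrootlogin=no
pubkeyauthentication=yes'

# Reads `sshd -T` output on stdin, prints one line per deviation
# ("<keyword> expected=<want> actual=<have>"), returns 0 only if none.
check_sshd_config() {
    effective=$(cat)
    drift=$(printf '%s\n' "$SSHD_BASELINE" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf '%s expected=%s actual=<missing>\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done)
    [ -n "$drift" ] && printf '%s\n' "$drift"
    [ -z "$drift" ]
}

# Constructed sample: the filtered `sshd -T | grep ...` output from the
# report; that grep pattern drops permitrootlogin, so it shows as missing.
SAMPLE_SSHD_T='usepam yes
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication no
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
permitemptypasswords no
authenticationmethods any'

# Constructed sample from a host where the baseline is fully applied.
SAMPLE_HARDENED='usepam no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
permitrootlogin no'
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_config || echo "drift from baseline detected"
```

On a live host run `sshd -T | sh -c '. ./check.sh'` style, piping the unfiltered output in as root. Keep in mind that sshd_config uses the first obtained value for each keyword, so an Include placed at the end of the file cannot override a keyword already set earlier in it, and a config change only takes effect once sshd is restarted or reloaded.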

Seth Arnold (seth-arnold) wrote :

Hello Jeffrey, this reminds me a little of https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320 -- but it's also something that should have been addressed last year.

Thanks

Utkarsh Gupta (utkarsh) wrote :

Hello Jeffrey,

Thank you for taking the time to file a bug and making the Ubuntu server better.

It's a bit upsetting that you're hitting this bug. Can you share your entire conf, please? This would help me better analyze the problem and help me reproduce it.

While at it, could you also help me provide steps to reproduce this easily? I can make out the issue but having straightforward steps written will help me debug this fast enough.

That said, I found a link to stack exchange that might help: https://unix.stackexchange.com/questions/218034/disabling-ssh-password-authentication-does-not-work-on-my-debian-vps
Let me know if it helps? Also, does restarting sshd help?

I am marking this bug as "Incomplete" for now. Once you provide the necessary details, please mark it back to "New" and then we can take a look and help debug further. Thanks! :)

Changed in openssh (Ubuntu):
status: New → Incomplete