debcrafters-packages team mailing list archive

Thread
Date

[Bug 2128863] Re: Setting the debconf "openssh-server/permit-root-login" option to false ENABLES root logins when it should disable them

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: HG <2128863@xxxxxxxxxxxxxxxxxx>
Date: Sat, 18 Oct 2025 01:50:20 -0000
Reply-to: Bug 2128863 <2128863@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

I've looked at the source code.

Colin (cjwatson) writes as a comment in openssh-server.postinst:

> # XXX cjwatson 2016-12-24: This debconf template is very confusingly
> # named; its description is "Disable SSH password authentication for
> # root?", so true -> prohibit-password (the upstream default),
> # false -> yes.

This is conflict with https://canonical-subiquity.readthedocs-
hosted.com/en/latest/reference/autoinstall-reference.html#debconf-
selections:

> autoinstall:
>  # Disable SSH root login and start the ufw firewall automatically
>  debconf-selections: |
>    openssh-server openssh-server/permit-root-login boolean false
>    ufw ufw/enable boolean true

And is also in conflict with what someone who configures systems using
Preseed files or autoinstall.yaml files fed to Subiquity, and who hence
_never sees_ the Whiptail screen with the description in it, would
expect from an option called "permit-root-login".

I also don't foresee a circumstance in which anyone would configure a
production system to allow root to login over SSH using a password, so a
choice between "prohibit-password" and "no" would be of more practical
use.  I acknowledge that this would be a breaking change for people who
set up their SSH servers really insecurely.

The ability to use debconf to set any of "yes", "prohibit-password",
"forced-commands-only", or "no" would be even better.  I acknowledge
that this would be a breaking change for people who use debconf to pre-
configure packages because of the change of data type from boolean to
something else.

One of three things should happen:
- Canonical should update the Subiquity docs to reflect the current behaviour of the package, so as not to mislead people.  This is the least-desirable option because it doesn't improve the useful options available to people who use debconf to pre-configure packages.  However, this is the option that is under Canonical's control.
- The package maintainers replace "yes" with "no" in the postinst and update the debconf template description to reflect this.  This would require agreement from the Debian project.
- The package maintainers enable all of "yes", "prohibit-password", "forced-commands-only", or "no" in debconf.  Again, this would require agreement from the Debian project.


** Attachment added: "command-output-installed-os.txt"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2128863/+attachment/5918590/+files/command-output-installed-os.txt

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2128863

Title:
  Setting the debconf "openssh-server/permit-root-login" option to false
  ENABLES root logins when it should disable them

Status in openssh package in Ubuntu:
  New

Bug description:
  Given: the attached autoinstall.yaml file being placed in the root of
  an Ubuntu Desktop 24.04.3 LTS bootable USB stick.

  When I: boot the laptop from the USB stick and accept the
  autoinstall.yaml file as my choices to install Ubuntu.

  I get:
  - The laptop reboots into an installed OS and I can login as the test user with password "test", BUT...
  - The SSH daemon is accepting root logins *with a password*, not even the default key-only logins.  The configuration directive has been changed from the default, but to the wrong thing.
  - After booting into the installed OS, debconf-get-selection shows the debconf-selections from the autoinstall.yaml file.
  - If I `apt purge openssh-server ; apt install ssh`, the SSH daemon is still misconfigured.
  - If I manually say `echo "openssh-server	openssh-server/permit-root-login	boolean	false" | debconf-set-selections` and then purge and reinstall the SSH daemon, I get the default config.

  I expected:
  - The SSH daemon to disallow root logins.

  Other information:

  At first I thought this was a problem with Subiquity, but the problems
  persist even with manual intervention to the installed system.
  Therefore I think that the problem is with the packaging of OpenSSH
  server.

  When I used Apt to download the openssh-server 1:9.6p1-3ubuntu13.14
  package, which is the latest version available in 24.04.03 LTS, I saw
  in the postinst file the following:

      75         db_get openssh-server/permit-root-login
      76         permit_root_login="$RET"
      77         db_get openssh-server/password-authentication
      78         password_authentication="$RET"
      79 
      80         trap cleanup EXIT
      81         new_config="$(mktemp)"
      82         cp -aZ /usr/share/openssh/sshd_config "$new_config"
      83         if [ "$permit_root_login" != true ]; then
      84                 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
      85                         "$new_config"
      86         fi

  I think line 84 is meant to say:

          sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' \

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2128863/+subscriptions

References

[Bug 2128863] [NEW] Setting the debconf "openssh-server/permit-root-login" option to false ENABLES root logins when it should disable them
From: HG, 2025-10-17