debcrafters-packages team mailing list archive

[Bug 2128868] Re: Incorrect documentation about debconf options for openssh-server

 

** Attachment added: "autoinstall.yaml used to install Ubuntu Desktop 24.04.3 LTS"
   https://bugs.launchpad.net/subiquity/+bug/2128868/+attachment/5918591/+files/bugreport.yaml

** Also affects: openssh (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: openssh (Ubuntu)

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2128868

Title:
  Incorrect documentation about debconf options for openssh-server

Status in subiquity:
  New

Bug description:
  Given: the attached autoinstall.yaml file being placed in the root of
  an Ubuntu Desktop 24.04.3 LTS bootable USB stick.

  When I: boot the laptop from the USB stick and accept the
  autoinstall.yaml file as my choices to install Ubuntu.

  I get:
  - The laptop reboots into an installed OS and I can login as the test user with password "test", BUT...
  - The SSH daemon is accepting root logins *with a password*, not even the default key-only logins.  The configuration directive has been changed from the default, but to the wrong thing.
  - After booting into the installed OS, debconf-get-selections shows the debconf-selections from the autoinstall.yaml file.
  - If I `apt purge openssh-server ; apt install ssh`, the SSH daemon is still misconfigured.
  - If I manually say `echo "openssh-server	openssh-server/permit-root-login	boolean	false" | debconf-set-selections` and then purge and reinstall the SSH daemon, I get the default config.

  I expected:
  - The SSH daemon to disallow root logins.

  Other information:

  My initial diagnostic work for this issue is documented at
  https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2128863

  When I looked at the source code for the package, I saw that Colin
  (cjwatson), one of the upstream package maintainers at Debian, writes
  as a comment in openssh-server.postinst:

  > # XXX cjwatson 2016-12-24: This debconf template is very confusingly
  > # named; its description is "Disable SSH password authentication for
  > # root?", so true -> prohibit-password (the upstream default),
  > # false -> yes.

  This is in conflict with
  https://canonical-subiquity.readthedocs-hosted.com/en/latest/reference/autoinstall-reference.html#debconf-selections:

  > autoinstall:
  > # Disable SSH root login and start the ufw firewall automatically
  >   debconf-selections: |
  >     openssh-server openssh-server/permit-root-login boolean false
  >     ufw ufw/enable boolean true

  "Disable SSH root login" is _not_ what happens, so the Subiquity
  documentation doesn't reflect the facts on the ground.  As long as the
  package enables password-based logins for root when this debconf
  selection is used, the documentation should reflect the installed
  reality.

  A workaround that you could add to the Subiquity docs is:

  autoinstall:
    late-commands:
    - sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /target/etc/ssh/sshd_config

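
Added example (not part of the original bug report, and not code from the openssh package or Subiquity): a POSIX shell check that reads debconf selections, either the autoinstall.yaml text or the output of debconf-get-selections, and reports the PermitRootLogin value that results according to the postinst comment quoted in the report. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Mapping taken from the postinst comment quoted in the bug report:
#   openssh-server/permit-root-login true  -> PermitRootLogin prohibit-password
#   openssh-server/permit-root-login false -> PermitRootLogin yes

# effective_root_login (hypothetical helper): read selections on stdin and
# print the resulting PermitRootLogin value, or "unset" if no answer is given.
# awk splits on spaces and tabs, so both the indented lines of an
# autoinstall.yaml block and tab-separated debconf-get-selections output match.
effective_root_login() {
    awk '
        $1 == "openssh-server" &&
        $2 == "openssh-server/permit-root-login" &&
        $3 == "boolean" { answer = $4 }   # last answer wins
        END {
            if (answer == "true")       print "prohibit-password"
            else if (answer == "false") print "yes"
            else                        print "unset"
        }'
}

# audit_selections (hypothetical helper): return 1 when the selections on
# stdin would leave root password logins enabled, 0 otherwise.
audit_selections() {
    result=$(effective_root_login)
    case "$result" in
        yes)
            echo "WARNING: permit-root-login=false yields PermitRootLogin yes"
            return 1 ;;
        *)
            echo "ok: PermitRootLogin will be '$result'"
            return 0 ;;
    esac
}

# Constructed sample input, mirroring the documentation snippet in the report.
SAMPLE='autoinstall:
  debconf-selections: |
    openssh-server openssh-server/permit-root-login boolean false
    ufw ufw/enable boolean true'

# Demo run; "|| true" keeps the script's exit status clean for the warning case.
printf '%s\n' "$SAMPLE" | audit_selections || true
```

On an installed system, `debconf-get-selections | audit_selections` runs the same check, and `sshd -T | grep -i permitrootlogin` shows the value the daemon actually uses.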