debcrafters-packages team mailing list archive

Thread
Date

[Bug 2128863] Re: Setting the debconf "openssh-server/permit-root-login" option to false ENABLES root logins when it should disable them

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Simon Poirier <2128863@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Oct 2025 01:46:09 -0000
Reply-to: Bug 2128863 <2128863@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Also affects: subiquity
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2128863

Title:
  Setting the debconf "openssh-server/permit-root-login" option to false
  ENABLES root logins when it should disable them

Status in subiquity:
  New
Status in openssh package in Ubuntu:
  New

Bug description:
  Given: the attached autoinstall.yaml file being placed in the root of
  an Ubuntu Desktop 24.04.3 LTS bootable USB stick.

  When I: boot the laptop from the USB stick and accept the
  autoinstall.yaml file as my choices to install Ubuntu.

  I get:
  - The laptop reboots into an installed OS and I can login as the test user with password "test", BUT...
  - The SSH daemon is accepting root logins *with a password*, not even the default key-only logins.  The configuration directive has been changed from the default, but to the wrong thing.
  - After booting into the installed OS, debconf-get-selection shows the debconf-selections from the autoinstall.yaml file.
  - If I `apt purge openssh-server ; apt install ssh`, the SSH daemon is still misconfigured.
  - If I manually say `echo "openssh-server	openssh-server/permit-root-login	boolean	false" | debconf-set-selections` and then purge and reinstall the SSH daemon, I get the default config.

  I expected:
  - The SSH daemon to disallow root logins.

  Other information:

  At first I thought this was a problem with Subiquity, but the problems
  persist even with manual intervention to the installed system.
  Therefore I think that the problem is with the packaging of OpenSSH
  server.

  When I used Apt to download the openssh-server 1:9.6p1-3ubuntu13.14
  package, which is the latest version available in 24.04.03 LTS, I saw
  in the postinst file the following:

      75         db_get openssh-server/permit-root-login
      76         permit_root_login="$RET"
      77         db_get openssh-server/password-authentication
      78         password_authentication="$RET"
      79 
      80         trap cleanup EXIT
      81         new_config="$(mktemp)"
      82         cp -aZ /usr/share/openssh/sshd_config "$new_config"
      83         if [ "$permit_root_login" != true ]; then
      84                 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
      85                         "$new_config"
      86         fi

  I think line 84 is meant to say:

          sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' \

To manage notifications about this bug go to:
https://bugs.launchpad.net/subiquity/+bug/2128863/+subscriptions

References

[Bug 2128863] [NEW] Setting the debconf "openssh-server/permit-root-login" option to false ENABLES root logins when it should disable them
From: HG, 2025-10-17