Important: Action Required to Fix SSH Misconfiguration

Posted 5 months ago by Jake Yip

Jake Yip Admin

Dear User,


We are writing to inform you of a potential SSH misconfiguration in specific older Nectar images. These images were replaced to prevent further issues as soon as we were aware of this misconfiguration. However, you will need to fix any virtual machines that have been created using these images.


How it impacts you

This misconfiguration in Nectar images by itself does not cause a security vulnerability. The affected Nectar images still include security measures that protect your instances. These include:

  • no default passwords, and

  • the use of fail2ban to limit brute force attempts.


However, you may be vulnerable if you have done one or more of the following:

  • set a password for default users,

  • created new users with passwords, or

  • disabled fail2ban.


To check if your virtual machine is affected, please check if it is using one of the following images:


| Image ID | Name |
|---|---|
| bd174643-c406-4581-b334-cb62dc62c886 | NeCTAR Ubuntu 20.04 LTS (Focal) amd64 [v18] |
| eb7cb14b-c7c7-4f37-9bb9-bb0c8496973d | NeCTAR Ubuntu 20.04 LTS (Focal) amd64 (NVIDIA vGPU) [v22] |
| 50b9e3d6-7c4c-4571-8c0c-9966a765bd73 | NeCTAR Ubuntu 22.04 LTS (Jammy) amd64 |
| b95c0ef8-9358-4bc7-b8fc-15500234794e | NeCTAR Ubuntu 22.04 LTS (Jammy) amd64 [v19] |
| 105cb1fe-52a4-4f43-ba1e-a9e0ec02e425 | NeCTAR Ubuntu 22.04 LTS (Jammy) amd64 [v20] |
| 6d3f97ed-e302-4d5b-a315-5a65192955a8 | NeCTAR Ubuntu 22.04 LTS (Jammy) amd64 (NVIDIA vGPU) [v20] |
| 456aacc0-c98e-467e-97ba-06f37ccf7ef9 | NeCTAR Ubuntu 22.04 LTS (Jammy) amd64 (NVIDIA vGPU) [v21] |
| b85d37ba-28ae-4679-b051-4ba05f3524f6 | NeCTAR Ubuntu 24.04 LTS (Noble) amd64 [v23] |
| be9d0f8c-3f6c-4f68-a985-db27232719d4 | NeCTAR Microsoft Windows Server 2022 Datacenter x86_64 [v10] |



If you are affected, please either:

  1. Recreate the virtual machine (preferred solution), or

  2. Edit the SSH configuration (as a workaround).

A. Recreate the virtual machine

Build a new virtual machine using one of the newer official Nectar images containing the fix. The listed Nectar images with an SSH misconfiguration have been replaced to prevent future issues, so any new instances will not be affected. Recreating your virtual machine is the best way to resolve this issue, as it ensures you are starting off with a clean image.


B. Edit the SSH configuration

This will fix the vulnerability; however, you must remember to reapply this fix every time you rebuild your virtual machine.


1. Run the following command in a terminal:


sudo sshd -T | grep passwordauthentication


The output should be `passwordauthentication no`. If it says `passwordauthentication yes`, your virtual machine is affected.


2. Fix the offending file:


sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config.d/50-cloud-init.conf


3. Restart the SSH service:


sudo systemctl restart ssh


4. Check if this fixes the SSH issue:


sudo sshd -T | grep passwordauthentication


The output should be `passwordauthentication no`.
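If step 4 still reports `passwordauthentication yes`, another drop-in file may be setting the keyword before `50-cloud-init.conf` is read. The script below is an added example, not part of the original announcement: it lists every `*.conf` file in a directory that sets `PasswordAuthentication` and reports the value that takes effect. The function names, the sample directory and `10-local.conf` are constructed for illustration, and it assumes the Ubuntu layout in which `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` before its own settings.

```shell
# Added example; the sample directory and file names below are constructed.
# Assumption: Ubuntu layout, where /etc/ssh/sshd_config includes
# /etc/ssh/sshd_config.d/*.conf before its own settings. sshd keeps the
# first value it reads for a keyword, so the lowest-sorting drop-in wins.

# Print "file:value" for each PasswordAuthentication line in DIR/*.conf,
# in glob (lexical) order. Match blocks are not interpreted.
list_password_auth() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -F'[ \t=]+' -v name="${f##*/}" '
            { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # strip comments, indent
            tolower($1) == "passwordauthentication" { print name ":" tolower($2) }
        ' "$f"
    done
}

# Print the value sshd would take from the drop-ins: "yes", "no" or "unset".
effective_password_auth() {
    v=$(list_password_auth "$1" | head -n 1)
    if [ -n "$v" ]; then echo "${v#*:}"; else echo "unset"; fi
}

# Constructed sample: an earlier drop-in also enables passwords.
make_sample() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-cloud-init.conf"
    printf '# local override\npasswordauthentication=yes\n' > "$d/10-local.conf"
    echo "$d"
}

demo() {
    d=$(make_sample)
    # The fix from step 2, applied to the sample copy of 50-cloud-init.conf
    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' "$d/50-cloud-init.conf"
    list_password_auth "$d"          # shows every file that sets the keyword
    effective_password_auth "$d"     # still "yes": 10-local.conf is read first
    rm -rf "$d"
}
demo
```

On a real instance, run `list_password_auth /etc/ssh/sshd_config.d` to see which files need editing; `sudo sshd -T` remains the authoritative check of the effective setting.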



If you have any questions or need further assistance, please do not hesitate to contact our support team by replying to the support email you were sent.


We apologise for any inconvenience, and appreciate your understanding and cooperation.

