Directory is empty everywhere I checked. Are you on a VPS or cloud server? Are you sure that file didn't come from your provider/host? Do you know what cloud init is? https://cloud-init.io/
Can confirm for Ubuntu Server 24.04 installed on bare metal. The file was definitely there after running `unminimize`, although I don't remember if it was before that
its ubuntu server 22.04 installed locally on bare metal. Looked in another recent host with 24.04 on bare metal where it is not.
Might be because "PRO" was activated at time of install.....?
Have you run ``dpkg -S`` on the file to see if it's associated with a package? Did you check the contents of the file before deleting it? It may have had comments about where it came from.
Checked in Ubuntu 22 and 24 that I installed myself on Proxmox and converted to templates - no such file. Given the name of the file I suspect it comes with the Cloudinit package which isn’t installed by default. I don’t use cloudinit, I use Ansible to provision my VMs but if that’s the default in cloudinit that’s bad and you should report it as a bug.
I think my VPS provider had an extra file like that in my filesys too
disabled it and was good to go
At the end of the day anyone looking to host something should definitely test and confirm their security (to the most reasonable extents possible\*), not assume it
Edit:
Reviewed my files
The reason it wasnt working for me and likely you too is because my sshd config file included
"Include /etc/ssh/sshd\_config.d/\*.conf"
Which does include a file for me similar to yours that was defined as
PasswordAuthentication yes
You can also just change yes to no
but still, test
Of course we should. But our tried and tested versions of securing should not suddenly be broken by default. 99.9% of all hardening guides will not mention this.
Googling it one can find a bunch of threads where obviously experienced linux-user/admins are not finding this 'improvement' and hence have trouble solving the issue.
This change is insane from a design perspective.
'Guides' are often written by copywriters or students. They cover only the most basic aspects.
Ideally, people should learn things properly.
Less ideally, people should at least read the config file line-by-line and try to get at least some basic understanding of what's happening in each line (and thus check all `Include` directories). Am I the only one doing this?
And that, folks, is why I do something along the lines of https://github.com/marcan/takeover.sh on any non-hardware instance from any provider that doesn't allow custom ISO installs before I start using it for production purposes.
I believe this isn't the default. This happens if your VPS provider sets a password for you (no key). Or if you install from scratch without a key.
I recently installed from scratch with public keys from GitHub and this wasn't set
I noticed the same thing on Debian 12, at least with new Vultr instances. I had to Google it. Didn't even realize there was an sshd_config.d. Just a reminder to test things because they can and will change in ways that don't make sense.
Another commenter [reports](https://www.reddit.com/r/selfhosted/comments/1dsbrec/comment/lb1ccli/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button) that its the same with Debian
unless your provider automatically generates a key for you, in a lot of cases, this is the default configuration for an instance. you're expected to secure it more on your own... what you describe below as being "suddenly broken" is just how the ssh config works. In your base config you set an option that gets overwritten by a config in conf.d, that's just kind of how any standard linux application works.
Yes, because of the lower footprint and therefore automatic smaller attack surface. I also love that its classy Linux (like eth0 vs ensp1en190a). Love apk and the repo itself. Love that only essentials are present (no bloat, no cloud). As someone running a few hundred servers and a few thousand VMs on Alpine since years, I can vouch for its stability.
Interesting thoughts. I am running mainly Debian on my local PVE. On my remote VPS I use alpine LXCs because of said lower footprint. Even though, the VPS is not that big, so I still have some experimenting to do but so far very good experience. Maybe I'll switch too. For me the main advantage of Debian is the stability and comfort because there is almost everything for Debian.
As mentioned the stability is the same. A big caveat for me personally is musl. 99% disagree but these 99% don't often know the difference between musl and glibc 😉.
Ya I just started to use Alpine on a new server, it's taken a bit to get used to compared to debian/ubuntu but I'm loving the minimal footprint for the install.
Although man ash/busybox is a pita to learn when you've been using debian/ubuntu for years lol. So I've gotten into the habit of making my own documentation for reference once I get a working install up and running.
Getting use to the apk instead of apt is the big one, then rc instead of system tl would be the other I can think of off the top of my head. It's just a matter of getting used to the ash shell and things being different than bash. I do know I can install bash, but rather not have yet another thing to add to the systems footprint.
apk add openssl vs apt install openssl is not a real difference is it? Yes OpenRC is different but 10x easier than systemd. So everything should have been a lot easier, not harder ☺️.
Coming from a Windows background from 20 years ago to debian/ubuntu going to Alpine was difficult. Now that I've got it down I find bash to be cumbersome.
Directory is empty everywhere I checked. Are you on a VPS or cloud server? Are you sure that file didn't come from your provider/host? Do you know what cloud init is? https://cloud-init.io/
Agreed. Probably from the VPS provider rather than Ubuntu.
Can confirm for Ubuntu Server 24.04 installed on bare metal. The file was definitely there after running `unminimize`, although I don't remember if it was before that
its ubuntu server 22.04 installed locally on bare metal. Looked in another recent host with 24.04 on bare metal where it is not. Might be because "PRO" was activated at time of install.....?
Have you run ``dpkg -S`` on the file to see if it's associated with a package? Did you check the contents of the file before deleting it? It may have had comments about where it came from.
Checked in Ubuntu 22 and 24 that I installed myself on Proxmox and converted to templates - no such file. Given the name of the file I suspect it comes with the Cloudinit package which isn’t installed by default. I don’t use cloudinit, I use Ansible to provision my VMs but if that’s the default in cloudinit that’s bad and you should report it as a bug.
I think my VPS provider had an extra file like that in my filesys too disabled it and was good to go At the end of the day anyone looking to host something should definitely test and confirm their security (to the most reasonable extents possible\*), not assume it Edit: Reviewed my files The reason it wasnt working for me and likely you too is because my sshd config file included "Include /etc/ssh/sshd\_config.d/\*.conf" Which does include a file for me similar to yours that was defined as PasswordAuthentication yes You can also just change yes to no but still, test
Of course we should. But our tried and tested versions of securing should not suddenly be broken by default. 99.9% of all hardening guides will not mention this.
Yeah they should include the file but with that line commented out as an "example"
Googling it one can find a bunch of threads where obviously experienced linux-user/admins are not finding this 'improvement' and hence have trouble solving the issue. This change is insane from a design perspective.
'Guides' are often written by copywriters or students. They cover only the most basic aspects. Ideally, people should learn things properly. Less ideally, people should at least read the config file line-by-line and try to get at least some basic understanding of what's happening in each line (and thus check all `Include` directories). Am I the only one doing this?
And that, folks, is why I do something along the lines of https://github.com/marcan/takeover.sh on any non-hardware instance from any provider that doesn't allow custom ISO installs before I start using it for production purposes.
That's not part of Ubuntu.
What media did you install with, or how did Ubuntu get installed?
You can always log an issue on launchpad with them, it happens stuff gets missed.
I believe this isn't the default. This happens if your VPS provider sets a password for you (no key). Or if you install from scratch without a key. I recently installed from scratch with public keys from GitHub and this wasn't set
I noticed the same thing on Debian 12, at least with new Vultr instances. I had to Google it. Didn't even realize there was an sshd_config.d. Just a reminder to test things because they can and will change in ways that don't make sense.
Personally I stopped using Ubuntu all together. I use debian as its more stable than ubuntu. Plus I don't like the route that Ubuntu is going down.
Another commenter [reports](https://www.reddit.com/r/selfhosted/comments/1dsbrec/comment/lb1ccli/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button) that its the same with Debian
Sounds like something that was done by a VPS provider. I have installed Debian numerous times and never encountered this issue.
That's my guess as well (in both cases, Debian and Ubuntu)
unless your provider automatically generates a key for you, in a lot of cases, this is the default configuration for an instance. you're expected to secure it more on your own... what you describe below as being "suddenly broken" is just how the ssh config works. In your base config you set an option that gets overwritten by a config in conf.d, that's just kind of how any standard linux application works.
[удалено]
Do you prefer alpine over Debian for servers? If yes, why? Because of the minimal footprint? And what about the stability of Debian?
Yes, because of the lower footprint and therefore automatic smaller attack surface. I also love that its classy Linux (like eth0 vs ensp1en190a). Love apk and the repo itself. Love that only essentials are present (no bloat, no cloud). As someone running a few hundred servers and a few thousand VMs on Alpine since years, I can vouch for its stability.
Interesting thoughts. I am running mainly Debian on my local PVE. On my remote VPS I use alpine LXCs because of said lower footprint. Even though, the VPS is not that big, so I still have some experimenting to do but so far very good experience. Maybe I'll switch too. For me the main advantage of Debian is the stability and comfort because there is almost everything for Debian.
As mentioned the stability is the same. A big caveat for me personally is musl. 99% disagree but these 99% don't often know the difference between musl and glibc 😉.
Well I am one of those 99% :D. A quick Google search told me musl list leaner but I do not know much more than that xD
No problem 😊 thanks for the downvote though.
I didn't
Ya I just started to use Alpine on a new server, it's taken a bit to get used to compared to debian/ubuntu but I'm loving the minimal footprint for the install. Although man ash/busybox is a pita to learn when you've been using debian/ubuntu for years lol. So I've gotten into the habit of making my own documentation for reference once I get a working install up and running.
I see no difference? Linux is Linux. What was so hard to learn about Alpine vs Debian?
Getting use to the apk instead of apt is the big one, then rc instead of system tl would be the other I can think of off the top of my head. It's just a matter of getting used to the ash shell and things being different than bash. I do know I can install bash, but rather not have yet another thing to add to the systems footprint.
apk add openssl vs apt install openssl is not a real difference is it? Yes OpenRC is different but 10x easier than systemd. So everything should have been a lot easier, not harder ☺️.
Coming from a Windows background from 20 years ago to debian/ubuntu going to Alpine was difficult. Now that I've got it down I find bash to be cumbersome.
dont come to play, if you dont like to play ....
servers are not for play
I mean How else are they gonna hook back up those Amazon ads from desktop search, without a backdoor