Add debconf template to disable password auth

The new template is called openssh-server/password-authentication, and
is preseeding-only (at least for now).

Closes: #878945

5 files changed, 25 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index b8e2d9a65..ac07964fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:7.6p1-4) UNRELEASED; urgency=medium
 
   * Move VCS to salsa.debian.org.
+  * Add a preseeding-only openssh-server/password-authentication debconf
+    template that can be used to disable password authentication (closes:
+    #878945).
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 22 Jan 2018 01:24:57 +0000
 
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
index 1cad01cff..4a66a35e9 100644
--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -17,6 +17,7 @@ get_config_option() {
 }
 
 permit_root_login="$(get_config_option PermitRootLogin)" || true
+password_authentication="$(get_config_option PasswordAuthentication)" || true
 if [ -f /etc/ssh/sshd_config ]; then
         # Make sure the debconf database is in sync with the current state
         # of the system.
@@ -25,6 +26,11 @@ if [ -f /etc/ssh/sshd_config ]; then
         else
                 db_set openssh-server/permit-root-login true
         fi
+        if [ "$password_authentication" = no ]; then
+                db_set openssh-server/password-authentication false
+        else
+                db_set openssh-server/password-authentication true
+        fi
 fi
 
 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 94a47da20..ae273e9c8 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -88,6 +88,8 @@ create_sshdconfig() {
         # false -> yes.
         db_get openssh-server/permit-root-login
         permit_root_login="$RET"
+        db_get openssh-server/password-authentication
+        password_authentication="$RET"
 
         trap cleanup EXIT
         new_config="$(tempfile)"
@@ -96,6 +98,10 @@ create_sshdconfig() {
                 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
                         "$new_config"
         fi
+        if [ "$password_authentication" != true ]; then
+                sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+                        "$new_config"
+        fi
         mkdir -p /etc/ssh
         ucf --three-way --debconf-ok \
                 --sum-file /usr/share/openssh/sshd_config.md5sum \
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
index 27907f25d..e071fe3b8 100644
--- a/debian/openssh-server.templates
+++ b/debian/openssh-server.templates
@@ -13,3 +13,11 @@ _Description: Disable SSH password authentication for root?
  attacks). However, it may break systems that are set up with the
  expectation of being able to SSH as root using password authentication. You
  should only make this change if you do not need to do that.
+
+Template: openssh-server/password-authentication
+Type: boolean
+Default: true
+Description: Allow password authentication?
+ By default, the SSH server will allow authenticating using a password.
+ You may want to change this if all users on this system authenticate using
+ a stronger authentication method, such as public keys.
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 000000000..1a0c77d41
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# openssh-server/password-authentication is preseeding-only, at least for now.
+openssh source: untranslatable-debconf-templates openssh-server.templates: 20