Forward-port from HEAD:

  * If PasswordAuthentication is disabled, then offer to disable
    ChallengeResponseAuthentication too. The current PAM code will attempt
    password-style authentication if ChallengeResponseAuthentication is
    enabled (closes: #250369).
  * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or
    later and then upgraded. Sorry about that ... for this reason, the
    default answer is to leave ChallengeResponseAuthentication enabled.

1 files changed, 25 insertions, 0 deletions

diff --git a/debian/openssh-server.config b/debian/openssh-server.config
index b40e8afd7..0cd0a4b8d 100644
--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -7,6 +7,18 @@ version=$2
 . /usr/share/debconf/confmodule
 db_version 2.0
 
+
+get_config_option() {
+        option="$1"
+
+        [ -f /etc/ssh/sshd_config ] || return
+
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config 2>/dev/null
+}
+
+
 if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
 then
   db_fset ssh/use_old_init_script seen false
@@ -35,6 +47,19 @@ then
         then db_input medium ssh/protocol2_only ||true
         fi
     fi
+
+    # An empty version means we're upgrading from before the package split,
+    # so check.
+    if dpkg --compare-versions "$version" lt 1:3.8.1p1-11
+    then
+        passwordauth="$(get_config_option PasswordAuthentication)"
+        crauth="$(get_config_option ChallengeResponseAuthentication)"
+        if [ "$passwordauth" = no ] && \
+           ([ -z "$crauth" ] || [ "$crauth" = yes ])
+        then
+            db_input critical ssh/disable_cr_auth || true
+        fi
+    fi
 fi 
 
 if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf