Refer to sshd_config(5) rather than sshd(8) in postinst-written

/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
configuration file (closes: #415008, although unfortunately this will
only be conveniently visible on new installations).

1 files changed, 10 insertions, 1 deletions

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 9dfc68a5a..557bf2b23 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -294,7 +294,7 @@ create_sshdconfig() {
 
         cat <<EOF > /etc/ssh/sshd_config
 # Package generated configuration file
-# See the sshd(8) manpage for details
+# See the sshd_config(5) manpage for details
 
 # What ports, IPs and protocols we listen for
 Port 22
@@ -369,6 +369,15 @@ AcceptEnv LANG LC_*
 
 Subsystem sftp /usr/lib/openssh/sftp-server
 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 EOF
 }