Change to "PermitRootLogin without-password" for new installations

Also ask a debconf question when upgrading systems with "PermitRootLogin yes" from previous versions. Closes: #298138
author: Colin Watson <cjwatson@debian.org> 2014-03-20 02:14:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-03-27 15:50:29 +0000
commit: 0a00050c1e005182cb69c672eb53000b9dcdba2c (patch)
tree: 6e1b4c319ed0cd4638320aebd28c3a4955e2e3c7 /debian/openssh-server.postinst
parent: 96f6b414c09ec85a923e02df06a90d935283f06e (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 0189f5fbb..daa0f6796 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -1,6 +1,9 @@
 #!/bin/sh
 set -e
+. /usr/share/debconf/confmodule
+db_version 2.0
 action="$1"
 oldversion="$2"
@@ -193,7 +196,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin without-password
 StrictModes yes
 RSAAuthentication yes
@@ -305,8 +308,15 @@ if [ "$action" = configure ]; then
            # restart it under systemd.
            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+           [ "$(get_config_option PermitRootLogin)" = yes ] &&
+           db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
+            set_config_option PermitRootLogin without-password
+        fi
 fi
 #DEBHELPER#
+db_stop
 exit 0
author	Colin Watson <cjwatson@debian.org>	2014-03-20 02:14:01 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-03-27 15:50:29 +0000
commit	0a00050c1e005182cb69c672eb53000b9dcdba2c (patch)
tree	6e1b4c319ed0cd4638320aebd28c3a4955e2e3c7 /debian/openssh-server.postinst
parent	96f6b414c09ec85a923e02df06a90d935283f06e (diff)