Change to "PermitRootLogin without-password" for new installations

Also ask a debconf question when upgrading systems with "PermitRootLogin yes" from previous versions. Closes: #298138
author: Colin Watson <cjwatson@debian.org> 2014-03-20 02:14:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-03-27 15:50:29 +0000
commit: 0a00050c1e005182cb69c672eb53000b9dcdba2c (patch)
tree: 6e1b4c319ed0cd4638320aebd28c3a4955e2e3c7 /debian/openssh-server.templates
parent: 96f6b414c09ec85a923e02df06a90d935283f06e (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 000000000..a7ee70701
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,15 @@
+Template: openssh-server/permit-root-login
+Type: boolean
+Default: false
+_Description: Disable SSH password authentication for root?
+ Previous versions of openssh-server permitted logging in as root over SSH
+ using password authentication. The default for new installations is now
+ "PermitRootLogin without-password", which disables password authentication
+ for root without breaking systems that have explicitly configured SSH
+ public key authentication for root.
+ .
+ This change makes systems more secure against brute-force password
+ dictionary attacks on the root user (a very common target for such
+ attacks). However, it may break systems that are set up with the
+ expectation of being able to SSH as root using password authentication. You
+ should only make this change if you do not need to do that.
author	Colin Watson <cjwatson@debian.org>	2014-03-20 02:14:01 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-03-27 15:50:29 +0000
commit	0a00050c1e005182cb69c672eb53000b9dcdba2c (patch)
tree	6e1b4c319ed0cd4638320aebd28c3a4955e2e3c7 /debian/openssh-server.templates
parent	96f6b414c09ec85a923e02df06a90d935283f06e (diff)

diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates new file mode 100644 index 000000000..a7ee70701 --- /dev/null +++ b/debian/openssh-server.templates
@@ -0,0 +1,15 @@
	1	Template: openssh-server/permit-root-login
	2	Type: boolean
	3	Default: false
	4	_Description: Disable SSH password authentication for root?
	5	Previous versions of openssh-server permitted logging in as root over SSH
	6	using password authentication. The default for new installations is now
	7	"PermitRootLogin without-password", which disables password authentication
	8	for root without breaking systems that have explicitly configured SSH
	9	public key authentication for root.
	10	.
	11	This change makes systems more secure against brute-force password
	12	dictionary attacks on the root user (a very common target for such
	13	attacks). However, it may break systems that are set up with the
	14	expectation of being able to SSH as root using password authentication. You
	15	should only make this change if you do not need to do that.