If PasswordAuthentication is disabled, then offer to disable

ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369).
author: Colin Watson <cjwatson@debian.org> 2004-10-05 22:30:43 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-10-05 22:30:43 +0000
commit: 726497d9b38fab2eb9e9f66e73050527d9963712 (patch)
tree: 8afa45f1e9363ed0bdda2984ab2b27118c56fed5 /debian/templates.master
parent: 82688c6fdce4f7bd07efcacc82e49b520b8d8056 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/debian/templates.master b/debian/templates.master
index 07f62b178..55727c933 100644
--- a/debian/templates.master
+++ b/debian/templates.master
@@ -123,3 +123,19 @@ _Description: Environment options on keys have been deprecated
 To re-enable this option, set "PermitUserEnvironment yes" in
 /etc/ssh/sshd_config after the upgrade is complete, taking note of the
 warning in the sshd_config(5) manual page.
+Template: ssh/disable_cr_auth
+Type: boolean
+Default: true
+_Description: Disable challenge-response authentication?
+ Password authentication appears to be disabled in your current OpenSSH
+ server configuration. In order to prevent users from logging in using
+ passwords (perhaps using only public key authentication instead) with
+ recent versions of OpenSSH, you must disable challenge-response
+ authentication, or else ensure that your PAM configuration does not allow
+ Unix password file authentication.
+ .
+ If you disable challenge-response authentication (the default answer), then
+ users will not be able to log in using passwords. If you leave it enabled,
+ then the 'PasswordAuthentication no' option will have no useful effect
+ unless you also adjust your PAM configuration in /etc/pam.d/ssh.
author	Colin Watson <cjwatson@debian.org>	2004-10-05 22:30:43 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-10-05 22:30:43 +0000
commit	726497d9b38fab2eb9e9f66e73050527d9963712 (patch)
tree	8afa45f1e9363ed0bdda2984ab2b27118c56fed5 /debian/templates.master
parent	82688c6fdce4f7bd07efcacc82e49b520b8d8056 (diff)

diff --git a/debian/templates.master b/debian/templates.master index 07f62b178..55727c933 100644 --- a/debian/templates.master +++ b/debian/templates.master
@@ -123,3 +123,19 @@ _Description: Environment options on keys have been deprecated
123	To re-enable this option, set "PermitUserEnvironment yes" in	123	To re-enable this option, set "PermitUserEnvironment yes" in
124	/etc/ssh/sshd_config after the upgrade is complete, taking note of the	124	/etc/ssh/sshd_config after the upgrade is complete, taking note of the
125	warning in the sshd_config(5) manual page.	125	warning in the sshd_config(5) manual page.
		126
		127	Template: ssh/disable_cr_auth
		128	Type: boolean
		129	Default: true
		130	_Description: Disable challenge-response authentication?
		131	Password authentication appears to be disabled in your current OpenSSH
		132	server configuration. In order to prevent users from logging in using
		133	passwords (perhaps using only public key authentication instead) with
		134	recent versions of OpenSSH, you must disable challenge-response
		135	authentication, or else ensure that your PAM configuration does not allow
		136	Unix password file authentication.
		137	.
		138	If you disable challenge-response authentication (the default answer), then
		139	users will not be able to log in using passwords. If you leave it enabled,
		140	then the 'PasswordAuthentication no' option will have no useful effect
		141	unless you also adjust your PAM configuration in /etc/pam.d/ssh.