Disable ChallengeResponseAuthentication in new installations, returning to

PasswordAuthentication by default, since it now supports PAM and apparently
works better with a non-threaded sshd.

2 files changed, 8 insertions, 4 deletions

diff --git a/debian/changelog b/debian/changelog
index 427728b50..4e27729d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ openssh (1:4.1p1-1) UNRELEASED; urgency=low
     Use PAM password authentication to avoid #278394. In future I may
     provide two sets of binaries built with and without this option, since
     it seems I can't win.
+  * Disable ChallengeResponseAuthentication in new installations, returning
+    to PasswordAuthentication by default, since it now supports PAM and
+    apparently works better with a non-threaded sshd.
   * openssh-server Suggests: rssh (closes: #233012).
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 26 May 2005 13:51:50 +0100
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 3fce8af1c..46813605f 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -230,11 +230,12 @@ HostbasedAuthentication no
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
 
-# Change to yes to enable tunnelled clear text passwords
-PasswordAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
 
 
 # To change Kerberos options