If PasswordAuthentication is disabled, then offer to disable

ChallengeResponseAuthentication too. The current PAM code will attempt
password-style authentication if ChallengeResponseAuthentication is enabled
(closes: #250369).

20 files changed, 560 insertions, 29 deletions

diff --git a/debian/changelog b/debian/changelog
index 2c157e7ad..2d527565d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:3.8.1p1-8.sarge.1) UNRELEASED; urgency=high
+
+  * If PasswordAuthentication is disabled, then offer to disable
+    ChallengeResponseAuthentication too. The current PAM code will attempt
+    password-style authentication if ChallengeResponseAuthentication is
+    enabled (closes: #250369).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue,  5 Oct 2004 19:05:08 +0100
+
 openssh (1:3.8.1p1-8) unstable; urgency=high
 
   * Matthew Vernon:
diff --git a/debian/config b/debian/config
index b5cff528c..6d9729e62 100644
--- a/debian/config
+++ b/debian/config
@@ -12,6 +12,16 @@ fi
 . /usr/share/debconf/confmodule
 db_version 2.0
 
+
+get_config_option() {
+        option="$1"
+
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+
+
 if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
 then
   db_input medium ssh/ssh2_keys_merged
@@ -91,6 +101,15 @@ if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
     db_input high ssh/user_environment_tell || true
 fi
 
+if dpkg --compare-versions "$version" lt-nl 1:3.8.1p1-8.sarge.1; then
+    passwordauth="$(get_config_option PasswordAuthentication)"
+    crauth="$(get_config_option ChallengeResponseAuthentication)"
+    if [ "$passwordauth" = no ] && \
+       ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+        db_input critical ssh/disable_cr_auth || true
+    fi
+fi
+
 db_go
 
 exit 0
diff --git a/debian/po/ca.po b/debian/po/ca.po
index 412555d19..85a65e9e4 100644
--- a/debian/po/ca.po
+++ b/debian/po/ca.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh_1:3.8p1-3_templates\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-03-05 19:46GMT\n"
 "Last-Translator: Aleix Badia i Bosch <abadia@ica.es>\n"
 "Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
@@ -348,3 +348,31 @@ msgstr ""
 "Per tornar a habilitar l'opció definiu \"PermitUserEnvironment yes\" al "
 "fitxer /etc/ssh/sshd_config al finalitzar l'actualització (recordeu la nota "
 "d'avís de la pàgina del manual sshd_config(5)). "
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
diff --git a/debian/po/cs.po b/debian/po/cs.po
index 071003350..0374e4a9f 100644
--- a/debian/po/cs.po
+++ b/debian/po/cs.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-01-28 15:10+0100\n"
 "Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
 "Language-Team: Czech <provoz@debian.cz>\n"
@@ -346,6 +346,34 @@ msgstr ""
 "str�nce sshd_config(5) a v souboru /etc/ssh/sshd_config zadejte "
 "\"PermitUserEnvironment yes\"."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Odd�len� privilegi�"
 
diff --git a/debian/po/da.po b/debian/po/da.po
index be90f82f3..74f8e266a 100644
--- a/debian/po/da.po
+++ b/debian/po/da.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1p2\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-10-28 14:30+0200\n"
 "Last-Translator: Morten Brix Pedersen <morten@wtf.dk>\n"
 "Language-Team: debian-l10n-danish <debian-l10n-danish@lists.debian.org>\n"
@@ -353,6 +353,34 @@ msgstr ""
 "ssh/sshd_config efter opgraderingen er færdig, men bemærk advarslen som står "
 "skrevet i sshd_config(5) manual-siden."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Privilegie adskillelse"
 
diff --git a/debian/po/de.po b/debian/po/de.po
index 85546e7c1..49d13b8c5 100644
--- a/debian/po/de.po
+++ b/debian/po/de.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-05-30 09:49-0200\n"
 "Last-Translator: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>\n"
 "Language-Team: de <debian-l10n-german@lists.debian.org>\n"
@@ -359,3 +359,31 @@ msgstr ""
 "Um diese Option wieder zu reaktivieren, setzen Sie, unter Ber�cksichtigung "
 "der Warnung in der sshd_config(5)-Handbuchseite, \"PermitUserEnvironment yes"
 "\" in /etc/ssh/sshd_config nachdem die Aktualisierung erfolgt ist."
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
diff --git a/debian/po/el.po b/debian/po/el.po
index cdc7a21fc..cb1d43cb4 100644
--- a/debian/po/el.po
+++ b/debian/po/el.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: el\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-02-15 14:14EEST\n"
 "Last-Translator: Konstantinos Margaritis <markos@debian.org>\n"
 "Language-Team: Greek <debian-l10n-greek@lists.debian.org>\n"
@@ -370,6 +370,34 @@ msgstr ""
 "yes\" στο αρχείο /etc/ssh/sshd_config μετά το τέλος της αναβάθμισης, έχοντας "
 "υπόψιν την προειδοποίηση στη σελίδα οδηγιών του sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Διαχωρισμός Προνομίων"
 
diff --git a/debian/po/es.po b/debian/po/es.po
index 95a76b09d..06de59528 100644
--- a/debian/po/es.po
+++ b/debian/po/es.po
@@ -32,7 +32,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1p2-11\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-01-17 17:47+0200\n"
 "Last-Translator: Javier Fernandez-Sanguino Pe�a <jfs@computer.org>\n"
 "Language-Team: Debian L10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
@@ -374,6 +374,34 @@ msgstr ""
 "etc/ssh/sshd_config al terminar la actualizaci�n, teniendo en cuenta el "
 "aviso de la p�gina de manual de sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Separaci�n de privilegios"
 
diff --git a/debian/po/fr.po b/debian/po/fr.po
index 2d7523e26..0f808b2f0 100644
--- a/debian/po/fr.po
+++ b/debian/po/fr.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1p2-5\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-05-22 10:34+0200\n"
 "Last-Translator: Denis Barbier <barbier@debian.org>\n"
 "Language-Team: French <Debian-l10n-french@lists.debian.org>\n"
@@ -371,6 +371,34 @@ msgstr ""
 "ssh/sshd_config lorsque la mise � niveau est termin�e. Veuillez tenir compte "
 "de l'avertissement donn� dans la page de manuel sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "S�paration des privil�ges"
 
diff --git a/debian/po/it.po b/debian/po/it.po
index 5e3e738e2..427ce4cb0 100644
--- a/debian/po/it.po
+++ b/debian/po/it.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-12-21 12:23+0100\n"
 "Last-Translator: Renato Gini <rgini@openlabs.it>\n"
 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
@@ -365,6 +365,34 @@ msgstr ""
 "file /etc/ssh/sshd_config dopo l'aggiornamento, considerando gli "
 "avvertimenti contenuti nella pagina del manuale sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Separazione dei privilegi"
 
diff --git a/debian/po/ja.po b/debian/po/ja.po
index 35527b294..b23859db6 100644
--- a/debian/po/ja.po
+++ b/debian/po/ja.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-09-24 09:32+0900\n"
 "Last-Translator: Kenshi Muto <kmuto@debian.org>\n"
 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
@@ -351,6 +351,34 @@ msgstr ""
 "�˥奢��ڡ����ηٹ������ɤ�ǡ� /etc/ssh/sshd_config �ե������"
 "��PermitUserEnvironment yes�פ����ꤷ�Ƥ���������"
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "�ø���ʬΥ"
 
diff --git a/debian/po/nl.po b/debian/po/nl.po
index e3fbdfc72..9ec34ca5e 100644
--- a/debian/po/nl.po
+++ b/debian/po/nl.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1p2-9\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-09-27 14:43+0100\n"
 "Last-Translator: Bart Cornelis <cobaco@linux.be>\n"
 "Language-Team: debian-l10n-dutch <debian-l10n-dutch@lists.debian.org>\n"
@@ -366,6 +366,34 @@ msgstr ""
 "in /etc/ssh/sshd_config aan te zetten in nadat de opwaardering compleet is; "
 "houd hierbij rekening met de waarschuwing in de sshd_config(5) man-pagina."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Rechtenscheiding"
 
diff --git a/debian/po/pl.po b/debian/po/pl.po
index 1d218ab8f..6211dd9f9 100644
--- a/debian/po/pl.po
+++ b/debian/po/pl.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-04-08 18:28+0200\n"
 "Last-Translator: Emil Nowak <emil5@go2.pl>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
@@ -358,6 +358,34 @@ msgstr ""
 "konfiguracji nale�y zapozna� si� z informacjami zawartymi na stronie "
 "podr�cznika systemowego sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Separacja uprawnie�"
 
diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
index 00973c88d..d705e794a 100644
--- a/debian/po/pt_BR.po
+++ b/debian/po/pt_BR.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh_3.6.1p2-9\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-11-09 16:29-0300\n"
 "Last-Translator: Andr� Lu�s Lopes <andrelop@debian.org>\n"
 "Language-Team: Debian-BR Project <debian-l10n-portuguese@lists.debian.org>\n"
@@ -365,6 +365,34 @@ msgstr ""
 "arquivo /et/ssh/sshd_config depois da a atualiza��o terminar, atentando para "
 "o aviso na p�gina de manual do sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "Separa��o de Previl�gios"
 
diff --git a/debian/po/ru.po b/debian/po/ru.po
index f86cca6d2..ed61285d9 100644
--- a/debian/po/ru.po
+++ b/debian/po/ru.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2003-10-02 17:20+0500\n"
 "Last-Translator: Ilgiz Kalmetev <translator@ilgiz.pp.ru>\n"
 "Language-Team: russian <ru@li.org>\n"
@@ -355,6 +355,34 @@ msgstr ""
 "����������,� �������� �������� �� �������������� � �������� ����������� "
 "sshd_config(5)."
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "���������� ����������"
 
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
index e8e8e4cd2..447bf89a4 100644
--- a/debian/po/templates.pot
+++ b/debian/po/templates.pot
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -292,3 +292,31 @@ msgid ""
 "sshd_config after the upgrade is complete, taking note of the warning in the "
 "sshd_config(5) manual page."
 msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
diff --git a/debian/po/tr.po b/debian/po/tr.po
index b40fcb2b2..af8a0a9a2 100644
--- a/debian/po/tr.po
+++ b/debian/po/tr.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ssh\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-04-27 06:50+0300\n"
 "Last-Translator: Recai Oktaş <roktas@omu.edu.tr>\n"
 "Language-Team: Turkish <debian-l10n-turkish@lists.debian.org>\n"
@@ -353,3 +353,31 @@ msgstr ""
 "Bu seçeneği tekrar etkinleştirmek için, sshd_config(5) kılavuz sayfasındaki "
 "uyarı notunu dikkate alarak, sshd yükseltmesi tamamlandığında /etc/ssh/"
 "ssh_config dosyasında \"PermitUserEnvironment yes\" satırını kullanın."
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po
index 342605317..8ced202c0 100644
--- a/debian/po/zh_CN.po
+++ b/debian/po/zh_CN.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: openssh 3.6.1p2-11\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2004-03-06 17:54+0000\n"
+"POT-Creation-Date: 2004-10-05 20:41+0100\n"
 "PO-Revision-Date: 2004-02-02 18:48+1300\n"
 "Last-Translator: Hiei Xu <nicky@mail.edu.cn>\n"
 "Language-Team: Chinese/Simplified <i18n-translation@lists.linux.net.cn>\n"
@@ -335,6 +335,34 @@ msgstr ""
 "要重新启用这个选项，升级完成后请在 /etc/ssh/sshd_config 中加入一"
 "行：“PermitUserEnvironment yes”。请注意 sshd_config(5) 手册页中提到的警告。"
 
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid "Disable challenge-response authentication?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"Password authentication appears to be disabled in your current OpenSSH "
+"server configuration. In order to prevent users from logging in using "
+"passwords (perhaps using only public key authentication instead) with recent "
+"versions of OpenSSH, you must disable challenge-response authentication, or "
+"else ensure that your PAM configuration does not allow Unix password file "
+"authentication."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates.master:130
+msgid ""
+"If you disable challenge-response authentication (the default answer), then "
+"users will not be able to log in using passwords. If you leave it enabled, "
+"then the 'PasswordAuthentication no' option will have no useful effect "
+"unless you also adjust your PAM configuration in /etc/pam.d/ssh."
+msgstr ""
+
 #~ msgid "Privilege separation"
 #~ msgstr "权限分离"
 
diff --git a/debian/postinst b/debian/postinst
index 1baae1677..efd04c3d0 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -36,6 +36,25 @@ get_config_option() {
 }
 
 
+set_config_option() {
+        option="$1"
+        value="$2"
+
+        perl -e '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        if (s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "\n$option $value\n" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
 host_keys_required() {
         hostkeys="$(get_config_option HostKey)"
         if [ "$hostkeys" ]; then
@@ -86,25 +105,45 @@ create_keys() {
 }
 
 
+check_password_auth() {
+        passwordauth="$(get_config_option PasswordAuthentication)"
+        crauth="$(get_config_option ChallengeResponseAuthentication)"
+        if [ "$passwordauth" = no ] && \
+           ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+                db_get ssh/disable_cr_auth
+                if [ "$RET" = true ]; then
+                        set_config_option ChallengeResponseAuthentication no
+                fi
+        fi
+}
+
 create_sshdconfig() {
         if [ -e /etc/ssh/sshd_config ] ; then
             if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
                 db_get ssh/new_config
                 if [ "$RET" = "false" ] ; then return 0; fi
-            elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
-                 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
-                # Upgrade from pre-3.7: UsePAM needed to maintain standard
-                # Debian configuration.
-                echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
-                cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
-                perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
-                    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-                echo >> /etc/ssh/sshd_config.dpkg-new
-                echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
-                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-                echo
+            else
+                # Upgrade sshd configuration from a sane version.
+
+                if dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+                     ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
+                    # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                    # Debian configuration.
+                    echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                    perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                        /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                    echo >> /etc/ssh/sshd_config.dpkg-new
+                    echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                    echo
+                fi
+
+                if dpkg --compare-versions "$oldversion" lt-nl 1:3.8.1p1-8.sarge.1; then
+                    check_password_auth
+                fi
+
                 return 0
-            else return 0
             fi
         fi
 
diff --git a/debian/templates.master b/debian/templates.master
index 07f62b178..55727c933 100644
--- a/debian/templates.master
+++ b/debian/templates.master
@@ -123,3 +123,19 @@ _Description: Environment options on keys have been deprecated
  To re-enable this option, set "PermitUserEnvironment yes" in
  /etc/ssh/sshd_config after the upgrade is complete, taking note of the
  warning in the sshd_config(5) manual page.
+
+Template: ssh/disable_cr_auth
+Type: boolean
+Default: true
+_Description: Disable challenge-response authentication?
+ Password authentication appears to be disabled in your current OpenSSH
+ server configuration. In order to prevent users from logging in using
+ passwords (perhaps using only public key authentication instead) with
+ recent versions of OpenSSH, you must disable challenge-response
+ authentication, or else ensure that your PAM configuration does not allow
+ Unix password file authentication.
+ .
+ If you disable challenge-response authentication (the default answer), then
+ users will not be able to log in using passwords. If you leave it enabled,
+ then the 'PasswordAuthentication no' option will have no useful effect
+ unless you also adjust your PAM configuration in /etc/pam.d/ssh.