Change to "PermitRootLogin without-password" for new installations

Also ask a debconf question when upgrading systems with "PermitRootLogin
yes" from previous versions.

Closes: #298138

7 files changed, 134 insertions, 34 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
index 6e6bf9dc8..4d16eb4d8 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -15,39 +15,41 @@ Privilege separation is turned on by default, so, if you decide you
 want it turned off, you need to add "UsePrivilegeSeparation no" to
 /etc/ssh/sshd_config.
 
-PermitRootLogin set to yes
---------------------------
-
-This is now the default setting (in line with upstream), and people
-who asked for an automatically-generated configuration file when
-upgrading from potato (or on a new install) will have this setting in
-their /etc/ssh/sshd_config file.
-
-Should you wish to change this setting, edit /etc/ssh/sshd_config, and
-change:
-PermitRootLogin yes
-to:
-PermitRootLogin no
-
-Having PermitRootLogin set to yes means that an attacker that knows
-the root password can ssh in directly (without having to go via a user
-account). If you set it to no, then they must compromise a normal user
-account. In the vast majority of cases, this does not give added
-security; remember that any account you su to root from is equivalent
-to root - compromising this account gives an attacker access to root
-easily. If you only ever log in as root from the physical console,
-then you probably want to set this value to no.
-
-As an aside, PermitRootLogin can also be set to "without-password" or
-"forced-commands-only" - see sshd(8) for more details.
-
-DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
-
-The argument above is somewhat condensed; I have had this discussion
-at great length with many people. If you think the default is
-incorrect, and feel strongly enough to want to argue about it, then
-send email to debian-ssh@lists.debian.org. I will close bug reports
-claiming the default is incorrect.
+PermitRootLogin
+---------------
+
+As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
+without-password".  This disables password authentication for root, foiling
+password dictionary attacks on the root user.  Some sites may wish to use
+the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
+but note that "PermitRootLogin no" will break setups that SSH to root with a
+forced command to take full-system backups.  You can use PermitRootLogin in
+a Match block if you want finer-grained control here.
+
+For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
+line with upstream.  To avoid breaking local setups, this is still true for
+installations upgraded from before 1:6.6p1-1.  If you wish to change this,
+you should edit /etc/ssh/sshd_config, change it manually, and run "service
+ssh restart" as root.
+
+Disabling PermitRootLogin means that an attacker possessing credentials for
+the root account (any credentials in the case of "yes", or private key
+material in the case of "without-password") must compromise a normal user
+account rather than being able to SSH directly to root.  Be careful to avoid
+a false illusion of security if you change this setting; any account you
+escalate to root from should be considered equivalent to root for the
+purposes of security against external attack.  You might for example disable
+it if you know you will only ever log in as root from the physical console.
+
+Since the root account does not generally have non-password credentials
+unless you explicitly install an SSH public key in its
+~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
+it, "without-password" should be a reasonable default for most sites.
+
+For further discussion, see:
+
+  https://bugs.debian.org/298138
+  https://bugzilla.mindrot.org/show_bug.cgi?id=2164
 
 X11 Forwarding
 --------------
diff --git a/debian/changelog b/debian/changelog
index 1b08a3d50..ad96cd6ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ openssh (1:6.6p1-1) UNRELEASED; urgency=medium
       the characters before the wildcard character.
   * Re-enable btmp logging, as its permissions were fixed a long time ago in
     response to #370050 (closes: #341883).
+  * Change to "PermitRootLogin without-password" for new installations, and
+    ask a debconf question when upgrading systems with "PermitRootLogin yes"
+    from previous versions (closes: #298138).
 
   [ Matthew Vernon ]
   * Fix failure to check SSHFP records if server presents a certificate
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
new file mode 100644
index 000000000..27594ad2d
--- /dev/null
+++ b/debian/openssh-server.config
@@ -0,0 +1,23 @@
+#! /bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+get_config_option() {
+        option="$1"
+
+        [ -f /etc/ssh/sshd_config ] || return
+
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config 2>/dev/null
+}
+
+if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+   [ "$(get_config_option PermitRootLogin)" = yes ]; then
+        db_input high openssh-server/permit-root-login || true
+        db_go
+fi
+
+exit 0
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 0189f5fbb..daa0f6796 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -1,6 +1,9 @@
 #!/bin/sh
 set -e
 
+. /usr/share/debconf/confmodule
+db_version 2.0
+
 action="$1"
 oldversion="$2"
 
@@ -193,7 +196,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin without-password
 StrictModes yes
 
 RSAAuthentication yes
@@ -305,8 +308,15 @@ if [ "$action" = configure ]; then
             # restart it under systemd.
             start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
         fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+           [ "$(get_config_option PermitRootLogin)" = yes ] &&
+           db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
+            set_config_option PermitRootLogin without-password
+        fi
 fi
 
 #DEBHELPER#
 
+db_stop
+
 exit 0
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 000000000..a7ee70701
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,15 @@
+Template: openssh-server/permit-root-login
+Type: boolean
+Default: false
+_Description: Disable SSH password authentication for root?
+ Previous versions of openssh-server permitted logging in as root over SSH
+ using password authentication. The default for new installations is now
+ "PermitRootLogin without-password", which disables password authentication
+ for root without breaking systems that have explicitly configured SSH
+ public key authentication for root.
+ .
+ This change makes systems more secure against brute-force password
+ dictionary attacks on the root user (a very common target for such
+ attacks). However, it may break systems that are set up with the
+ expectation of being able to SSH as root using password authentication. You
+ should only make this change if you do not need to do that.
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 000000000..c619f3451
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] openssh-server.templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 000000000..70e64acad
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,46 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: openssh\n"
+"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid "Disable SSH password authentication for root?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid ""
+"Previous versions of openssh-server permitted logging in as root over SSH "
+"using password authentication. The default for new installations is now "
+"\"PermitRootLogin without-password\", which disables password authentication "
+"for root without breaking systems that have explicitly configured SSH public "
+"key authentication for root."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid ""
+"This change makes systems more secure against brute-force password "
+"dictionary attacks on the root user (a very common target for such attacks). "
+"However, it may break systems that are set up with the expectation of being "
+"able to SSH as root using password authentication. You should only make this "
+"change if you do not need to do that."
+msgstr ""