2 files changed, 14 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index ecbea235e..8369d2aab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -52,6 +52,10 @@ openssh (1:5.2p1-1) UNRELEASED; urgency=low
     non-BSD systems (closes: #154434).
   * Remove/adjust manual page references to BSD-specific /etc/rc (closes:
     #513417).
+  * Refer to sshd_config(5) rather than sshd(8) in postinst-written
+    /etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
+    configuration file (closes: #415008, although unfortunately this will
+    only be conveniently visible on new installations).
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 12 Nov 2009 21:31:44 +0000
 
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 9dfc68a5a..557bf2b23 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -294,7 +294,7 @@ create_sshdconfig() {
 
         cat <<EOF > /etc/ssh/sshd_config
 # Package generated configuration file
-# See the sshd(8) manpage for details
+# See the sshd_config(5) manpage for details
 
 # What ports, IPs and protocols we listen for
 Port 22
@@ -369,6 +369,15 @@ AcceptEnv LANG LC_*
 
 Subsystem sftp /usr/lib/openssh/sftp-server
 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 EOF
 }