-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | debian/openssh-server.config | 6 | ||||
-rw-r--r-- | debian/openssh-server.postinst | 6 | ||||
-rw-r--r-- | debian/openssh-server.templates | 8 | ||||
-rw-r--r-- | debian/source/lintian-overrides | 2 |
5 files changed, 25 insertions, 0 deletions
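--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:7.6p1-4) UNRELEASED; urgency=medium
 
 * Move VCS to salsa.debian.org.
+* Add a preseeding-only openssh-server/password-authentication debconf
+template that can be used to disable password authentication (closes:
+#878945).
 
 -- Colin Watson <cjwatson@debian.org> Mon, 22 Jan 2018 01:24:57 +0000
 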
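--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -17,6 +17,7 @@ get_config_option() {
 }
 
 permit_root_login="$(get_config_option PermitRootLogin)" || true
+password_authentication="$(get_config_option PasswordAuthentication)" || true
 if [ -f /etc/ssh/sshd_config ]; then
 # Make sure the debconf database is in sync with the current state
 # of the system.
@@ -25,6 +26,11 @@ if [ -f /etc/ssh/sshd_config ]; then
 else
 db_set openssh-server/permit-root-login true
 fi
+if [ "$password_authentication" = no ]; then
+db_set openssh-server/password-authentication false
+else
+db_set openssh-server/password-authentication true
+fi
 fi
 
 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \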
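Review bot: The new `else` branch records `true` for every value other than the literal `no`, including the empty string left behind when `get_config_option PasswordAuthentication` fails and `|| true` swallows the error, and nothing in the added lines says that this fallback is intended. A one-line comment above the new `if` would make the default explicit, for example `# Anything other than an explicit "no" is recorded as true, matching sshd's built-in default.` The body of get_config_option and the opening of the enclosing `if [ -f /etc/ssh/sshd_config ]` block are outside the hunks, so how the helper treats duplicate or Match-scoped settings is not visible here and would be worth stating in the same comment.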
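--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -88,6 +88,8 @@ create_sshdconfig() {
 # false -> yes.
 db_get openssh-server/permit-root-login
 permit_root_login="$RET"
+db_get openssh-server/password-authentication
+password_authentication="$RET"
 
 trap cleanup EXIT
 new_config="$(tempfile)"
@@ -96,6 +98,10 @@ create_sshdconfig() {
 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
 "$new_config"
 fi
+if [ "$password_authentication" != true ]; then
+sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+"$new_config"
+fi
 mkdir -p /etc/ssh
 ucf --three-way --debconf-ok \
 --sum-file /usr/share/openssh/sshd_config.md5sum \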
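Review bot: The added `sed` expression in create_sshdconfig matches only a commented `#PasswordAuthentication` line, whereas the PermitRootLogin substitution just above it uses `^#*`. If the shipped template ever carries the option uncommented, the substitution is a silent no-op and the generated sshd_config keeps password authentication enabled although the preseed asked for it to be off. Using `'s/^#*PasswordAuthentication .*/PasswordAuthentication no/'` would cover both forms. A following `grep -q '^PasswordAuthentication no' "$new_config"` would turn a missed substitution into a visible failure instead of a fail-open result. create_sshdconfig starts and ends outside these hunks, so whether a later step re-checks the file is not visible here.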
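--- a/debian/openssh-server.templates
+++ b/debian/openssh-server.templates
@@ -13,3 +13,11 @@ _Description: Disable SSH password authentication for root?
 attacks). However, it may break systems that are set up with the
 expectation of being able to SSH as root using password authentication. You
 should only make this change if you do not need to do that.
+
+Template: openssh-server/password-authentication
+Type: boolean
+Default: true
+Description: Allow password authentication?
+By default, the SSH server will allow authenticating using a password.
+You may want to change this if all users on this system authenticate using
+a stronger authentication method, such as public keys.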
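Review bot: The new template's long description does not state its scope or its risk, unlike the root-login template above it, which warns about systems that may break. I would add one sentence saying that answering false only sets `PasswordAuthentication no` in a newly generated sshd_config, so a host with no authorized keys deployed becomes unreachable over SSH. A second sentence could note that password prompts reached through keyboard-interactive/PAM authentication are controlled by a separate sshd_config option and are not changed by this question. Since the template is preseeding-only, this text is mainly read by people writing preseed files, which is where the caveat is most useful.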
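--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# openssh-server/password-authentication is preseeding-only, at least for now.
+openssh source: untranslatable-debconf-templates openssh-server.templates: 20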