From 5e133f112d8a05c0f7c466fc793514e2a1ee8285 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 26 Jan 2018 00:07:45 +0000 Subject: Add debconf template to disable password auth The new template is called openssh-server/password-authentication, and is preseeding-only (at least for now). Closes: #878945 --- debian/changelog | 3 +++ debian/openssh-server.config | 6 ++++++ debian/openssh-server.postinst | 6 ++++++ debian/openssh-server.templates | 8 ++++++++ debian/source/lintian-overrides | 2 ++ 5 files changed, 25 insertions(+) create mode 100644 debian/source/lintian-overrides diff --git a/debian/changelog b/debian/changelog index b8e2d9a65..ac07964fa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,9 @@ openssh (1:7.6p1-4) UNRELEASED; urgency=medium * Move VCS to salsa.debian.org. + * Add a preseeding-only openssh-server/password-authentication debconf + template that can be used to disable password authentication (closes: + #878945). -- Colin Watson Mon, 22 Jan 2018 01:24:57 +0000 diff --git a/debian/openssh-server.config b/debian/openssh-server.config index 1cad01cff..4a66a35e9 100644 --- a/debian/openssh-server.config +++ b/debian/openssh-server.config @@ -17,6 +17,7 @@ get_config_option() { } permit_root_login="$(get_config_option PermitRootLogin)" || true +password_authentication="$(get_config_option PasswordAuthentication)" || true if [ -f /etc/ssh/sshd_config ]; then # Make sure the debconf database is in sync with the current state # of the system. @@ -25,6 +26,11 @@ if [ -f /etc/ssh/sshd_config ]; then else db_set openssh-server/permit-root-login true fi + if [ "$password_authentication" = no ]; then + db_set openssh-server/password-authentication false + else + db_set openssh-server/password-authentication true + fi fi if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \ diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 94a47da20..ae273e9c8 100644 --- a/debian/openssh-server.postinst 
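Review bot: In the second hunk of debian/openssh-server.config, the new `db_set openssh-server/password-authentication` calls run whenever /etc/ssh/sshd_config exists, so a preseeded `false` is overwritten with the file's current state; from these lines the preseed appears to take effect only when no sshd_config is present yet. That is worth stating next to the block, e.g. `# A preseeded value only survives when sshd_config does not exist yet; otherwise the file wins.` The first hunk's `|| true` also leaves `password_authentication` empty when the lookup fails, and the `else` branch then records `true`; this matches sshd's default but is not stated anywhere. get_config_option is defined outside the hunk, so whether it skips settings inside `Match` blocks cannot be checked here.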
+++ b/debian/openssh-server.postinst @@ -88,6 +88,8 @@ create_sshdconfig() { # false -> yes. db_get openssh-server/permit-root-login permit_root_login="$RET" + db_get openssh-server/password-authentication + password_authentication="$RET" trap cleanup EXIT new_config="$(tempfile)" @@ -96,6 +98,10 @@ create_sshdconfig() { sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \ "$new_config" fi + if [ "$password_authentication" != true ]; then + sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \ + "$new_config" + fi mkdir -p /etc/ssh ucf --three-way --debconf-ok \ --sum-file /usr/share/openssh/sshd_config.md5sum \ diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates index 27907f25d..e071fe3b8 100644 --- a/debian/openssh-server.templates +++ b/debian/openssh-server.templates @@ -13,3 +13,11 @@ _Description: Disable SSH password authentication for root? attacks). However, it may break systems that are set up with the expectation of being able to SSH as root using password authentication. You should only make this change if you do not need to do that. + +Template: openssh-server/password-authentication +Type: boolean +Default: true +Description: Allow password authentication? + By default, the SSH server will allow authenticating using a password. + You may want to change this if all users on this system authenticate using + a stronger authentication method, such as public keys. diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 000000000..1a0c77d41 --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +# openssh-server/password-authentication is preseeding-only, at least for now. +openssh source: untranslatable-debconf-templates openssh-server.templates: 20 -- cgit v1.2.3
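Review bot: The added `sed` in the second hunk of debian/openssh-server.postinst matches only `^#PasswordAuthentication`, unlike the PermitRootLogin substitution just above it, which uses `^#*`. If the generated `$new_config` ever carries an uncommented `PasswordAuthentication yes`, the substitution is a silent no-op and the host keeps accepting passwords although the admin preseeded `false`. I would use `sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/'` and follow it with `grep -q '^PasswordAuthentication no$' "$new_config"` so that a miss is detected instead of passing unnoticed. The `!= true` test also treats an empty `$RET` as "disable", which is the safer direction but deserves a short comment. create_sshdconfig starts and ends outside the hunk, so the template that seeds `$new_config` is not visible here.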
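Review bot: The Description of openssh-server/password-authentication in debian/openssh-server.templates does not say what answering false leaves enabled or what it can break. `PasswordAuthentication no` does not by itself turn off keyboard-interactive (PAM) logins, which are controlled separately (`ChallengeResponseAuthentication` in this OpenSSH series), and whether the shipped sshd_config disables those is not visible in this patch. I would add a sentence such as `Keyboard-interactive authentication is configured separately, and disabling passwords before keys are installed will lock out SSH logins.`, in the same spirit as the warning in the permit-root-login text above it.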