From 726497d9b38fab2eb9e9f66e73050527d9963712 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 5 Oct 2004 22:30:43 +0000
Subject: If PasswordAuthentication is disabled, then offer to disable
 ChallengeResponseAuthentication too. The current PAM code will attempt
 password-style authentication if ChallengeResponseAuthentication is enabled
 (closes: #250369).

---
 debian/config | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'debian/config')

diff --git a/debian/config b/debian/config
index b5cff528c..6d9729e62 100644
--- a/debian/config
+++ b/debian/config
@@ -12,6 +12,16 @@ fi
 . /usr/share/debconf/confmodule
 db_version 2.0
 
+
+get_config_option() {
+	option="$1"
+
+	# TODO: actually only one '=' allowed after option
+	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+	   /etc/ssh/sshd_config
+}
+
+
 if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
 then
   db_input medium ssh/ssh2_keys_merged
@@ -91,6 +101,15 @@ if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
     db_input high ssh/user_environment_tell || true
 fi
 
+if dpkg --compare-versions "$version" lt-nl 1:3.8.1p1-8.sarge.1; then
+    passwordauth="$(get_config_option PasswordAuthentication)"
+    crauth="$(get_config_option ChallengeResponseAuthentication)"
+    if [ "$passwordauth" = no ] && \
+       ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+	db_input critical ssh/disable_cr_auth || true
+    fi
+fi
+
 db_go
 
 exit 0
-- 
cgit v1.2.3