From 23ad7ca187d4b40b45b18903c6e96b4cc3ea9ec1 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 6 Oct 2004 13:22:30 +0000 Subject: Forward-port from HEAD: * If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled. --- debian/openssh-server.config | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'debian/openssh-server.config') diff --git a/debian/openssh-server.config b/debian/openssh-server.config index b40e8afd7..0cd0a4b8d 100644 --- a/debian/openssh-server.config +++ b/debian/openssh-server.config @@ -7,6 +7,18 @@ version=$2 . /usr/share/debconf/confmodule db_version 2.0 + +get_config_option() { + option="$1" + + [ -f /etc/ssh/sshd_config ] || return + + # TODO: actually only one '=' allowed after option + perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ + /etc/ssh/sshd_config 2>/dev/null +} + + if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh then db_fset ssh/use_old_init_script seen false @@ -35,6 +47,19 @@ then then db_input medium ssh/protocol2_only ||true fi fi + + # An empty version means we're upgrading from before the package split, + # so check. + if dpkg --compare-versions "$version" lt 1:3.8.1p1-11 + then + passwordauth="$(get_config_option PasswordAuthentication)" + crauth="$(get_config_option ChallengeResponseAuthentication)" + if [ "$passwordauth" = no ] && \ + ([ -z "$crauth" ] || [ "$crauth" = yes ]) + then + db_input critical ssh/disable_cr_auth || true + fi + fi fi if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf -- cgit v1.2.3
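Review bot: get_config_option prints every matching line and keeps whatever trails the value, so a sshd_config that sets the option twice, or writes `PasswordAuthentication no` followed by trailing whitespace, produces a string that the caller's exact comparison with `no` will not match. The upgrade question is then silently skipped and ChallengeResponseAuthentication stays enabled, which is the state the commit message sets out to surface. sshd uses the first occurrence of a keyword, so the one-liner should stop at the first hit and trim it, e.g. `perl -ne 'if (s/^[[:space:]]*'"$option"'[[:space:]=]+//i) { s/[[:space:]]+$//; print "$_\n"; exit }'`. `$option` is also spliced into the regex unescaped; that is fine for the two literal callers in this patch, but a comment such as `# $1 must be a plain keyword; it is interpolated into a regex` would protect later callers.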
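Review bot: In the second hunk, `[ "$passwordauth" = no ]` recognises only the literal `no`, so any other spelling sshd treats as disabled (as far as I know it also accepts `false`) means the administrator is never offered the question and PAM's password-style challenge-response stays reachable. Widening the test to `[ "$passwordauth" = no ] || [ "$passwordauth" = false ]`, with the matching `true` case for `$crauth`, would close that gap; please confirm against the sshd version being packaged. The `( … )` grouping forks a subshell only to combine two tests, which `{ [ -z "$crauth" ] || [ "$crauth" = yes ]; }` does without the fork. The added block sits inside an outer `if`/`then` that begins above this hunk, so I cannot see which install or upgrade paths reach it.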