From 23ad7ca187d4b40b45b18903c6e96b4cc3ea9ec1 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 6 Oct 2004 13:22:30 +0000 Subject: Forward-port from HEAD: * If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled. --- debian/openssh-server.templates.master | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'debian/openssh-server.templates.master') diff --git a/debian/openssh-server.templates.master b/debian/openssh-server.templates.master index e6d355639..af4d4e9f8 100644 --- a/debian/openssh-server.templates.master +++ b/debian/openssh-server.templates.master @@ -77,3 +77,19 @@ _Description: Warning: you must create a new host key from the old (non-free) SSH installation. . You will need to generate a new host key. + +Template: ssh/disable_cr_auth +Type: boolean +Default: false +_Description: Disable challenge-response authentication? + Password authentication appears to be disabled in your current OpenSSH + server configuration. In order to prevent users from logging in using + passwords (perhaps using only public key authentication instead) with + recent versions of OpenSSH, you must disable challenge-response + authentication, or else ensure that your PAM configuration does not allow + Unix password file authentication. + . + If you disable challenge-response authentication, then users will not be + able to log in using passwords. If you leave it enabled (the default + answer), then the 'PasswordAuthentication no' option will have no useful + effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. -- cgit v1.2.3