From 726497d9b38fab2eb9e9f66e73050527d9963712 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 5 Oct 2004 22:30:43 +0000
Subject: If PasswordAuthentication is disabled, then offer to disable
 ChallengeResponseAuthentication too. The current PAM code will attempt
 password-style authentication if ChallengeResponseAuthentication is enabled
 (closes: #250369).

---
 debian/templates.master | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'debian/templates.master')

diff --git a/debian/templates.master b/debian/templates.master
index 07f62b178..55727c933 100644
--- a/debian/templates.master
+++ b/debian/templates.master
@@ -123,3 +123,19 @@ _Description: Environment options on keys have been deprecated
  To re-enable this option, set "PermitUserEnvironment yes" in
  /etc/ssh/sshd_config after the upgrade is complete, taking note of the
  warning in the sshd_config(5) manual page.
+
+Template: ssh/disable_cr_auth
+Type: boolean
+Default: true
+_Description: Disable challenge-response authentication?
+ Password authentication appears to be disabled in your current OpenSSH
+ server configuration. In order to prevent users from logging in using
+ passwords (perhaps using only public key authentication instead) with
+ recent versions of OpenSSH, you must disable challenge-response
+ authentication, or else ensure that your PAM configuration does not allow
+ Unix password file authentication.
+ .
+ If you disable challenge-response authentication (the default answer), then
+ users will not be able to log in using passwords. If you leave it enabled,
+ then the 'PasswordAuthentication no' option will have no useful effect
+ unless you also adjust your PAM configuration in /etc/pam.d/ssh.
-- 
cgit v1.2.3