
Bug#878945: Request from cloud team: please add a debconf option for PasswordAuthentication



On Tue, Oct 17, 2017 at 02:50:24PM -0700, Jimmy Kaplowitz wrote:
> Hello from the Debian cloud team sprint at Microsoft! We were just
> discussing the appropriate default value for the PasswordAuthentication
> option in sshd_config in Debian's cloud images. Most of these currently
> set it to 'no' by modifying the config file; we'd like a debconf option
> for this to be added, so that we make the change that way and offer a better
> user experience across package upgrades.

Thanks for the suggestion.  Does this patch look OK?  It seems to do the
job in my local testing.

diff --git a/debian/changelog b/debian/changelog
index f7dcbda..3d499a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ openssh (1:7.6p1-3) UNRELEASED; urgency=medium
     openssh-server will preserve existing configuration, and new
     installations should just enable GSSAPIAuthentication and
     GSSAPIKeyExchange in sshd_config (closes: #878626).
+  * Add a preseeding-only openssh-server/password-authentication debconf
+    template that can be used to disable password authentication (closes:
+    #878945).
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 16 Oct 2017 10:30:50 +0100
 
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
index 1cad01c..4a66a35 100644
--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -17,6 +17,7 @@ get_config_option() {
 }
 
 permit_root_login="$(get_config_option PermitRootLogin)" || true
+password_authentication="$(get_config_option PasswordAuthentication)" || true
 if [ -f /etc/ssh/sshd_config ]; then
 	# Make sure the debconf database is in sync with the current state
 	# of the system.
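Review bot: the new `password_authentication="$(get_config_option PasswordAuthentication)"` line relies on the helper returning only the global value, which this diff does not show; if `get_config_option` scans the whole file, a `PasswordAuthentication no` that sits under a `Match` block would be taken as the global setting and recorded in debconf as false. Worth confirming the helper stops at the first `Match` line (sshd treats everything after it as conditional), or documenting that limitation in the comment above.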
@@ -25,6 +26,11 @@ if [ -f /etc/ssh/sshd_config ]; then
 	else
 		db_set openssh-server/permit-root-login true
 	fi
+	if [ "$password_authentication" = no ]; then
+		db_set openssh-server/password-authentication false
+	else
+		db_set openssh-server/password-authentication true
+	fi
 fi
 
 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
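Review bot: `[ "$password_authentication" = no ]` is an exact-case comparison, but sshd accepts its yes/no arguments case-insensitively, so a system whose config says `PasswordAuthentication No` would be synced into debconf as true even though password logins are off. Lower-casing the value first would close that gap, e.g. `case "$(printf '%s' "$password_authentication" | tr A-Z a-z)" in no) db_set ... false ;; *) db_set ... true ;; esac`. The same question applies to the `permit_root_login` test just above this hunk.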
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 94a47da..ae273e9 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -88,6 +88,8 @@ create_sshdconfig() {
 	# false -> yes.
 	db_get openssh-server/permit-root-login
 	permit_root_login="$RET"
+	db_get openssh-server/password-authentication
+	password_authentication="$RET"
 
 	trap cleanup EXIT
 	new_config="$(tempfile)"
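Review bot: the comment block above (`# false -> yes.`) explains the inverted sense of `permit-root-login`; since `password-authentication` has the straightforward sense (debconf false means `PasswordAuthentication no`), a one-line comment next to `db_get openssh-server/password-authentication` saying so would stop the next reader from assuming both templates follow the same mapping.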
@@ -96,6 +98,10 @@ create_sshdconfig() {
 		sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
 			"$new_config"
 	fi
+	if [ "$password_authentication" != true ]; then
+		sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+			"$new_config"
+	fi
 	mkdir -p /etc/ssh
 	ucf --three-way --debconf-ok \
 		--sum-file /usr/share/openssh/sshd_config.md5sum \
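Review bot: two asymmetries with the `PermitRootLogin` handling two lines above. First, the condition `[ "$password_authentication" != true ]` disables password authentication for any value other than `true`, including an empty answer, whereas the config script only records false for an explicit `no`; failing closed is defensible for this setting, but it should be deliberate, so either use `= false` for symmetry or add a comment stating that an unset answer disables password authentication. Second, the pattern `s/^#PasswordAuthentication .*/` matches only the commented-out template line (single `#`), unlike `s/^#*PermitRootLogin .*/`, so an already-active `PasswordAuthentication yes` line in the template would be left untouched; `^#*PasswordAuthentication .*` would cover both cases.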
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
index 27907f2..fcb58ce 100644
--- a/debian/openssh-server.templates
+++ b/debian/openssh-server.templates
@@ -13,3 +13,11 @@ _Description: Disable SSH password authentication for root?
  attacks). However, it may break systems that are set up with the
  expectation of being able to SSH as root using password authentication. You
  should only make this change if you do not need to do that.
+
+Template: openssh-server/password-authentication
+Type: boolean
+Default: true
+Description: Allow password authentication (for internal use)?
+ By default, the SSH server will allow authenticating using a password.
+ You may want to change this if all users on this system authenticate using
+ a stronger authentication method, such as public keys.
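Review bot: nothing in this patch calls `db_input` for `openssh-server/password-authentication`, so, as the changelog says, it is preseed-only and the Description is seen only through `debconf-show` or a preseed file. Since the `(for internal use)` marker is the only hint, consider adding the preseed line somewhere a cloud image builder will find it (the template text itself or the package README), e.g. `openssh-server openssh-server/password-authentication boolean false`. Also note this template uses `Description:` rather than the `_Description:` the template above uses, so it is not offered for translation; that is consistent with internal use, but worth a comment so it is not "fixed" later.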

-- 
Colin Watson                                       [cjwatson@debian.org]
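An added example, not code from this patch or from Debian's openssh packaging: it mirrors both halves of the proposed wiring in plain shell so the edge cases a reviewer would ask about can be tried offline. `sshd_global_option` reads the global `PasswordAuthentication` value out of a constructed sshd_config the way the config script needs to (case-insensitive keywords and values, `key=value` form, first occurrence wins, stop at the first `Match` line), `debconf_value_for` maps that to the debconf boolean, and `apply_debconf_value` performs the postinst edit on a constructed template copy. The function names, the sample configs and the temporary files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Debian openssh packaging.
# Emulates the proposed debconf wiring for PasswordAuthentication offline:
# sshd_global_option() reads the value the config script must sync into
# debconf, apply_debconf_value() performs the postinst edit on a template.
# In a cloud image build the option itself would be preseeded with:
#   echo "openssh-server openssh-server/password-authentication boolean false" \
#     | debconf-set-selections
# Function names, sample configs and temp files below are assumptions.

# Print the global value of a yes/no keyword from an sshd_config file,
# lower-cased, or nothing if it is unset. Follows sshd's own rules:
# keywords and yes/no values are case-insensitive, "key=value" is
# accepted, the first occurrence wins, and everything after the first
# "Match" line is conditional rather than global.
sshd_global_option() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }              # strip comment, key=value
        NF == 0 { next }                                # nothing left on the line
        tolower($1) == "match" { exit }                 # end of the global section
        tolower($1) == tolower(key) && !found { found = 1; print tolower($2) }
    ' "$1"
}

# The value the config script should store in debconf for this file.
# Unset means sshd's compiled-in default, which is "yes", so only an
# explicit "no" maps to false.
debconf_value_for() {
    case "$(sshd_global_option "$1" PasswordAuthentication)" in
        no) echo false ;;
        *)  echo true ;;
    esac
}

# The edit the postinst should make to a template copy for a given
# debconf answer: for false, force the keyword to "no" whether the
# template line is commented out or already active.
apply_debconf_value() {
    if [ "$2" = false ]; then
        # The shipped template spells the keyword in canonical case,
        # so a case-sensitive match is enough for the template itself.
        sed 's/^#*PasswordAuthentication[[:space:]=].*/PasswordAuthentication no/' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Constructed sample files: a cloud image's live config (password auth
# already disabled, in unusual case, plus a break-glass Match block) and
# a copy of the relevant lines of the template.
workdir="$(mktemp -d)"
cat > "$workdir/sshd_config" <<'EOF'
PermitRootLogin prohibit-password
passwordauthentication No     # odd case, still valid for sshd
Match User breakglass
    PasswordAuthentication yes
EOF
cat > "$workdir/template" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF

live="$(debconf_value_for "$workdir/sshd_config")"   # false: global value is "no"
apply_debconf_value "$workdir/template" "$live"
printf 'debconf value synced from live config: %s\n' "$live"
printf 'template after postinst edit: PasswordAuthentication %s\n' \
    "$(sshd_global_option "$workdir/template" PasswordAuthentication)"
rm -rf "$workdir"
```

The Match-block stop and the lower-casing are the two places where a naive grep of sshd_config would drift from what sshd actually enforces; the `ucf --three-way` merge in the real postinst is not emulated here, so this shows only the template rewrite, not how an existing edited config is preserved.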