Bug#878945: Request from cloud team: please add a debconf option for PasswordAuthentication
Package: openssh-server
Version: 1:7.6p1-2
Severity: wishlist

Hello from the Debian cloud team sprint at Microsoft! We were just
discussing the appropriate default value for the PasswordAuthentication
option in sshd_config in Debian's cloud images. Most of these currently
set it to 'no' by modifying the config file; we'd like a debconf option
for this to be added, so that we make the change that way and offer a better
user experience across package upgrades.

Justification for the different default on most clouds:

While defaulting this to 'yes' makes sense in Debian's general case,
most of the major public clouds center their best practices around SSH
keys and support this with tooling and infrastructure. Additionally,
public cloud VM instances are frequently targeted by attackers testing
passwords, who will of course not have any authorized SSH keys.

Although this meets the Debian BTS's definition of wishlist severity, we
on the cloud team view this as a reasonably important change by those
standards, so that we stay secure without manually modifying
sshd_config.

Thanks for your consideration.

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.116
ii debconf 1.5.63
ii dpkg 1.18.24
ii init-system-helpers 1.50
ii libaudit1 1:2.8-1
ii libc6 2.24-17
ii libcomerr2 1.43.6-1
ii libgssapi-krb5-2 1.15.1-2
ii libkrb5-3 1.15.1-2
ii libpam-modules 1.1.8-3.6
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
ii libselinux1 2.7-2
ii libssl1.0.2 1.0.2l-2
ii libsystemd0 235-2
ii libwrap0 7.6.q-26
ii lsb-base 9.20170808
ii openssh-client 1:7.6p1-2
ii openssh-sftp-server 1:7.6p1-2
ii procps 2:3.3.12-3
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages openssh-server recommends:
ii libpam-systemd 235-2
ii ncurses-term 6.0+20170902-1
ii xauth 1:1.0.9-1+b2
Versions of packages openssh-server suggests:
ii ksshaskpass [ssh-askpass] 4:5.10.5-2
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ufw <none>
-- debconf information excluded