
Bug#878945: Request from cloud team: please add a debconf option for PasswordAuthentication

Package: openssh-server
Version: 1:7.6p1-2
Severity: wishlist

Hello from the Debian cloud team sprint at Microsoft! We were just
discussing the appropriate default value for the PasswordAuthentication
option in sshd_config in Debian's cloud images. Most of these currently
set it to 'no' by modifying the config file; we'd like a debconf option
for this to be added, so that we make the change that way and offer a better
user experience across package upgrades.

Justification for the different default on most clouds:

While defaulting this to 'yes' makes sense in Debian's general case,
most of the major public clouds center their best practices around SSH
keys and support this with tooling and infrastructure. Additionally,
public cloud VM instances are frequently targeted by attackers testing
passwords, who will of course not have any authorized SSH keys.

Although this meets the Debian BTS's definition of wishlist severity, we
on the cloud team view this as a reasonably important change by those
standards, so that we stay secure without manually modifying
sshd_config.

Thanks for your consideration.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  dpkg                 1.18.24
ii  init-system-helpers  1.50
ii  libaudit1            1:2.8-1
ii  libc6                2.24-17
ii  libcomerr2           1.43.6-1
ii  libgssapi-krb5-2     1.15.1-2
ii  libkrb5-3            1.15.1-2
ii  libpam-modules       1.1.8-3.6
ii  libpam-runtime       1.1.8-3.6
ii  libpam0g             1.1.8-3.6
ii  libselinux1          2.7-2
ii  libssl1.0.2          1.0.2l-2
ii  libsystemd0          235-2
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20170808
ii  openssh-client       1:7.6p1-2
ii  openssh-sftp-server  1:7.6p1-2
ii  procps               2:3.3.12-3
ii  ucf                  3.0036
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  235-2
ii  ncurses-term    6.0+20170902-1
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  4:5.10.5-2
pn  molly-guard                <none>
pn  monkeysphere               <none>
pn  rssh                       <none>
pn  ufw                        <none>

-- debconf information excluded
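The report above asks for `PasswordAuthentication no` to be set through debconf rather than by editing sshd_config in each image. As an added example, not part of the bug report or of the openssh-server package, the POSIX shell script below reads constructed sshd_config samples the way sshd reads them: the first occurrence of a keyword in the global section wins, anything under a `Match` line is conditional, and a missing keyword falls back to the compiled-in default of `yes`. That makes visible the trap an image builder hits when a `PasswordAuthentication no` line is merely appended below an existing `yes`. The function names and the sample configurations are constructed for this example.

```shell
#!/bin/sh
# Constructed sshd_config samples (not from the bug report). Each one is a
# complete global section as an image-build step might leave it.
SAMPLE_DEFAULT='# constructed: Debian-style default, passwords accepted
Port 22
PasswordAuthentication yes
UsePAM yes
'
SAMPLE_HARDENED='# constructed: cloud-image style, passwords off globally
Port 22
PasswordAuthentication no
UsePAM yes
Match User deploy
    PasswordAuthentication yes
'
SAMPLE_LATE_OVERRIDE='# constructed: the trap, "no" appended after an earlier "yes"
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
'
SAMPLE_MISSING='# constructed: keyword absent, compiled-in default (yes) applies
Port 22
UsePAM yes
'

# effective_setting KEYWORD CONFIG_TEXT
# Prints the value sshd uses for KEYWORD in the global section, or nothing
# when the keyword is absent. Mirrors sshd's rules: keywords are
# case-insensitive, "Keyword=value" is accepted, a line whose first token
# starts with "#" is a comment, the first occurrence wins, and the global
# section ends at the first Match line. Include directives (added in
# OpenSSH releases after the 7.6 in this report) are not followed.
effective_setting() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v key="$key" '
        { gsub(/=/, " ") }                      # normalise Keyword=value
        NF == 0 || $1 ~ /^#/ { next }           # blank and comment lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print $2; exit }   # first occurrence wins
    '
}

# password_auth_enabled CONFIG_TEXT
# Succeeds (exit 0) when sshd would accept passwords for connections that
# match no Match block. An absent keyword means the default, which is yes.
password_auth_enabled() {
    value=$(effective_setting PasswordAuthentication "$1" | tr 'A-Z' 'a-z')
    case "$value" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# report LABEL CONFIG_TEXT: one line per sample for a human reader.
report() {
    if password_auth_enabled "$2"; then
        printf '%-14s password authentication ENABLED (global)\n' "$1"
    else
        printf '%-14s password authentication disabled (global)\n' "$1"
    fi
}

report default       "$SAMPLE_DEFAULT"
report hardened      "$SAMPLE_HARDENED"
report late-override "$SAMPLE_LATE_OVERRIDE"
report missing       "$SAMPLE_MISSING"
```

The late-override sample is the one to watch for: the appended `no` is never consulted because sshd already took the earlier `yes`, so a build step that only appends will leave passwords enabled. On a live system, `sshd -T` prints the effective configuration and `sshd -T -C user=...,addr=...` evaluates the Match blocks for one connection; the script above deliberately reports only the global section.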
