
Bug#250369: ssh: PasswordAuthentication no should result in UsePAM No on update



Package: ssh
Version: 1:3.8.1p1-3
Severity: normal

Hi,

my woody systems routinely run with PasswordAuthentication No, so that
only ssh keys can be used to log in.

When updating one box to sid for testing purposes, /etc/ssh/sshd_config
was augmented with "UsePam yes", allowing users to log in using their
password. This went unnoticed, unwarned and might introduce a security
risk.

Please consider setting "UsePam no" on systems that have
"PasswordAuthentication No" set on update.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zgserver
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                     3.53         Add and remove users and groups
ii  debconf                     1.4.25       Debian configuration management sy
ii  dpkg                        1.10.21      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-21      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-21      Runtime support for the PAM librar
ii  libpam0g                    0.76-21      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7d-2     SSL shared libraries
ii  libwrap0                    7.6.dbs-3    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1.1-3  compression library - runtime

-- debconf information excluded
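
An added example, not part of the original report or of the Debian ssh package: a check for the configuration described above. With UsePAM yes, sshd reaches the PAM password prompt through keyboard-interactive authentication (ChallengeResponseAuthentication), which PasswordAuthentication no does not turn off. The helper name `audit_sshd_config`, the upstream defaults used for unset keywords, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the combination described in the report.
# audit_sshd_config is a hypothetical helper name, not part of the ssh package.
# Returns 0 when no mismatch is found, 1 when PasswordAuthentication is off
# but PAM can still prompt for a password via keyboard-interactive.
audit_sshd_config() {
    awk '
    # Assumed upstream defaults for keywords the file does not set.
    BEGIN { FS = "[ \t=]+"; pw = "yes"; pam = "no"; kbd = "yes" }
    { sub(/^[ \t]+/, "") }                     # drop indentation, re-split fields
    /^(#|$)/ { next }                          # skip comments and blank lines
    { key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
    key == "match" { exit }                    # simplification: global section only
    # sshd keeps the first value it reads for each keyword.
    key == "passwordauthentication" && !("pw" in seen) { pw = val; seen["pw"] = 1 }
    key == "usepam" && !("pam" in seen) { pam = val; seen["pam"] = 1 }
    (key == "challengeresponseauthentication" ||
     key == "kbdinteractiveauthentication") && !("kbd" in seen) {
        kbd = val; seen["kbd"] = 1
    }
    END {
        if (pw == "no" && pam == "yes" && kbd != "no") {
            print "WARN: PasswordAuthentication no, but UsePAM yes with keyboard-interactive enabled"
            exit 1
        }
        print "OK: no mismatch found"
    }' "$1"
}

# Constructed sample: a key-only config after an upgrade appended "UsePam yes".
sample=$(mktemp)
printf 'PasswordAuthentication no\nUsePam yes\n' > "$sample"
audit_sshd_config "$sample" || echo "audit flagged the constructed sample"
rm -f "$sample"
```

Setting either `UsePAM no` or `ChallengeResponseAuthentication no` in the flagged file makes the check pass.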



