Package: openssh-server
Version: 1:6.7p1-3
Severity: minor
i'd like to suggest that when the upgrading question for the
"PermitRootLogin without-password" configuration option (introduced in
1:6.6p1-1) be skipped if the setting PasswordAuthentication is set to
no.
on systems where PasswordAuthentication is disabled, the change does not
have any effect, but costs the updater time or is even unseettling
("wait, didn't i disable that whole thing ages ago?"). disabling
PasswordAuthentication is a frequent recommendation in the area of
securing ssh, and as an optimist i'd expect it to be set on a
significant portion of produciton servers.
a precedent of not asking the question if it is a no-op has been
established in 1:6.6p1-2 (not asking when no root password is set), so i
expect this to be non-controversial. i don't have strong opinions on
whether the PermitRootLogin option should actually be changed when the
question is not shown.
best regards
chrysn
(sorry, the below is a little stripped down; the actual host i'm
reporting this about has no reportbug / mail)
-- debconf information:
* openssh-server/permit-root-login: false
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
* ssh/use_old_init_script: true
ssh/vulnerable_host_keys:
Attachment:
signature.asc
Description: Digital signature