Bug#852781: openssh-server: Wrong default for setting PermitRootLogin (yes instead of prohibit-password) in clean install
Package: openssh-server
Version: 1:7.4p1-6
Severity: serious
Justification: Policy 10.7.3
Dear Maintainer,
as discussed in https://lists.debian.org/debian-ssh/2017/01/msg00059.html
PermitRootLogin gets wrong default in /etc/ssh/sshd_config
* What led up to the situation?
Clean installation, no old config file (/etc/ssh/sshd_config) present
* What exactly did you do (or not do) that was effective (or
ineffective)?
nothing special
* What was the outcome of this action?
[...]
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
[...]
* What outcome did you expect instead?
[...]
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
[...]
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.60
ii dpkg 1.18.18
ii init-system-helpers 1.47
ii libaudit1 1:2.6.7-1
ii libc6 2.24-9
ii libcomerr2 1.43.3-1
ii libgssapi-krb5-2 1.15-1
ii libkrb5-3 1.15-1
ii libpam-modules 1.1.8-3.5
ii libpam-runtime 1.1.8-3.5
ii libpam0g 1.1.8-3.5
ii libselinux1 2.6-3
ii libssl1.0.2 1.0.2k-1
ii libsystemd0 232-14
ii libwrap0 7.6.q-26
ii lsb-base 9.20161125
ii openssh-client 1:7.4p1-6
ii openssh-sftp-server 1:7.4p1-6
ii procps 2:3.3.12-3
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-4
Versions of packages openssh-server recommends:
ii libpam-systemd 232-14
ii ncurses-term 6.0+20161126-1
ii xauth 1:1.0.9-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf-show failed
Reply to: