Bug#878945: marked as done (Request from cloud team: please add a debconf option for PasswordAuthentication)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 10 Feb 2018 03:11:14 +0000
with message-id <E1ekLZK-00066h-1y@fasolo.debian.org>
and subject line Bug#878945: fixed in openssh 1:7.6p1-4
has caused the Debian Bug report #878945,
regarding Request from cloud team: please add a debconf option for PasswordAuthentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
878945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878945
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: Request from cloud team: please add a debconf option for PasswordAuthentication
• From: Jimmy Kaplowitz <jimmy@debian.org>
• Date: Tue, 17 Oct 2017 14:50:24 -0700
• Message-id: <150827702497.20861.3151246440906558110.reportbug@gymnast.kaplowitz.org>

Package: openssh-server
Version: 1:7.6p1-2
Severity: wishlist

Hello from the Debian cloud team sprint at Microsoft! We were just
discussing the appropriate default value for the PasswordAuthentication
option in sshd_config in Debian's cloud images. Most of these currently
set it to 'no' by modifying the config file; we'd like a debconf option
for this to be added, so that we make the change that way and offer a better
user experience across package upgrades.

Justification for the different default on most clouds:

While defaulting this to 'yes' makes sense in Debian's general case,
most of the major public clouds center their best practices around SSH
keys and support this with tooling and infratructure. Additionally,
public cloud VM instances are frequently targeted by attackers testing
passwords, who will of course not have any authorized SSH keys.

Although this meets the Debian BTS's definition of wishlist severity, we
on the cloud team view this as a reasonably important change by those
standards, so that we stay secure without manually modifying
sshd_config.

Thanks for your consideration.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  dpkg                 1.18.24
ii  init-system-helpers  1.50
ii  libaudit1            1:2.8-1
ii  libc6                2.24-17
ii  libcomerr2           1.43.6-1
ii  libgssapi-krb5-2     1.15.1-2
ii  libkrb5-3            1.15.1-2
ii  libpam-modules       1.1.8-3.6
ii  libpam-runtime       1.1.8-3.6
ii  libpam0g             1.1.8-3.6
ii  libselinux1          2.7-2
ii  libssl1.0.2          1.0.2l-2
ii  libsystemd0          235-2
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20170808
ii  openssh-client       1:7.6p1-2
ii  openssh-sftp-server  1:7.6p1-2
ii  procps               2:3.3.12-3
ii  ucf                  3.0036
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  235-2
ii  ncurses-term    6.0+20170902-1
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  4:5.10.5-2
pn  molly-guard                <none>
pn  monkeysphere               <none>
pn  rssh                       <none>
pn  ufw                        <none>

-- debconf information excluded

--- End Message ---

--- Begin Message ---

• To: 878945-close@bugs.debian.org
• Subject: Bug#878945: fixed in openssh 1:7.6p1-4
• From: Colin Watson <cjwatson@debian.org>
• Date: Sat, 10 Feb 2018 03:11:14 +0000
• Message-id: <E1ekLZK-00066h-1y@fasolo.debian.org>

Source: openssh
Source-Version: 1:7.6p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Feb 2018 02:31:46 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.6p1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 878945
Changes:
 openssh (1:7.6p1-4) unstable; urgency=medium
 .
   * Move VCS to salsa.debian.org.
   * Add a preseeding-only openssh-server/password-authentication debconf
     template that can be used to disable password authentication (closes:
     #878945).
Checksums-Sha1:
 ff2277461cc15689a69ee2b08520226d1918f769 3105 openssh_7.6p1-4.dsc
 0510d63441b413e32d4647ae68077beb8e74227f 159732 openssh_7.6p1-4.debian.tar.xz
 cd91c69e3581e9971ddca9979a639a1fb151ecfb 14874 openssh_7.6p1-4_source.buildinfo
Checksums-Sha256:
 3b8a02d664fab7b7d757adf4d5885697e8723a4fc8b71072787af50384d442b7 3105 openssh_7.6p1-4.dsc
 c54489a7eec51a79581ad69eabfe6f9f0d8ddbe08d841157509e38631f8c0e0d 159732 openssh_7.6p1-4.debian.tar.xz
 b05df37e5e3717154febf887b4e93eae612f538305e803d5ed7736368cf3c5e4 14874 openssh_7.6p1-4_source.buildinfo
Files:
 e4ab218462fb2769f3cc62a9dc9d1c31 3105 net standard openssh_7.6p1-4.dsc
 228c6a605512d26884d6d1af6e55aa5d 159732 net standard openssh_7.6p1-4.debian.tar.xz
 8f76a02e4594104b77500970190ab176 14874 net standard openssh_7.6p1-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlp+WagACgkQOTWH2X2G
UAvBfBAAtDsMu4GZlL1WRnww7boMn9S4/nM80qQtaTFmTHxK/5kDIHuAzGLpHyvP
NnQd++35q/5oyuT4/DS8lmG4kd89+ECR4AIhT/aAKDAuME6OR3aFX3wat7v921EM
InqrHZNsZt+m35MtfOOTOE8sQK6lScmB5pYZjE/fNpjGFOaJB1BDT6QmHlQeSYBp
2vJeyHd0wX638O8kXmtHmZDl1LENQwurEGXYX/3YsbHKUm1wPDel/Su1c/yKU6TB
4bDYCulC13nXBmwTf8DhkhDAjyxWaOlZDDO/YnIrgx6j1quvV3mTkze5x2+CZKn8
UVAdAW+6BBHl0eV58tH6x8JPKxil8hy4pjotE3m2mludt2fhSeFGKB7kCdpSlO5+
CB8cuSaknyYzeG/sif33EpkuAstHxPbzB9OmxdDaz5vJ9yPWHmyqW3KB+lQ+6t/J
PgvA2kbhf4cYiDS8o4B9K1zXkLYPpyj0oR4ha2AlyJZWMc/hd3gA858tdsQsTbfd
CclzUle2l3/ZW3WvEjPK/c+8esCXljlzo8Sc2bH2iaVMMy4SpzjPMbNm7WDmLicS
TEyLht/+S+F3R9APXBhLJQAJ90W2V8u9DqA2j1xak/sMpJ+gLx1HY8peZy459d4v
1LokbtHfB8mSIKZd52bBDsBkNBc4+j5Vftgs1C0n7UL+o6F4prY=
=6Ral
-----END PGP SIGNATURE-----

--- End Message ---