
Re: Re: Preseeded setting on openssh-server ignored



Murukesh Mohanan wrote:
> 1. I have explicitly stated that I am automating new installations.
> I don't understand what repeating that statement back to me means.
> I have read README.Debian, and I don't see how it answers my question,
> which is: *why* are you totally ignoring a user-made selection of
> pre-existing debconf question, _irrespective_ of whether it's an upgrade
> or a new installation?

It appears to me that this is simply a misunderstanding.  Let me
review.  You asked about the /etc/ssh/sshd_config PermitRootLogin
variable setting.  Brian replied that was the default package value
upon installation and that the default value had changed and that this
was documented in the /usr/share/doc/openssh-server/README.Debian.gz
file.  The package maintainer documented the change to the default
value.  There is a lot of good information there and I don't want to
distract from it.  Please read through the discussion about why they
decided to make the change.  (Personally I would rather have a
different default setting but I am happy that the discussion was
documented and I can respect the result and deal with it.)

By default installation it means that if no openssh-server package is
installed then there won't be a /etc/ssh/sshd_config file.  When the
package is installed it will place a default sshd_config file there
and that file previously contained:

  PermitRootLogin yes

In new installations that file will contain:

  PermitRootLogin without-password

If you have an existing installation then the file will already exist
with the previous value.  That is why it is different depending upon
whether it is a new installation or an upgraded one.

> If some ignoramus sets a weak password and gets exploited, because
> of an old default, I don't see why it should become my problem or
> yours. The Debian maintainers can set whatever default they choose
> to, as is their right, but why make a decision to ignore the user's
> right to change that default from a pre-existing method?

I read through this several times and I have no idea what you are
talking about.  Sorry.

> If you are going to do so, then why haven't you stated that in the
> root-forsaken README.Debian? I've seen uses of this selection for
> enabling login with password from at least over a year ago, so I am
> not hallucinating about this. /rant Sorry for that.

I think you must be referring to this from your original message.

> I'm trying to use preseeding to automate installation, and
> openssh-server is ignoring a selection
>     openssh-server openssh-server/permit-root-login bool true

Huh?  What?  Huh?  I can find no documentation supporting the use of
that construct as a preseed.  Where is that documented?  Does it
actually exist?  (I don't have the time to try it to find out.)

I think that is the root of the confusion.  You are trying to use the
above as a preseed but I don't find where that would be a documented
preseed interface.  Please educate me if it is actually documented
anywhere.

Since I can't find it I can only assume that is where the issue lies.
It isn't a preseed.  You can't set that option at install time with a
preseed.  I know that was Brian's expectation too because Brian
suggested the option of using late_command in your preseed file and
setting up a late_command to make the config file change to
sshd_config so that it would be the value you want.  And that would be
my recommendation too.

> 2. Wouldn't the right way to make this change be either a) using a
> select field instead of a boolean or b) treating true as "yes", *and*
> respecting this selection (assuming debconf has a way of notifying if
> no value is set), instead of ignoring it?

Assuming this is a documented interface, then okay.  But if it isn't
a documented interface then no.

> 3. If I made a patch to implement 2a or 2b, and it is not crap, would
> you accept it? Or is this a hard setting on the side of Debian
> maintainers?

Whether this is accepted in the Debian package is up to the Debian
maintainers of the openssh package.  That package is a team maintained
package by the debian-ssh team.  You would need to contact them.  I
don't think anyone here will know if any of those folks are subscribed
to the debian-user mailing list.  The debian-user mailing list is a
community support mailing list.  We are all simply users here and try
to help each other out.

Bob
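
The late_command route recommended in the message above needs a command that edits sshd_config after the package has put its default file in place. The following is an added example, not part of the original message or of the openssh package; the function name set_permit_root_login and the sample file are constructed, and it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the thread): set the global PermitRootLogin value
# in an sshd_config-style file. Assumes "Keyword value" lines split by blanks.
set_permit_root_login() {
    file=$1 value=$2
    case $value in
        yes|no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "invalid PermitRootLogin value: $value" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v val="$value" '
        # sshd keeps the first value it reads for a keyword, and lines after
        # a Match line are conditional, so write ours once in the global part.
        function emit() { if (!done) { print "PermitRootLogin " val; done = 1 } }
        tolower($1) == "match" { emit(); in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { emit(); next }
        { print }
        END { emit() }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back so the file keeps its owner and mode.
    if ! cmp -s "$tmp" "$file"; then cat "$tmp" > "$file"; fi
    rm -f "$tmp"
}

# Constructed sample file, edited in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
        'Match User backup' '    PermitRootLogin forced-commands-only' > "$dir/sshd_config"
    set_permit_root_login "$dir/sshd_config" without-password && cat "$dir/sshd_config"
    rm -rf "$dir"
}
demo
```

From a debian-installer late_command the installed system is mounted under /target, so the file to pass is /target/etc/ssh/sshd_config. Running `sshd -t` on the installed system afterwards checks the edited file before the service is restarted.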
