#778459 migration question for "PermitRootLogin without-password" should be skipped if "PasswordAuthentication no" is set

Package:
openssh-server
Source:
openssh
Description:
secure shell (SSH) server, for secure access from remote machines
Submitter:
chrysn
Date:
2015-02-15 16:27:13 UTC
Severity:
minor
#778459#5
Date:
2015-02-15 11:47:34 UTC
i'd like to suggest that the upgrading question for the
"PermitRootLogin without-password" configuration option (introduced in
1:6.6p1-1) be skipped if the setting PasswordAuthentication is set to
no.

on systems where PasswordAuthentication is disabled, the change does not
have any effect, but costs the updater time or is even unsettling
("wait, didn't i disable that whole thing ages ago?"). disabling
PasswordAuthentication is a frequent recommendation in the area of
securing ssh, and as an optimist i'd expect it to be set on a
significant portion of production servers.

a precedent of not asking the question if it is a no-op has been
established in 1:6.6p1-2 (not asking when no root password is set), so i
expect this to be non-controversial. i don't have strong opinions on
whether the PermitRootLogin option should actually be changed when the
question is not shown.

best regards
chrysn

(sorry, the below is a little stripped down; the actual host i'm
reporting this about has no reportbug / mail)

#778459#10
Date:
2015-02-15 12:36:08 UTC
Hi,

2015-02-15 12:47:34 chrysn:

the check for that won't be trivial, consider another common config:

PasswordAuthentication no
Match Address 2001:db8::/32
	PasswordAuthentication yes


Regards
Timo

#778459#15
Date:
2015-02-15 16:25:46 UTC
chrysn <chrysn@fsfe.org> writes:

You need to make sure ChallengeResponseAuthentication is disabled too.
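
The check discussed in this thread, as an added example that is not part of the bug log or of the openssh packaging scripts: it treats the question as a no-op only when PasswordAuthentication and ChallengeResponseAuthentication are both explicitly "no" globally and no Match block sets either to anything else. The function name and sample configs are constructed; it assumes an unset option defaults to yes and does not follow Include directives.

```shell
#!/bin/sh
# Added example. Reads an sshd_config on stdin.
# Exit 0: password-style logins are off in every context (question is a no-op).
# Exit 1: they are, or may be, enabled somewhere (keep asking).
password_auth_fully_disabled() {   # hypothetical helper name
    awk '
    BEGIN { risky = 0; in_match = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                # drop comments
        sub(/[ \t]*=[ \t]*/, " ", line)     # accept the "Keyword=value" form
        if (split(line, f) < 2) next
        key = tolower(f[1]); val = f[2]     # keywords are case-insensitive
        if (key == "match") { in_match = 1; next }
        if (key != "passwordauthentication" &&
            key != "challengeresponseauthentication") next
        if (in_match) {
            # Conservative: any Match override that is not an explicit "no"
            if (val != "no") risky = 1
        } else if (!(key in first)) {
            first[key] = val                # sshd uses the first value it sees
        }
    }
    END {
        # Assumption: an unset option defaults to yes, so it counts as enabled
        if (first["passwordauthentication"] != "no") risky = 1
        if (first["challengeresponseauthentication"] != "no") risky = 1
        exit risky
    }'
}

# Constructed sample configs (not taken from any real host)
CONF_GLOBAL_OFF='PasswordAuthentication no
ChallengeResponseAuthentication no'
CONF_MATCH_OVERRIDE='ChallengeResponseAuthentication no
PasswordAuthentication no
Match Address 2001:db8::/32
	PasswordAuthentication yes'
CONF_CR_DEFAULT='PasswordAuthentication no'

for name in CONF_GLOBAL_OFF CONF_MATCH_OVERRIDE CONF_CR_DEFAULT; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | password_auth_fully_disabled; then
        echo "$name: skip the question"
    else
        echo "$name: ask the question"
    fi
done
```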