Package: openssh-server Version: 1:6.7p1-3 Severity: minor i'd like to suggest that when the upgrading question for the "PermitRootLogin without-password" configuration option (introduced in 1:6.6p1-1) be skipped if the setting PasswordAuthentication is set to no.
on systems where PasswordAuthentication is disabled, the change does not have any effect, but costs the updater time or is even unseettling ("wait, didn't i disable that whole thing ages ago?"). disabling PasswordAuthentication is a frequent recommendation in the area of securing ssh, and as an optimist i'd expect it to be set on a significant portion of produciton servers. a precedent of not asking the question if it is a no-op has been established in 1:6.6p1-2 (not asking when no root password is set), so i expect this to be non-controversial. i don't have strong opinions on whether the PermitRootLogin option should actually be changed when the question is not shown. best regards chrysn (sorry, the below is a little stripped down; the actual host i'm reporting this about has no reportbug / mail) -- debconf information: * openssh-server/permit-root-login: false ssh/disable_cr_auth: false ssh/encrypted_host_key_but_no_keygen: * ssh/use_old_init_script: true ssh/vulnerable_host_keys:
signature.asc
Description: Digital signature