Package: openssh-server
Version: 1:7.6p1-2
Severity: wishlist

Hello from the Debian cloud team sprint at Microsoft!

We were just discussing the appropriate default value for the PasswordAuthentication option in sshd_config in Debian's cloud images. Most of these currently set it to 'no' by modifying the config file; we'd like a debconf option for this to be added, so that we make the change that way and offer a better user experience across package upgrades.

Justification for the different default on most clouds: While defaulting this to 'yes' makes sense in Debian's general case, most of the major public clouds center their best practices around SSH keys and support this with tooling and infrastructure. Additionally, public cloud VM instances are frequently targeted by attackers testing passwords, who will of course not have any authorized SSH keys.

Although this meets the Debian BTS's definition of wishlist severity, we on the cloud team view this as a reasonably important change by those standards, so that we stay secure without manually modifying sshd_config.

Thanks for your consideration.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  dpkg                 1.18.24
ii  init-system-helpers  1.50
ii  libaudit1            1:2.8-1
ii  libc6                2.24-17
ii  libcomerr2           1.43.6-1
ii  libgssapi-krb5-2     1.15.1-2
ii  libkrb5-3            1.15.1-2
ii  libpam-modules       1.1.8-3.6
ii  libpam-runtime       1.1.8-3.6
ii  libpam0g             1.1.8-3.6
ii  libselinux1          2.7-2
ii  libssl1.0.2          1.0.2l-2
ii  libsystemd0          235-2
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20170808
ii  openssh-client       1:7.6p1-2
ii  openssh-sftp-server  1:7.6p1-2
ii  procps               2:3.3.12-3
ii  ucf                  3.0036
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  235-2
ii  ncurses-term    6.0+20170902-1
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  4:5.10.5-2
pn  molly-guard                <none>
pn  monkeysphere               <none>
pn  rssh                       <none>
pn  ufw                        <none>

-- debconf information excluded
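Whichever mechanism ends up setting the value (a hand-edited sshd_config or a debconf-driven one), an image build or compliance check still needs to confirm what sshd will actually do. The following POSIX shell function is an added example, not part of the bug report or of the openssh-server package: it reads an sshd_config and reports the effective PasswordAuthentication value, honouring sshd's first-match rule and the compiled-in upstream default of 'yes' when the directive is absent or commented out. It assumes the file contains no Match blocks and uses the whitespace-separated keyword form rather than `keyword=value`; the sample config files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: audit the effective PasswordAuthentication setting of an
# sshd_config file. sshd takes the FIRST occurrence of a keyword, and falls
# back to the built-in default ('yes' for PasswordAuthentication) when the
# keyword never appears. Assumptions: no Match blocks (we stop at the first
# one), and directives written as "Keyword value" rather than "Keyword=value".

effective_password_auth() {
    # $1: path to an sshd_config file; prints "yes" or "no"
    value=$(awk '
        tolower($1) == "match" { exit }                       # conditional section: stop
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'yes\n'   # upstream default when the directive is not set
    fi
}

# Constructed sample configurations (not taken from any real image)
tmpdir=$(mktemp -d)

# A cloud image that disables password logins explicitly
cat > "$tmpdir/cloud.conf" <<'EOF'
# key-only logins on this image
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# A stock file where the directive is only present as a comment,
# so the compiled-in default ('yes') applies
cat > "$tmpdir/stock.conf" <<'EOF'
#PasswordAuthentication yes
UsePAM yes
EOF

# A file with a duplicate directive: the first occurrence wins
cat > "$tmpdir/duplicate.conf" <<'EOF'
PasswordAuthentication no
PasswordAuthentication yes
EOF

echo "cloud.conf:     $(effective_password_auth "$tmpdir/cloud.conf")"
echo "stock.conf:     $(effective_password_auth "$tmpdir/stock.conf")"
echo "duplicate.conf: $(effective_password_auth "$tmpdir/duplicate.conf")"
```

On a running system the authoritative check is `sshd -T`, which prints the fully resolved configuration (including defaults and Match evaluation for a given connection); the function above is useful when auditing an image's file before it is ever booted, where sshd cannot be invoked.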