Bug#745778: openssh-server/permit-root-login should be honored for new installs too
Hi Ferenc, On Tue, Jan 31, 2017 at 04:23:07PM +0100, Ferenc Wágner wrote: > Hi, > > How is this supposed to work now? On a fresh stretch install, with > /etc/ssh/sshd_config being identical to /usr/share/openssh/sshd_config, > dpkg-reconfigure openssh-server does not ask anything: > > # DEBCONF_DEBUG=developer dpkg-reconfigure openssh-server > debconf (developer): starting /var/lib/dpkg/info/openssh-server.config > reconfigure 1:7.4p1-5 > debconf (developer): <-- VERSION 2.0 > debconf (developer): --> 0 2.0 > debconf (developer): <-- SET openssh-server/permit-root-login true > debconf (developer): --> 0 value set > debconf (developer): starting /var/lib/dpkg/info/openssh-server.postinst > configure 1:7.4p1-5 > debconf (developer): <-- VERSION 2.0 > debconf (developer): --> 0 2.0 > debconf (developer): <-- GET openssh-server/permit-root-login > debconf (developer): --> 0 true > debconf (developer): <-- X_LOADTEMPLATEFILE /var/lib/dpkg/info/ucf.templates > ucf > debconf (developer): --> 0 > debconf (developer): <-- STOP > > Should it? Or did this debconf question become deprecated? I noticed, in https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#openssh # The "false" value is in fact correct despite being confusing. $ echo 'openssh-server openssh-server/permit-root-login boolean false' | debconf-set-selections Regards, Salvatore
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
Hi, How is this supposed to work now? On a fresh stretch install, with /etc/ssh/sshd_config being identical to /usr/share/openssh/sshd_config, dpkg-reconfigure openssh-server does not ask anything: # DEBCONF_DEBUG=developer dpkg-reconfigure openssh-server debconf (developer): starting /var/lib/dpkg/info/openssh-server.config reconfigure 1:7.4p1-5 debconf (developer): <-- VERSION 2.0 debconf (developer): --> 0 2.0 debconf (developer): <-- SET openssh-server/permit-root-login true debconf (developer): --> 0 value set debconf (developer): starting /var/lib/dpkg/info/openssh-server.postinst configure 1:7.4p1-5 debconf (developer): <-- VERSION 2.0 debconf (developer): --> 0 2.0 debconf (developer): <-- GET openssh-server/permit-root-login debconf (developer): --> 0 true debconf (developer): <-- X_LOADTEMPLATEFILE /var/lib/dpkg/info/ucf.templates ucf debconf (developer): --> 0 debconf (developer): <-- STOP Should it? Or did this debconf question become deprecated? -- Thanks, Feri
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
Christoph Anton Mitterer writes: > On Thu, 2015-04-30 at 23:00 +0200, Ferenc Wagner wrote: > >> By "usual means" do you mean preseeding late_command with a sed >> script editing sshd_config? > > No I rather meant by using the installation system or configuration > system you use (FAI, puppet, etc.) Actually, we only need the initial root login so that our configuration system can bootstrap the login policy of the organization (which means LDAP user DB, SSH key authorization and no root login at all). We could work around this issue in various ways, but we'd rather continue on the known path if possible. And the documentation says it is... -- Regards, Feri. -- To UNSUBSCRIBE, email to debian-ssh-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87sibdzd5n@lant.ki.iif.hu
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
On Thu, 2015-04-30 at 23:00 +0200, Ferenc Wagner wrote: > By "usual means" do you mean preseeding late_command with a sed script > editing sshd_config? No I rather meant by using the installation system or configuration system you use (FAI, puppet, etc.) Cheers, Chris. smime.p7s Description: S/MIME cryptographic signature
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
By "usual means" do you mean preseeding late_command with a sed script editing sshd_config? https://www.debian.org/releases/jessie/i386/apbs05.html.en#preseed-hooks That's certainly possible, but preseeding a boolean (as documented) is significantly simpler. -- Regards, Feri. -- To UNSUBSCRIBE, email to debian-ssh-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87fv7h2uwk@lant.ki.iif.hu
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
What's the problem with simply changing the configuration by usual means as with all other options which are not specifically handled by debconf? Cheers, Chris. smime.p7s Description: S/MIME cryptographic signature
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
The preseed possibility is actually documented in the jessie release notes, see https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#openssh I tried to use it in vain, then found this bug. Please raise its urgency. :) -- Thanks, Feri. -- To UNSUBSCRIBE, email to debian-ssh-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87zj5sa267@lant.ki.iif.hu
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
On Apr 25, Marco d'Itri wrote: > Some environments need PermitRootLogin=yes. > They will configure it no matter what the openssh maintainers think > about it, so please let's save time for everybody and allow this to be > preseeded for new installs as well. Would you accept a patch to implement this? -- ciao, Marco signature.asc Description: Digital signature
Bug#745778: openssh-server/permit-root-login should be honored for new installs too
Package: openssh-server Version: 1:6.6p1-1 Severity: normal Some environments need PermitRootLogin=yes. They will configure it no matter what the openssh maintainers think about it, so please let's save time for everybody and allow this to be preseeded for new installs as well. -- ciao, Marco signature.asc Description: Digital signature