From 0e12eb7b58ae29ccf52571e82af99c3a3a04b399 Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Tue, 10 May 2022 10:08:21 -0400
Subject: [PATCH] ssh: update sshd_config for prohibit-password option

The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015.  Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).

The UsePAM description in sshd_config still mentioned
"without-password."  Update it to match the new canonical option.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
---
 crypto/openssh/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index bb2e1098368e..956a4bd7d7af 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -78,7 +78,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.