OpenSSH changes upgrading from <= 3.6p2 to 3.8p1
Jun-9-2004 Stew Benedict

Some changes in the behavior of the openssh-server have taken place in
the 3.8p1 upgrade. UsePAM is now "no" by default, and recommendations are
not to enable it lightly. That said, some changes have been made to
/etc/pam.d/ssh to preserve expected behavior if UsePAM is enabled:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line, together with the entry "root" in the referenced
/etc/ssh/denyusers, allows "PermitRootLogin without-password" to behave as
expected, using keys. Otherwise, it is still possible to get a password
prompt and log in without keys.

The package has a trigger that attempts to detect alternative auth methods
(ldap, mysql, winbind) and changes UsePAM to yes if one of these is
detected.

If you update and suddenly your users can't log in via ssh, you may need to
review and correct the configuration. Please consult "man sshd_config" for
details of the configuration choices.

You may also find you need to set:

    ChallengeResponseAuthentication=no

for things like pam_mkhomedir to work.

In addition, for X11 forwarding to work in 3.8p1, the option
"ForwardX11Trusted yes" must be enabled in /etc/ssh/ssh_config. This is
enabled by default.

Also, as of 3.9p1-3mdk, sshd by default only accepts protocol 2
connections. To restore the old behavior, change 'Protocol 2' to
'Protocol 2,1' in /etc/ssh/sshd_config.
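
The root-login condition described above (UsePAM enabled, "PermitRootLogin without-password", the pam_listfile line and the "root" entry in the deny file) can be checked with a short script. This is an added example, not part of the openssh package; the function names and the scratch files are constructed for illustration, and on a real system the arguments would be /etc/ssh/sshd_config and /etc/pam.d/ssh.

```shell
#!/bin/sh
# Added example (not from the openssh package): audit the root-login setup.

# sshd_value FILE KEYWORD: print the first value set for KEYWORD.
# Keywords are case-insensitive, "Keyword=value" is accepted, and sshd
# uses the first occurrence of a keyword.
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# check_root_login SSHD_CONFIG PAM_FILE: return 1 if root could still get a
# password prompt through PAM, 0 otherwise.
check_root_login() {
    cfg=$1 pam=$2
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "without-password" ] ||
        { echo "skip: PermitRootLogin is not without-password"; return 0; }
    usepam=$(sshd_value "$cfg" UsePAM)
    # UsePAM defaults to "no" as of 3.8p1 (per the note above).
    [ "${usepam:-no}" = "yes" ] ||
        { echo "ok: UsePAM is off"; return 0; }
    # Find the deny-list path named by the pam_listfile rule, if present.
    deny=$(awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_listfile\.so$/ &&
                /item=user/ && /sense=deny/ {
                for (i = 4; i <= NF; i++)
                    if ($i ~ /^file=/) { sub(/^file=/, "", $i); print $i; exit }
            }' "$pam")
    [ -n "$deny" ] ||
        { echo "GAP: no pam_listfile deny rule in $pam"; return 1; }
    grep -qx root "$deny" 2>/dev/null ||
        { echo "GAP: root is not listed in $deny"; return 1; }
    echo "ok: PAM denies root via $deny, so root needs a key"
}

# Constructed sample files in a scratch directory (not real system files).
demo=$(mktemp -d)
printf '%s\n' 'PermitRootLogin without-password' 'UsePAM yes' > "$demo/sshd_config"
echo "auth required pam_listfile.so item=user sense=deny file=$demo/denyusers" > "$demo/pam_ssh"
: > "$demo/denyusers"                                           # root missing
check_root_login "$demo/sshd_config" "$demo/pam_ssh" || true    # reports GAP
echo root > "$demo/denyusers"
check_root_login "$demo/sshd_config" "$demo/pam_ssh"            # reports ok
```

A nonzero exit status means the password path for root is still open through PAM and the configuration should be corrected before relying on key-only root access.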