author | Colin Watson <cjwatson@debian.org> | 2003-09-01 19:14:16 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 19:14:16 +0000 |
commit | 5e7b8cb37dbb1025c08b0ce4193b820dc1e66337 (patch) | |
tree | d297019b0baf31e0d3833b4abc7a5653e5df3f74 /debian/templates.master | |
parent | 4a4400f027c87b8b8182ecad3e821c0a0db49df0 (diff) |
Debian release 3.6.1p2-2.
Diffstat (limited to 'debian/templates.master')
-rw-r--r-- | debian/templates.master | 162 |
1 files changed, 162 insertions, 0 deletions
diff --git a/debian/templates.master b/debian/templates.master new file mode 100644 index 000000000..3f0ccd079 --- /dev/null +++ b/debian/templates.master | |||
@@ -0,0 +1,162 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | _Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation option. This | ||
5 | significantly reduces the quantity of code that runs as root, and | ||
6 | therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
9 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
10 | fail, and PAM keyboard-interactive authentication won't work. | ||
11 | . | ||
12 | Privilege separation is turned on by default, so if you decide you want it | ||
13 | turned off, you need to add "UsePrivilegeSeparation no" to | ||
14 | /etc/ssh/sshd_config. | ||
15 | . | ||
16 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
17 | separation will not work at all, and your sshd will fail to start unless | ||
18 | you explicitly turn privilege separation off. | ||
19 | |||
20 | Template: ssh/privsep_ask | ||
21 | Type: boolean | ||
22 | Default: true | ||
23 | _Description: Enable Privilege separation | ||
24 | This version of OpenSSH contains the new privilege separation option. This | ||
25 | significantly reduces the quantity of code that runs as root, and | ||
26 | therefore reduces the impact of security holes in sshd. | ||
27 | . | ||
28 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
29 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
30 | fail, and PAM keyboard-interactive authentication won't work. | ||
31 | . | ||
32 | Since you've opted to have me generate an sshd_config file for you, you | ||
33 | can choose whether or not to have Privilege Separation turned on or not. | ||
34 | Unless you are running 2.0 (in which case you *must* say no here or your | ||
35 | sshd won't start at all) or know you need to use PAM features that won't | ||
36 | work with this option, you should say yes here. | ||
37 | |||
38 | Template: ssh/new_config | ||
39 | Type: boolean | ||
40 | Default: true | ||
41 | _Description: Generate new configuration file | ||
42 | This version of OpenSSH has a considerably changed configuration file from | ||
43 | the version shipped in Debian 'Potato', which you appear to be upgrading | ||
44 | from. I can now generate you a new configuration file | ||
45 | (/etc/ssh/sshd.config), which will work with the new server version, but | ||
46 | will not contain any customisations you made with the old version. | ||
47 | . | ||
48 | Please note that this new configuration file will set the value of | ||
49 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password | ||
50 | can ssh directly in as root). It is the opinion of the maintainer that | ||
51 | this is the correct default (see README.Debian for more details), but you | ||
52 | can always edit sshd_config and set it to no if you wish. | ||
53 | . | ||
54 | It is strongly recommended that you let me generate a new configuration | ||
55 | file for you. | ||
56 | |||
57 | Template: ssh/protocol2_only | ||
58 | Type: boolean | ||
59 | Default: true | ||
60 | _Description: Allow SSH protocol 2 only | ||
61 | This version of OpenSSH supports version 2 of the ssh protocol, which is | ||
62 | much more secure. Disabling ssh 1 is encouraged, however this will slow | ||
63 | things down on low end machines and might prevent older clients from | ||
64 | connecting (the ssh client shipped with "potato" is affected). | ||
65 | . | ||
66 | Also please note that keys used for protocol 1 are different so you will | ||
67 | not be able to use them if you only allow protocol 2 connections. | ||
68 | . | ||
69 | If you later change your mind about this setting, README.Debian has | ||
70 | instructions on what to do to your sshd_config file. | ||
71 | |||
72 | Template: ssh/ssh2_keys_merged | ||
73 | Type: note | ||
74 | _Description: ssh2 keys merged in configuration files | ||
75 | As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
76 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
77 | needed. They will still be read in order to maintain backwards | ||
78 | compatibility | ||
79 | |||
80 | Template: ssh/use_old_init_script | ||
81 | Type: boolean | ||
82 | Default: false | ||
83 | _Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
84 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
85 | all running sshd instances. If you are doing this upgrade via an ssh | ||
86 | session, that would be a Bad Thing(tm). | ||
87 | . | ||
88 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
89 | start-stop-daemon line in the stop section of the file. | ||
90 | |||
91 | Template: ssh/forward_warning | ||
92 | Type: note | ||
93 | _Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
94 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
95 | ForwardAgent set to ``off'' by default. | ||
96 | . | ||
97 | You can enable it for servers you trust, either in one of the | ||
98 | configuration files, or with the -X command line option. | ||
99 | . | ||
100 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
101 | |||
102 | Template: ssh/insecure_rshd | ||
103 | Type: note | ||
104 | _Description: Warning: rsh-server is installed --- probably not a good idea | ||
105 | having rsh-server installed undermines the security that you were probably | ||
106 | wanting to obtain by installing ssh. I'd advise you to remove that | ||
107 | package. | ||
108 | |||
109 | Template: ssh/insecure_telnetd | ||
110 | Type: note | ||
111 | _Description: Warning: telnetd is installed --- probably not a good idea | ||
112 | I'd advise you to either remove the telnetd package (if you don't actually | ||
113 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
114 | least some chance that telnet sessions will not be sending unencrypted | ||
115 | login/password and session information over the network. | ||
116 | |||
117 | Template: ssh/encrypted_host_key_but_no_keygen | ||
118 | Type: note | ||
119 | _Description: Warning: you must create a new host key | ||
120 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH | ||
121 | can not handle this host key file, and I can't find the ssh-keygen utility | ||
122 | from the old (non-free) SSH installation. | ||
123 | . | ||
124 | You will need to generate a new host key. | ||
125 | |||
126 | Template: ssh/SUID_client | ||
127 | Type: boolean | ||
128 | Default: true | ||
129 | _Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
130 | You have the option of installing the ssh-keysign helper with the SUID bit | ||
131 | set. | ||
132 | . | ||
133 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
134 | host-based authentication. | ||
135 | . | ||
136 | If in doubt, I suggest you install it with SUID. If it causes problems | ||
137 | you can change your mind later by running: dpkg-reconfigure ssh | ||
138 | |||
139 | Template: ssh/run_sshd | ||
140 | Type: boolean | ||
141 | Default: true | ||
142 | _Description: Do you want to run the sshd server ? | ||
143 | This package contains both the ssh client, and the sshd server. | ||
144 | . | ||
145 | Normally the sshd Secure Shell Server will be run to allow remote logins | ||
146 | via ssh. | ||
147 | . | ||
148 | If you are only interested in using the ssh client for outbound | ||
149 | connections on this machine, and don't want to log into it at all using | ||
150 | ssh, then you can disable sshd here. | ||
151 | |||
152 | Template: ssh/user_environment_tell | ||
153 | Type: note | ||
154 | _Description: Environment options on keys have been deprecated | ||
155 | This version of OpenSSH disables the environment option for public keys by | ||
156 | default, in order to avoid certain attacks (for example, LD_PRELOAD). If | ||
157 | you are using this option in an authorized_keys file, beware that the keys | ||
158 | in question will no longer work until the option is removed. | ||
159 | . | ||
160 | To re-enable this option, set "PermitUserEnvironment yes" in | ||
161 | /etc/ssh/sshd_config after the upgrade is complete, taking note of the | ||
162 | warning in the sshd_config(5) manual page. | ||