Debian release 3.6.1p2-2.

author: Colin Watson <cjwatson@debian.org> 2003-09-01 19:14:16 +0000
committer: Colin Watson <cjwatson@debian.org> 2003-09-01 19:14:16 +0000
commit: 5e7b8cb37dbb1025c08b0ce4193b820dc1e66337 (patch)
tree: d297019b0baf31e0d3833b4abc7a5653e5df3f74 /debian/templates.master
parent: 4a4400f027c87b8b8182ecad3e821c0a0db49df0 (diff)
1 files changed, 162 insertions, 0 deletions
diff --git a/debian/templates.master b/debian/templates.master
new file mode 100644
index 000000000..3f0ccd079
--- /dev/null
+++ b/debian/templates.master
@@ -0,0 +1,162 @@
+Template: ssh/privsep_tell
+Type: note
+_Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you want it
+ turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start unless
+ you explicitly turn privilege separation off.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+_Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you, you
+ can choose whether or not to have Privilege Separation turned on or not.
+ Unless you are running 2.0 (in which case you *must* say no here or your
+ sshd won't start at all) or know you need to use PAM features that won't
+ work with this option, you should say yes here.
+Template: ssh/new_config
+Type: boolean
+Default: true
+_Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from
+ the version shipped in Debian 'Potato', which you appear to be upgrading
+ from. I can now generate you a new configuration file
+ (/etc/ssh/sshd.config), which will work with the new server version, but
+ will not contain any customisations you made with the old version.
+ .
+ Please note that this new configuration file will set the value of
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password
+ can ssh directly in as root). It is the opinion of the maintainer that
+ this is the correct default (see README.Debian for more details), but you
+ can always edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration
+ file for you.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+_Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which is
+ much more secure.  Disabling ssh 1 is encouraged, however this will slow
+ things down on low end machines and might prevent older clients from
+ connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has
+ instructions on what to do to your sshd_config file.
+Template: ssh/ssh2_keys_merged
+Type: note
+_Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
+ keys. This means the authorized_keys2 and known_hosts2 files are no longer
+ needed. They will still be read in order to maintain backwards
+ compatibility
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+_Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Template: ssh/forward_warning
+Type: note
+_Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either in one of the
+ configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Template: ssh/insecure_rshd
+Type: note
+_Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that
+ package.
+Template: ssh/insecure_telnetd
+Type: note
+_Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+_Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
+ can not handle this host key file, and I can't find the ssh-keygen utility
+ from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+_Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID bit
+ set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes problems
+ you can change your mind later by running:   dpkg-reconfigure ssh
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+_Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote logins
+ via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all using
+ ssh, then you can disable sshd here.
+Template: ssh/user_environment_tell
+Type: note
+_Description: Environment options on keys have been deprecated
+ This version of OpenSSH disables the environment option for public keys by
+ default, in order to avoid certain attacks (for example, LD_PRELOAD). If
+ you are using this option in an authorized_keys file, beware that the keys
+ in question will no longer work until the option is removed.
+ .
+ To re-enable this option, set "PermitUserEnvironment yes" in
+ /etc/ssh/sshd_config after the upgrade is complete, taking note of the
+ warning in the sshd_config(5) manual page.
author	Colin Watson <cjwatson@debian.org>	2003-09-01 19:14:16 +0000
committer	Colin Watson <cjwatson@debian.org>	2003-09-01 19:14:16 +0000
commit	5e7b8cb37dbb1025c08b0ce4193b820dc1e66337 (patch)
tree	d297019b0baf31e0d3833b4abc7a5653e5df3f74 /debian/templates.master
parent	4a4400f027c87b8b8182ecad3e821c0a0db49df0 (diff)

diff --git a/debian/templates.master b/debian/templates.master new file mode 100644 index 000000000..3f0ccd079 --- /dev/null +++ b/debian/templates.master
@@ -0,0 +1,162 @@
	1	Template: ssh/privsep_tell
	2	Type: note
	3	_Description: Privilege separation
	4	This version of OpenSSH contains the new privilege separation option. This
	5	significantly reduces the quantity of code that runs as root, and
	6	therefore reduces the impact of security holes in sshd.
	7	.
	8	Unfortunately, privilege separation interacts badly with PAM. Any PAM
	9	session modules that need to run as root (pam_mkhomedir, for example) will
	10	fail, and PAM keyboard-interactive authentication won't work.
	11	.
	12	Privilege separation is turned on by default, so if you decide you want it
	13	turned off, you need to add "UsePrivilegeSeparation no" to
	14	/etc/ssh/sshd_config.
	15	.
	16	NB! If you are running a 2.0 series Linux kernel, then privilege
	17	separation will not work at all, and your sshd will fail to start unless
	18	you explicitly turn privilege separation off.
	19
	20	Template: ssh/privsep_ask
	21	Type: boolean
	22	Default: true
	23	_Description: Enable Privilege separation
	24	This version of OpenSSH contains the new privilege separation option. This
	25	significantly reduces the quantity of code that runs as root, and
	26	therefore reduces the impact of security holes in sshd.
	27	.
	28	Unfortunately, privilege separation interacts badly with PAM. Any PAM
	29	session modules that need to run as root (pam_mkhomedir, for example) will
	30	fail, and PAM keyboard-interactive authentication won't work.
	31	.
	32	Since you've opted to have me generate an sshd_config file for you, you
	33	can choose whether or not to have Privilege Separation turned on or not.
	34	Unless you are running 2.0 (in which case you must say no here or your
	35	sshd won't start at all) or know you need to use PAM features that won't
	36	work with this option, you should say yes here.
	37
	38	Template: ssh/new_config
	39	Type: boolean
	40	Default: true
	41	_Description: Generate new configuration file
	42	This version of OpenSSH has a considerably changed configuration file from
	43	the version shipped in Debian 'Potato', which you appear to be upgrading
	44	from. I can now generate you a new configuration file
	45	(/etc/ssh/sshd.config), which will work with the new server version, but
	46	will not contain any customisations you made with the old version.
	47	.
	48	Please note that this new configuration file will set the value of
	49	'PermitRootLogin' to yes (meaning that anyone knowing the root password
	50	can ssh directly in as root). It is the opinion of the maintainer that
	51	this is the correct default (see README.Debian for more details), but you
	52	can always edit sshd_config and set it to no if you wish.
	53	.
	54	It is strongly recommended that you let me generate a new configuration
	55	file for you.
	56
	57	Template: ssh/protocol2_only
	58	Type: boolean
	59	Default: true
	60	_Description: Allow SSH protocol 2 only
	61	This version of OpenSSH supports version 2 of the ssh protocol, which is
	62	much more secure. Disabling ssh 1 is encouraged, however this will slow
	63	things down on low end machines and might prevent older clients from
	64	connecting (the ssh client shipped with "potato" is affected).
	65	.
	66	Also please note that keys used for protocol 1 are different so you will
	67	not be able to use them if you only allow protocol 2 connections.
	68	.
	69	If you later change your mind about this setting, README.Debian has
	70	instructions on what to do to your sshd_config file.
	71
	72	Template: ssh/ssh2_keys_merged
	73	Type: note
	74	_Description: ssh2 keys merged in configuration files
	75	As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
	76	keys. This means the authorized_keys2 and known_hosts2 files are no longer
	77	needed. They will still be read in order to maintain backwards
	78	compatibility
	79
	80	Template: ssh/use_old_init_script
	81	Type: boolean
	82	Default: false
	83	_Description: Do you want to continue (and risk killing active ssh sessions) ?
	84	The version of /etc/init.d/ssh that you have installed, is likely to kill
	85	all running sshd instances. If you are doing this upgrade via an ssh
	86	session, that would be a Bad Thing(tm).
	87	.
	88	You can fix this by adding "--pidfile /var/run/sshd.pid" to the
	89	start-stop-daemon line in the stop section of the file.
	90
	91	Template: ssh/forward_warning
	92	Type: note
	93	_Description: NOTE: Forwarding of X11 and Authorization disabled by default.
	94	For security reasons, the Debian version of ssh has ForwardX11 and
	95	ForwardAgent set to ``off'' by default.
	96	.
	97	You can enable it for servers you trust, either in one of the
	98	configuration files, or with the -X command line option.
	99	.
	100	More details can be found in /usr/share/doc/ssh/README.Debian
	101
	102	Template: ssh/insecure_rshd
	103	Type: note
	104	_Description: Warning: rsh-server is installed --- probably not a good idea
	105	having rsh-server installed undermines the security that you were probably
	106	wanting to obtain by installing ssh. I'd advise you to remove that
	107	package.
	108
	109	Template: ssh/insecure_telnetd
	110	Type: note
	111	_Description: Warning: telnetd is installed --- probably not a good idea
	112	I'd advise you to either remove the telnetd package (if you don't actually
	113	need to offer telnet access) or install telnetd-ssl so that there is at
	114	least some chance that telnet sessions will not be sending unencrypted
	115	login/password and session information over the network.
	116
	117	Template: ssh/encrypted_host_key_but_no_keygen
	118	Type: note
	119	_Description: Warning: you must create a new host key
	120	There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
	121	can not handle this host key file, and I can't find the ssh-keygen utility
	122	from the old (non-free) SSH installation.
	123	.
	124	You will need to generate a new host key.
	125
	126	Template: ssh/SUID_client
	127	Type: boolean
	128	Default: true
	129	_Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
	130	You have the option of installing the ssh-keysign helper with the SUID bit
	131	set.
	132	.
	133	If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
	134	host-based authentication.
	135	.
	136	If in doubt, I suggest you install it with SUID. If it causes problems
	137	you can change your mind later by running: dpkg-reconfigure ssh
	138
	139	Template: ssh/run_sshd
	140	Type: boolean
	141	Default: true
	142	_Description: Do you want to run the sshd server ?
	143	This package contains both the ssh client, and the sshd server.
	144	.
	145	Normally the sshd Secure Shell Server will be run to allow remote logins
	146	via ssh.
	147	.
	148	If you are only interested in using the ssh client for outbound
	149	connections on this machine, and don't want to log into it at all using
	150	ssh, then you can disable sshd here.
	151
	152	Template: ssh/user_environment_tell
	153	Type: note
	154	_Description: Environment options on keys have been deprecated
	155	This version of OpenSSH disables the environment option for public keys by
	156	default, in order to avoid certain attacks (for example, LD_PRELOAD). If
	157	you are using this option in an authorized_keys file, beware that the keys
	158	in question will no longer work until the option is removed.
	159	.
	160	To re-enable this option, set "PermitUserEnvironment yes" in
	161	/etc/ssh/sshd_config after the upgrade is complete, taking note of the
	162	warning in the sshd_config(5) manual page.