diff options
Diffstat (limited to 'debian/openssh-server.templates.master')
-rw-r--r-- | debian/openssh-server.templates.master | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/debian/openssh-server.templates.master b/debian/openssh-server.templates.master new file mode 100644 index 000000000..af4d4e9f8 --- /dev/null +++ b/debian/openssh-server.templates.master | |||
@@ -0,0 +1,95 @@ | |||
1 | Template: ssh/new_config | ||
2 | Type: boolean | ||
3 | Default: true | ||
4 | _Description: Generate new configuration file | ||
5 | This version of OpenSSH has a considerably changed configuration file from | ||
6 | the version shipped in Debian 'Potato', which you appear to be upgrading | ||
7 | from. I can now generate you a new configuration file | ||
8 | (/etc/ssh/sshd.config), which will work with the new server version, but | ||
9 | will not contain any customisations you made with the old version. | ||
10 | . | ||
11 | Please note that this new configuration file will set the value of | ||
12 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password | ||
13 | can ssh directly in as root). It is the opinion of the maintainer that | ||
14 | this is the correct default (see README.Debian for more details), but you | ||
15 | can always edit sshd_config and set it to no if you wish. | ||
16 | . | ||
17 | It is strongly recommended that you let me generate a new configuration | ||
18 | file for you. | ||
19 | |||
20 | Template: ssh/protocol2_only | ||
21 | Type: boolean | ||
22 | Default: true | ||
23 | _Description: Allow SSH protocol 2 only | ||
24 | This version of OpenSSH supports version 2 of the ssh protocol, which is | ||
25 | much more secure. Disabling ssh 1 is encouraged, however this will slow | ||
26 | things down on low end machines and might prevent older clients from | ||
27 | connecting (the ssh client shipped with "potato" is affected). | ||
28 | . | ||
29 | Also please note that keys used for protocol 1 are different so you will | ||
30 | not be able to use them if you only allow protocol 2 connections. | ||
31 | . | ||
32 | If you later change your mind about this setting, README.Debian has | ||
33 | instructions on what to do to your sshd_config file. | ||
34 | |||
35 | Template: ssh/use_old_init_script | ||
36 | Type: boolean | ||
37 | Default: false | ||
38 | _Description: Do you want to continue (and risk killing active ssh sessions)? | ||
39 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
40 | all running sshd instances. If you are doing this upgrade via an ssh | ||
41 | session, that would be a Bad Thing(tm). | ||
42 | . | ||
43 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
44 | start-stop-daemon line in the stop section of the file. | ||
45 | |||
46 | Template: ssh/forward_warning | ||
47 | Type: note | ||
48 | _Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
49 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
50 | ForwardAgent set to ``off'' by default. | ||
51 | . | ||
52 | You can enable it for servers you trust, either in one of the | ||
53 | configuration files, or with the -X command line option. | ||
54 | . | ||
55 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
56 | |||
57 | Template: ssh/insecure_rshd | ||
58 | Type: note | ||
59 | _Description: Warning: rsh-server is installed --- probably not a good idea | ||
60 | having rsh-server installed undermines the security that you were probably | ||
61 | wanting to obtain by installing ssh. I'd advise you to remove that | ||
62 | package. | ||
63 | |||
64 | Template: ssh/insecure_telnetd | ||
65 | Type: note | ||
66 | _Description: Warning: telnetd is installed --- probably not a good idea | ||
67 | I'd advise you to either remove the telnetd package (if you don't actually | ||
68 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
69 | least some chance that telnet sessions will not be sending unencrypted | ||
70 | login/password and session information over the network. | ||
71 | |||
72 | Template: ssh/encrypted_host_key_but_no_keygen | ||
73 | Type: note | ||
74 | _Description: Warning: you must create a new host key | ||
75 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH | ||
76 | can not handle this host key file, and I can't find the ssh-keygen utility | ||
77 | from the old (non-free) SSH installation. | ||
78 | . | ||
79 | You will need to generate a new host key. | ||
80 | |||
81 | Template: ssh/disable_cr_auth | ||
82 | Type: boolean | ||
83 | Default: false | ||
84 | _Description: Disable challenge-response authentication? | ||
85 | Password authentication appears to be disabled in your current OpenSSH | ||
86 | server configuration. In order to prevent users from logging in using | ||
87 | passwords (perhaps using only public key authentication instead) with | ||
88 | recent versions of OpenSSH, you must disable challenge-response | ||
89 | authentication, or else ensure that your PAM configuration does not allow | ||
90 | Unix password file authentication. | ||
91 | . | ||
92 | If you disable challenge-response authentication, then users will not be | ||
93 | able to log in using passwords. If you leave it enabled (the default | ||
94 | answer), then the 'PasswordAuthentication no' option will have no useful | ||
95 | effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. | ||