1 files changed, 86 insertions, 0 deletions
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 000000000..3a7349a31
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,86 @@
+# These templates have been reviewed by the debian-l10n-english
+# team
+#
+# If modifications/additions/rewording are needed, please ask
+# for an advice to debian-l10n-english@lists.debian.org
+#
+# Even minor modifications require translation updates and such
+# changes should be coordinated with translators and reviewers.
+#
+Template: ssh/new_config
+Type: boolean
+Default: true
+_Description: Generate a new configuration file for OpenSSH?
+ This version of OpenSSH has a considerably changed configuration file from
+ the version shipped in Debian 'Potato', which you appear to be upgrading
+ from. This package can now generate a new configuration file
+ (/etc/ssh/sshd.config), which will work with the new server version, but
+ will not contain any customizations you made with the old version.
+ .
+ Please note that this new configuration file will set the value of
+ 'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password
+ can ssh directly in as root). Please read the README.Debian file for
+ more details about this design choice.
+ .
+ It is strongly recommended that you choose to generate a new
+ configuration file now.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+_Description: Do you want to risk killing active SSH sessions?
+ The currently installed version of /etc/init.d/ssh is likely to kill
+ all running sshd instances. If you are doing this upgrade via an SSH
+ session, you're likely to be disconnected and leave the upgrade
+ procedure unfinished.
+ .
+ This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to
+ the start-stop-daemon line in the stop section of the file.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+_Description: New host key mandatory
+ The current host key, in /etc/ssh/ssh_host_key, is encrypted with the
+ IDEA algorithm. OpenSSH can not handle this host key file, and the
+ ssh-keygen utility from the old (non-free) SSH installation does not
+ appear to be available.
+ .
+ You need to manually generate a new host key.
+Template: ssh/disable_cr_auth
+Type: boolean
+Default: false
+_Description: Disable challenge-response authentication?
+ Password authentication appears to be disabled in the current OpenSSH
+ server configuration. In order to prevent users from logging in using
+ passwords (perhaps using only public key authentication instead) with
+ recent versions of OpenSSH, you must disable challenge-response
+ authentication, or else ensure that your PAM configuration does not allow
+ Unix password file authentication.
+ .
+ If you disable challenge-response authentication, then users will not be
+ able to log in using passwords. If you leave it enabled (the default
+ answer), then the 'PasswordAuthentication no' option will have no useful
+ effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
+Template: ssh/vulnerable_host_keys
+Type: note
+#flag:translate!:5
+_Description: Vulnerable host keys will be regenerated
+ Some of the OpenSSH server host keys on this system were generated with a
+ version of OpenSSL that had a broken random number generator. As a result,
+ these host keys are from a well-known set, are subject to brute-force
+ attacks, and must be regenerated.
+ .
+ Users of this system should be informed of this change, as they will be
+ prompted about the host key change the next time they log in. Use
+ 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade to print the
+ fingerprints of the new host keys.
+ .
+ The affected host keys are:
+ .
+ ${HOST_KEYS}
+ .
+ User keys may also be affected by this problem. The 'ssh-vulnkey' command
+ may be used as a partial test for this. See
+ /usr/share/doc/openssh-server/README.compromised-keys.gz for more details.

diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates new file mode 100644 index 000000000..3a7349a31 --- /dev/null +++ b/debian/openssh-server.templates
@@ -0,0 +1,86 @@
	1	# These templates have been reviewed by the debian-l10n-english
	2	# team
	3	#
	4	# If modifications/additions/rewording are needed, please ask
	5	# for an advice to debian-l10n-english@lists.debian.org
	6	#
	7	# Even minor modifications require translation updates and such
	8	# changes should be coordinated with translators and reviewers.
	9	#
	10	Template: ssh/new_config
	11	Type: boolean
	12	Default: true
	13	_Description: Generate a new configuration file for OpenSSH?
	14	This version of OpenSSH has a considerably changed configuration file from
	15	the version shipped in Debian 'Potato', which you appear to be upgrading
	16	from. This package can now generate a new configuration file
	17	(/etc/ssh/sshd.config), which will work with the new server version, but
	18	will not contain any customizations you made with the old version.
	19	.
	20	Please note that this new configuration file will set the value of
	21	'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password
	22	can ssh directly in as root). Please read the README.Debian file for
	23	more details about this design choice.
	24	.
	25	It is strongly recommended that you choose to generate a new
	26	configuration file now.
	27
	28	Template: ssh/use_old_init_script
	29	Type: boolean
	30	Default: false
	31	_Description: Do you want to risk killing active SSH sessions?
	32	The currently installed version of /etc/init.d/ssh is likely to kill
	33	all running sshd instances. If you are doing this upgrade via an SSH
	34	session, you're likely to be disconnected and leave the upgrade
	35	procedure unfinished.
	36	.
	37	This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to
	38	the start-stop-daemon line in the stop section of the file.
	39
	40	Template: ssh/encrypted_host_key_but_no_keygen
	41	Type: note
	42	_Description: New host key mandatory
	43	The current host key, in /etc/ssh/ssh_host_key, is encrypted with the
	44	IDEA algorithm. OpenSSH can not handle this host key file, and the
	45	ssh-keygen utility from the old (non-free) SSH installation does not
	46	appear to be available.
	47	.
	48	You need to manually generate a new host key.
	49
	50	Template: ssh/disable_cr_auth
	51	Type: boolean
	52	Default: false
	53	_Description: Disable challenge-response authentication?
	54	Password authentication appears to be disabled in the current OpenSSH
	55	server configuration. In order to prevent users from logging in using
	56	passwords (perhaps using only public key authentication instead) with
	57	recent versions of OpenSSH, you must disable challenge-response
	58	authentication, or else ensure that your PAM configuration does not allow
	59	Unix password file authentication.
	60	.
	61	If you disable challenge-response authentication, then users will not be
	62	able to log in using passwords. If you leave it enabled (the default
	63	answer), then the 'PasswordAuthentication no' option will have no useful
	64	effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
	65
	66	Template: ssh/vulnerable_host_keys
	67	Type: note
	68	#flag:translate!:5
	69	_Description: Vulnerable host keys will be regenerated
	70	Some of the OpenSSH server host keys on this system were generated with a
	71	version of OpenSSL that had a broken random number generator. As a result,
	72	these host keys are from a well-known set, are subject to brute-force
	73	attacks, and must be regenerated.
	74	.
	75	Users of this system should be informed of this change, as they will be
	76	prompted about the host key change the next time they log in. Use
	77	'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade to print the
	78	fingerprints of the new host keys.
	79	.
	80	The affected host keys are:
	81	.
	82	${HOST_KEYS}
	83	.
	84	User keys may also be affected by this problem. The 'ssh-vulnkey' command
	85	may be used as a partial test for this. See
	86	/usr/share/doc/openssh-server/README.compromised-keys.gz for more details.