summaryrefslogtreecommitdiff
path: root/debian/openssh-server.templates
diff options
context:
space:
mode:
Diffstat (limited to 'debian/openssh-server.templates')
-rw-r--r--debian/openssh-server.templates68
1 files changed, 68 insertions, 0 deletions
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 000000000..6c7d3999d
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,68 @@
1# These templates have been reviewed by the debian-l10n-english
2# team
3#
4# If modifications/additions/rewording are needed, please ask
5# for an advice to debian-l10n-english@lists.debian.org
6#
7# Even minor modifications require translation updates and such
8# changes should be coordinated with translators and reviewers.
9#
10Template: ssh/use_old_init_script
11Type: boolean
12Default: false
13_Description: Do you want to risk killing active SSH sessions?
14 The currently installed version of /etc/init.d/ssh is likely to kill
15 all running sshd instances. If you are doing this upgrade via an SSH
16 session, you're likely to be disconnected and leave the upgrade
17 procedure unfinished.
18 .
19 This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to
20 the start-stop-daemon line in the stop section of the file.
21
22Template: ssh/encrypted_host_key_but_no_keygen
23Type: note
24_Description: New host key mandatory
25 The current host key, in /etc/ssh/ssh_host_key, is encrypted with the
26 IDEA algorithm. OpenSSH can not handle this host key file, and the
27 ssh-keygen utility from the old (non-free) SSH installation does not
28 appear to be available.
29 .
30 You need to manually generate a new host key.
31
32Template: ssh/disable_cr_auth
33Type: boolean
34Default: false
35_Description: Disable challenge-response authentication?
36 Password authentication appears to be disabled in the current OpenSSH
37 server configuration. In order to prevent users from logging in using
38 passwords (perhaps using only public key authentication instead) with
39 recent versions of OpenSSH, you must disable challenge-response
40 authentication, or else ensure that your PAM configuration does not allow
41 Unix password file authentication.
42 .
43 If you disable challenge-response authentication, then users will not be
44 able to log in using passwords. If you leave it enabled (the default
45 answer), then the 'PasswordAuthentication no' option will have no useful
46 effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
47
48Template: ssh/vulnerable_host_keys
49Type: note
50#flag:translate!:5
51_Description: Vulnerable host keys will be regenerated
52 Some of the OpenSSH server host keys on this system were generated with a
53 version of OpenSSL that had a broken random number generator. As a result,
54 these host keys are from a well-known set, are subject to brute-force
55 attacks, and must be regenerated.
56 .
57 Users of this system should be informed of this change, as they will be
58 prompted about the host key change the next time they log in. Use
59 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade to print the
60 fingerprints of the new host keys.
61 .
62 The affected host keys are:
63 .
64 ${HOST_KEYS}
65 .
66 User keys may also be affected by this problem. The 'ssh-vulnkey' command
67 may be used as a partial test for this. See
68 /usr/share/doc/openssh-server/README.compromised-keys.gz for more details.