diff options
Diffstat (limited to 'debian/openssh-server.templates')
| -rw-r--r-- | debian/openssh-server.templates | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates new file mode 100644 index 000000000..6c7d3999d --- /dev/null +++ b/debian/openssh-server.templates | |||
| @@ -0,0 +1,68 @@ | |||
| 1 | # These templates have been reviewed by the debian-l10n-english | ||
| 2 | # team | ||
| 3 | # | ||
| 4 | # If modifications/additions/rewording are needed, please ask | ||
| 5 | # for an advice to debian-l10n-english@lists.debian.org | ||
| 6 | # | ||
| 7 | # Even minor modifications require translation updates and such | ||
| 8 | # changes should be coordinated with translators and reviewers. | ||
| 9 | # | ||
| 10 | Template: ssh/use_old_init_script | ||
| 11 | Type: boolean | ||
| 12 | Default: false | ||
| 13 | _Description: Do you want to risk killing active SSH sessions? | ||
| 14 | The currently installed version of /etc/init.d/ssh is likely to kill | ||
| 15 | all running sshd instances. If you are doing this upgrade via an SSH | ||
| 16 | session, you're likely to be disconnected and leave the upgrade | ||
| 17 | procedure unfinished. | ||
| 18 | . | ||
| 19 | This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to | ||
| 20 | the start-stop-daemon line in the stop section of the file. | ||
| 21 | |||
| 22 | Template: ssh/encrypted_host_key_but_no_keygen | ||
| 23 | Type: note | ||
| 24 | _Description: New host key mandatory | ||
| 25 | The current host key, in /etc/ssh/ssh_host_key, is encrypted with the | ||
| 26 | IDEA algorithm. OpenSSH can not handle this host key file, and the | ||
| 27 | ssh-keygen utility from the old (non-free) SSH installation does not | ||
| 28 | appear to be available. | ||
| 29 | . | ||
| 30 | You need to manually generate a new host key. | ||
| 31 | |||
| 32 | Template: ssh/disable_cr_auth | ||
| 33 | Type: boolean | ||
| 34 | Default: false | ||
| 35 | _Description: Disable challenge-response authentication? | ||
| 36 | Password authentication appears to be disabled in the current OpenSSH | ||
| 37 | server configuration. In order to prevent users from logging in using | ||
| 38 | passwords (perhaps using only public key authentication instead) with | ||
| 39 | recent versions of OpenSSH, you must disable challenge-response | ||
| 40 | authentication, or else ensure that your PAM configuration does not allow | ||
| 41 | Unix password file authentication. | ||
| 42 | . | ||
| 43 | If you disable challenge-response authentication, then users will not be | ||
| 44 | able to log in using passwords. If you leave it enabled (the default | ||
| 45 | answer), then the 'PasswordAuthentication no' option will have no useful | ||
| 46 | effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. | ||
| 47 | |||
| 48 | Template: ssh/vulnerable_host_keys | ||
| 49 | Type: note | ||
| 50 | #flag:translate!:5 | ||
| 51 | _Description: Vulnerable host keys will be regenerated | ||
| 52 | Some of the OpenSSH server host keys on this system were generated with a | ||
| 53 | version of OpenSSL that had a broken random number generator. As a result, | ||
| 54 | these host keys are from a well-known set, are subject to brute-force | ||
| 55 | attacks, and must be regenerated. | ||
| 56 | . | ||
| 57 | Users of this system should be informed of this change, as they will be | ||
| 58 | prompted about the host key change the next time they log in. Use | ||
| 59 | 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade to print the | ||
| 60 | fingerprints of the new host keys. | ||
| 61 | . | ||
| 62 | The affected host keys are: | ||
| 63 | . | ||
| 64 | ${HOST_KEYS} | ||
| 65 | . | ||
| 66 | User keys may also be affected by this problem. The 'ssh-vulnkey' command | ||
| 67 | may be used as a partial test for this. See | ||
| 68 | /usr/share/doc/openssh-server/README.compromised-keys.gz for more details. | ||