Diffstat (limited to 'debian/templates')
-rw-r--r-- debian/templates 229
1 files changed, 229 insertions, 0 deletions
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..a9b4394d4
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,229 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation
5 option. This significantly reduces the quantity of code that runs as
6 root, and therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any
9 PAM session modules that need to run as root (pam_mkhomedir, for
10 example) will fail, and PAM keyboard-interactive authentication
11 won't work.
12 .
13 Privilege separation is turned on by default, so if you decide you
14 want it turned off, you need to add "UsePrivilegeSeparation no" to
15 /etc/ssh/sshd_config
16 .
17 NB! If you are running a 2.0 series Linux kernel, then privilege
18 separation will not work at all, and your sshd will fail to start
19 unless you explicity turn privilege separation off.
20
21Template: ssh/privsep_ask
22Type: boolean
23Default: true
24Description: Enable Privilege separation
25 This version of OpenSSH contains the new privilege separation
26 option. This significantly reduces the quantity of code that runs as
27 root, and therefore reduces the impact of security holes in sshd.
28 .
29 Unfortunately, privilege separation interacts badly with PAM. Any
30 PAM session modules that need to run as root (pam_mkhomedir, for
31 example) will fail, and PAM keyboard-interactive authentication
32 won't work.
33 .
34 Since you've opted to have me generate an sshd_config file for you,
35 you can choose whether or not to have Privilege Separation turned on
36 or not. Unless you are running 2.0 (in which case you *must* say no
37 here or your sshd won't start at all) or know you need to use PAM
38 features that won't work with this option, you should say yes here.
39
40Template: ssh/new_config
41Type: boolean
42Default: true
43Description: Generate new configuration file
44 This version of OpenSSH has a considerably changed configuration file from
45 the version shipped in Debian 'Potato', which you appear to be upgrading from.
46 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
47 will work with the new server version, but will not contain any customisations
48 you made with the old version.
49 .
50 Please note that this new configuration file will set the value of
51 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
52 ssh directly in as root). It is the opinion of the maintainer that this is
53 the correct default (see README.Debian for more details), but you can always
54 edit sshd_config and set it to no if you wish.
55 .
56 It is strongly recommended that you let me generate a new configuration file
57 for you
58
59Template: ssh/protocol2_only
60Type: boolean
61Default: true
62Description: Allow SSH protocol 2 only
63 This version of OpenSSH supports version 2 of the ssh protocol, which
64 is much more secure. Disabling ssh 1 is encouraged, however this
65 will slow things down on low end machines and might prevent older
66 clients from connecting (the ssh client shipped with "potato" is affected).
67 .
68 Also please note that keys used for protocol 1 are different so you will
69 not be able to use them if you only allow protocol 2 connections.
70 .
71 If you later change your mind about this setting, README.Debian has
72 instructions on what to do to your sshd_config file.
73
74Template: ssh/ssh2_keys_merged
75Type: note
76Description: ssh2 keys merged in configuration files
77 As of version 3 OpenSSH no longer uses separate files for ssh1 and
78 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
79 are no longer needed. They will still be read in order to maintain
80 backwards compatibility
81
82Template: ssh/use_old_init_script
83Type: boolean
84Default: false
85Description: Do you want to continue (and risk killing active ssh sessions) ?
86 The version of /etc/init.d/ssh that you have installed, is likely to kill
87 all running sshd instances. If you are doing this upgrade via an ssh
88 session, that would be a Bad Thing(tm).
89 .
90 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
91 start-stop-daemon line in the stop section of the file.
92Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
93 Die Version von /etc/init.d/ssh, die sie installiert haben, wird
94 vermutlich ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
95 via ssh erledigen, dann ist das ein Problem.
96 .
97 Sie koennen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
98 an die start-stop-daemon Zeile in dem Bereich stop der Datei
99 /etc/init.d/ssh ergaenzen.
100Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ?
101 Il est probable que la version de /etc/init.d/ssh install=E9e en ce moment
102 tue toutes les instances de sshd lanc=E9es en ce moment. Si vous faite une
103 mise =E0 jour via ssh, ca serait une Mauvaise Chose(tm).
104 .
105 Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid'
106 a la ligne 'start-stop-daemon' dans la section 'stop' du fichier.
107
108Template: ssh/forward_warning
109Type: note
110Description: NOTE: Forwarding of X11 and Authorization disabled by default.
111 For security reasons, the Debian version of ssh has ForwardX11 and
112 ForwardAgent set to ``off'' by default.
113 .
114 You can enable it for servers you trust, either
115 in one of the configuration files, or with the -X command line option.
116 .
117 More details can be found in /usr/share/doc/ssh/README.Debian
118Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
119 Aus Sicherheitsgruenden haben die Debian Pakete von ssh ForwardX11 und
120 ForwardAgent auf "off" gesetzt.
121 .
122 Sie koenne dies fuer Server denen Sie trauen, entweder per Eintrag im
123 den Konfigurations Dateien oder per -X Kommando-Zeilen Option aendern.
124 .
125 Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
126Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d=E9sactiv=E9s par d=E9faut.
127 Pour des raisons de s=E9curit=E9, la version Debian de ssh positionne les
128 options ForwardX11 et ForwardAgent a ``Off'' par d=E9faut.
129 .
130 Vous pouvez activer ces options pour les serveurs en lesquels vous avez
131 confiance, soit dans un des fichiers de configuration, soit avec l'option
132 -X de la ligne de commande.
133 .
134 Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
135
136Template: ssh/insecure_rshd
137Type: note
138Description: Warning: rsh-server is installed --- probably not a good idea
139 having rsh-server installed undermines the security that you were probably
140 wanting to obtain by installing ssh. I'd advise you to remove that package.
141Description-de: Warnung: rsh-server ist installiert --- moeglicherweise
142 ist es eine schlechte Idee den rsh-server installiert zu haben, da er
143 die Sicherheit untergraebt. Wir empfehlen das Paket zu entfernen.
144Description-fr: Attention: le paquet rsh-server est install=E9 --- ce n'estprobablement pas une bonne id=E9e
145 Avoir un serveur rsh install=E9 affaibli la s=E9curit=E9 que vous vouliez
146 probablement obtenir en installant ssh. Je vous conseillerais de
147 d=E9installer ce paquet.
148
149Template: ssh/insecure_telnetd
150Type: note
151Description: Warning: telnetd is installed --- probably not a good idea
152 I'd advise you to either remove the telnetd package (if you don't actually
153 need to offer telnet access) or install telnetd-ssl so that there is at
154 least some chance that telnet sessions will not be sending unencrypted
155 login/password and session information over the network.
156Description-de: Warnung: telnetd ist installiert --- schlechte Idee
157 Wir empfehlen das telnetd Paket zu entfernen (wenn sie keine telnet Zugang
158 anbieten) oder telnetd-ssl zu installieren, so dass die Moeglichkeit besteht
159 dass das Login und Password nicht unverschluesselt durch das Netz gesendet
160 werden.
161Description-fr: Attention: le paquet telnetd est install=E9 --- ce n'est probablement pas une bonne id=E9e
162 Je vous conseillerais de, soit enlever le paquet telnetd (si ce service
163 n'est pas n=E9cessaire), soit de le remplacer par le paquet telnetd-ssl
164 pour qu'il y ait au moins une chance que les sessions telnet soient
165 encrypt=E9es et que les mot de passes et logins ne passent pas en clair sur
166 le r=E9seau.
167
168Template: ssh/encrypted_host_key_but_no_keygen
169Type: note
170Description: Warning: you must create a new host key
171 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
172 OpenSSH can not handle this host key file, and I can't find the
173 ssh-keygen utility from the old (non-free) SSH installation.
174 .
175 You will need to generate a new host key.
176Description-de: Warnung: Sie muessen einen neuen Host Key erzeugen
177 Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
178 per IDEA verschluesselt ist. OpenSSH kann eine solche Host Key Datei
179 nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
180 kann nicht gefunden werden.
181Description-fr: Attention: vous devez cr=E9er une nouvelle cl=E9 d'h=F4te
182 Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt=E9 avec IDEA.
183 OpenSSH ne peut utiliser ce fichier de cl=E9, et je ne peux trouver
184 l'utilitaire ssh-keygen de l'installation pr=E9c=E9dente (non libre) de SSH.
185
186Template: ssh/SUID_client
187Type: boolean
188Default: true
189Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
190 You have the option of installing the ssh-keysign helper with the SUID
191 bit set.
192 .
193 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
194 host-based authentication.
195 .
196 If in doubt, I suggest you install it with SUID. If it causes
197 problems you can change your mind later by running: dpkg-reconfigure ssh
198
199Template: ssh/run_sshd
200Type: boolean
201Default: true
202Description: Do you want to run the sshd server ?
203 This package contains both the ssh client, and the sshd server.
204 .
205 Normally the sshd Secure Shell Server will be run to allow remote
206 logins via ssh.
207 .
208 If you are only interested in using the ssh client for outbound
209 connections on this machine, and don't want to log into it at all
210 using ssh, then you can disable sshd here.
211Description-de: Wollen Sie den sshd Server starten?
212 Das Paket enthaelt sowohl den client als auch den sshd server.
213 .
214 Normal wird der sshd Secure Shell Server fuer Remote Logins per ssh
215 gestartet.
216 .
217 Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechner
218 zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen,
219 dann koennen Sie hier den sshd abschalten.
220Description-fr: Voulez vous utiliser le serveur sshd ?
221 Ce paquet contient a la fois le client ssh et le serveur sshd.
222 .
223 Normalement le serveur sshd sera lanc=E9 pour permettre les logins distants
224 via ssh.
225 .
226 Si vous d=E9sirez seulement utiliser le client ssh pour vous connecter a
227 distance sur d'autres machines a partir de celle-ci, et que vous ne
228 voulez pas vous logguer sur cette machine a distance via ssh, alors vous
229 pouvez d=E9sactiver sshd maintenant.
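Review bot: In ssh/new_config (template line 46) the path is written /etc/ssh/sshd.config, while line 54 of the same template and line 15 of ssh/privsep_tell say sshd_config; change it to /etc/ssh/sshd_config so the prompt points the admin at the right file. The Description-fr blocks contain quoted-printable escapes (=E9, =E0, =F4) as literal text; if that is what the file holds, they need decoding to the file's character encoding before commit or the French prompts will show the escapes. The Description-de and Description-fr for ssh/encrypted_host_key_but_no_keygen (lines 176-184) omit the closing "You will need to generate a new host key" paragraph, which is the one instruction the note exists to give. "explicity" on line 19 should read "explicitly". Only some templates carry translations; the security-relevant ones (ssh/privsep_ask, ssh/new_config with its PermitRootLogin notice, ssh/protocol2_only, ssh/SUID_client) have none, so it would help to say in the commit message whether those are expected to follow.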