Diffstat (limited to 'debian')
-rw-r--r--  debian/README.Debian  209
-rw-r--r--  debian/changelog  1114
-rw-r--r--  debian/conffiles  5
-rw-r--r--  debian/config  99
-rw-r--r--  debian/control  48
-rw-r--r--  debian/copyright.head  36
-rw-r--r--  debian/dirs  8
-rw-r--r--  debian/gnome-ssh-askpass.1  51
-rw-r--r--  debian/init  73
-rw-r--r--  debian/postinst  342
-rw-r--r--  debian/postinst.old  269
-rw-r--r--  debian/postrm  19
-rw-r--r--  debian/preinst  79
-rw-r--r--  debian/prerm  44
-rwxr-xr-x  debian/rules  105
-rw-r--r--  debian/ssh-argv0  30
-rw-r--r--  debian/ssh-argv0.1  64
-rw-r--r--  debian/ssh-askpass-gnome.copyright  44
-rw-r--r--  debian/ssh-askpass-gnome.dirs  2
-rw-r--r--  debian/ssh-askpass-gnome.postinst  53
-rw-r--r--  debian/ssh-askpass-gnome.prerm  41
-rw-r--r--  debian/ssh.default  5
-rw-r--r--  debian/ssh.pam  21
-rw-r--r--  debian/templates  163
-rw-r--r--  debian/templates.da  253
-rw-r--r--  debian/templates.de  95
-rw-r--r--  debian/templates.es  266
-rw-r--r--  debian/templates.fr  278
-rw-r--r--  debian/templates.ja  205
-rw-r--r--  debian/templates.pl  264
-rw-r--r--  debian/templates.pt_BR  181
-rw-r--r--  debian/templates.ru  207
32 files changed, 4673 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..13d005ac0
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,209 @@
1OpenSSH for Debian
2------------------
3
4Although this package is widely referred to as OpenSSH, it is actually
5a branch of an early version of ssh which has been tidied up by the
6OpenBSD folks.
7
8It has been decided that this version should have the privilege of
9carrying the ``ssh'' name in Debian, since it is the only version of
10ssh that is going to make it into Debian proper, being the only one
11that complies with the Debian Free Software Guidelines.
12
13If you were expecting to get the non-free version of ssh (1.2.27 or
14whatever) when you installed this package, then you're out of luck, as
15Debian don't ship it.
16
17=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18
19Privilege Separation
20--------------------
21
22As of 3.3, openssh has employed privilege separation to reduce the
23quantity of code that runs as root, thereby reducing the impact of
24some security holes in sshd.
25
26Unfortunately, privilege separation interacts badly with PAM. Any PAM
27session modules that need to run as root (pam_mkhomedir, for example)
28will fail, and PAM keyboard-interactive authentication won't work.
29
30Privilege separation is turned on by default, so if you decide you
31want it turned off, you need to add "UsePrivilegeSeparation no" to
32/etc/ssh/sshd_config
33
34NB! If you are running a 2.0 series Linux kernel, then privilege
35separation will not work at all, and your sshd will fail to start
36unless you explicity turn privilege separation off.
37
38
39PermitRootLogin set to yes
40--------------------------
41
42This is now the default setting (in line with upstream), and people
43who asked for an automatically-generated configuration file when
44upgrading from potato (or on a new install) will have this setting in
45their /etc/ssh/sshd_config file.
46
47Should you wish to change this setting, edit /etc/ssh/sshd_config, and
48change:
49PermitRootLogin yes
50to:
51PermitRootLogin no
52
53Having PermitRootLogin set to yes means that an attacker that knows
54the root password can ssh in directly (without having to go via a user
55account). If you set it to no, then they must compromise a normal user
56account. In the vast majority of cases, this does not give added
57security; remember that any account you su to root from is equivalent
58to root - compromising this account gives an attacker access to root
59easily. If you only ever log in as root from the physical console,
60then you probably want to set this value to no.
61
62As an aside, PermitRootLogin can also be set to "without-password" or
63"forced-commands-only" - see sshd(8) for more details.
64
65DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
66
67The argument above is somewhat condensed; I have had this discussion
68at great length with many people. If you think the default is
69incorrect, and feel strongly enough to want to argue with me about it,
70then send me email to matthew@debian.org. I will close bug reports
71claiming the default is incorrect.
72
73SSH now uses protocol 2 by default
74----------------------------------
75
76This means all your keyfiles you used for protocol version 1 need to
77be re-generated. The server keys are done automatically, but for RSA
78authentication, please read the ssh-keygen manpage.
79
80If you have an automatically generated configuration file, and decide
81at a later stage that you do want to support protocol version 1 (not
82recommended, but note that the ssh client shipped with Debian potato
83only supported protocol version 1), then you need to do the following:
84
85Change /etc/ssh/sshd_config such that:
86Protocol 2
87becomes:
88Protocol 2,1
89Also add the line:
90HostKey /etc/ssh/ssh_host_key
91
92(you may need to generate a host key if you do not already have one)
93
94/usr/bin/ssh not SUID:
95----------------------
96If you have not installed debconf, you'll have missed the chance to
97install ssh SUID, which means you won't be able to do Rhosts
98authentication. If that upsets you, use:
99
100 dpkg-statoverride
101
102or if that's also missing, use this:
103
104 chown root.root /usr/bin/ssh
105 chmod 04755 /usr/bin/ssh
106
107X11 Forwarding:
108---------------
109ssh's default for ForwardX11 has been changed to ``no'' because it has
110been pointed out that logging into remote systems administered by
111untrusted people is likely to open you up to X11 attacks, so you
112should have to actively decide that you trust the remote machine's
113root, before enabling X11. I strongly recommend that you do this on a
114machine-by-machine basis, rather than just enabling it in the default
115host settings.
116
117In order for X11 forwarding to work, you need to install xauth on the
118server. In Debian this is in the xbase-clients package.
119
120Authorization Forwarding:
121-------------------------
122Similarly, root on a remote server could make use of your ssh-agent
123(while you're logged into their machine) to obtain access to machines
124which trust your keys. This feature is therefore disabled by default.
125You should only re-enable it for those hosts (in your ~/.ssh/config or
126/etc/ssh/ssh_config) where you are confident that the remote machine
127is not a threat.
128
129Fallback to RSH:
130----------------
131The default for this setting has been changed from Yes to No, for
132security reasons, and to stop the delay attempting to rsh to machines
133that don't offer the service. Simply switch it back on in either
134/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
135it for.
136
137Problems logging in with RSA authentication:
138--------------------------------------------
139If you have trouble logging in with RSA authentication then the
140problem is probably caused by the fact that you have your home
141directory writable by group, as well as user (this is the default on
142Debian systems).
143
144Depending upon other settings on your system (i.e. other users being
145in your group) this could open a security hole, so you will need to
146make your home directory writable only by yourself. Run this command,
147as yourself:
148
149 chmod g-w ~/
150
151to remove group write permissions. If you use ssh-copy-id to install your
152keys, it does this for you.
153
154-L option of ssh nonfree:
155-------------------------
156non-free ssh supported the usage of the option -L to use a non privileged
157port for scp. This option will not be supported by scp from openssh.
158
159Please use instead scp -o "UsePrivilegedPort=no" as documented in the
160manpage to scp itself.
161
162Problem logging in because of TCP-Wrappers:
163-------------------------------------------
164ssh is compiled with support for tcp-wrappers. So if you can no longer
165log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
166are configured so that ssh is not blocked.
167
168Kerberos Authentication:
169------------------------
170ssh is compiled without support for kerberos authentication, and there are
171no current plans to support this. Thus the KerberosAuthentication and
172KerberosTgtPassing options will not be recognised.
173
174Setgid ssh-agent and environment variables:
175-------------------------------------------
176ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace()
177attacks retrieving private key material. This has the side-effect of causing
178glibc to remove certain environment variables which might have security
179implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
180TMPDIR.
181
182If you need to set any of these environment variables, you will need to do
183so in the program exec()ed by ssh-agent. This may involve creating a small
184wrapper script.
185
186Symlink Hostname invocation:
187----------------------------
188This version of ssh no longer includes support for invoking ssh with the
189hostname as the name of the file run. People wanting this support should
190use the ssh-argv0 script.
191
192Interoperability between scp and the ssh.com SSH server:
193--------------------------------------------------------
194In version 2 and greater of the commercial SSH server produced by SSH
195Communications Security, scp was changed to use SFTP (SSH2's file transfer
196protocol) instead of the traditional rcp-over-ssh, thereby breaking
197compatibility. The OpenSSH developers regard this as a bug in the ssh.com
198server, and do not currently intend to change OpenSSH's scp to match.
199
200Workarounds for this problem are to install scp1 on the server (scp2 will
201fall back to it), to use sftp, or to use some other transfer mechanism such
202as rsync-over-ssh or tar-over-ssh.
203
204--
205Matthew Vernon
206<matthew@debian.org>
207and
208Colin Watson
209<cjwatson@debian.org>
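Review bot: The "/usr/bin/ssh not SUID" section (README lines 94-105) still tells users to make the ssh client setuid root with dpkg-statoverride or "chmod 04755 /usr/bin/ssh", which conflicts with the changelog added in this same commit: 1:3.3p1-0.0woody1 records "Support setuid ssh-keysign binary instead of setuid ssh client", and 1:3.4p1-1 removes the package's own statoverride on /usr/bin/ssh. Suggest rewriting or dropping the section so the README does not steer people toward a setuid-root client that the packaging has moved away from. If it stays, give the full dpkg-statoverride invocation instead of the bare command name, and write the owner as "root:root" rather than "root.root". Minor: README line 36 has "explicity" for "explicitly", and the "PermitRootLogin set to yes" section would be easier to act on if the two config lines (49 and 51) were indented like the command examples further down.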
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000..532567f8d
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1114 @@
1openssh (1:3.6p1-1) unstable; urgency=low
2
3 * New upstream release.
4 - Workaround applied upstream for a bug in the interaction of glibc's
5 getaddrinfo() with the Linux 2.2 kernel (closes: #155814).
6 - As such, it should now be safe to remove --with-ipv4-default, so
7 starting sshd with -6 is no longer necessary (closes: #79861 and lots
8 of other merged bugs).
9 - ssh-copy-id prints usage when run without arguments (closes: #71376).
10 - scp exits 1 if ssh fails (closes: #138400).
11 - sshd writes to utmp's ut_addr_v6 field in IPv6 mode (closes: #167867).
12 - 'ssh-add -c' causes ssh-agent to ask the user each time a key is used
13 (closes: #109795).
14 * Install /etc/default/ssh non-executable (closes: #185537).
15
16 -- Colin Watson <cjwatson@debian.org> Mon, 31 Mar 2003 23:00:59 +0100
17
18openssh (1:3.5p1-5) unstable; urgency=low
19
20 * Add /etc/default/ssh (closes: #161049).
21 * Run the init script under 'set -e' (closes: #175010).
22 * Change the default superuser path to include /sbin, /usr/sbin, and
23 /usr/local/sbin (closes: #128235, #151267). Using login.defs would be
24 nice, but that belongs to another package. Without a defined API to
25 retrieve its settings, parsing it is off-limits.
26 * Build ssh-askpass-gnome with GNOME 2. The source package should still
27 support building on stable with GNOME 1, using the alternate
28 libgnome-dev build-dependency (thanks, Colin Walters; closes: #167582).
29
30 -- Colin Watson <cjwatson@debian.org> Sun, 9 Mar 2003 20:12:10 +0000
31
32openssh (1:3.5p1-4) unstable; urgency=low
33
34 * Point rlogin and rcp alternatives at slogin and scp respectively rather
35 than ssh (closes: #121103, #151666). Fix alternative removal to match;
36 previously it was completely wrong anyway.
37 * Find out whether /etc/ssh/sshd_not_to_be_run exists and set the debconf
38 question's default using that information, rather than using debconf as
39 a registry. Other solutions may be better in the long run, but this is
40 at least correct (thanks, Matthew Woodcraft; closes: #84725).
41 * Stop using pam_lastlog, as it doesn't currently work well as a session
42 module when privilege separation is enabled; it can usually read
43 /var/log/lastlog but can't write to it. Instead, just use sshd's
44 built-in support, already enabled by default (closes: #151297, #169938).
45 * Use 'ssh-keygen -q' rather than redirecting output to /dev/null.
46 * Add a "this may take some time" warning when creating host keys on
47 installation (part of #110094).
48 * When restarting via the init script, check for sshd_not_to_be_run after
49 stopping sshd (idea from Tomas Pospisek; closes: #149850).
50 * Append /usr/sbin:/sbin to the init script's $PATH, just in case of
51 strangeness (closes: #115138).
52 * Fix a dpkg-statoverride call to redirect stdout to /dev/null, not
53 stderr.
54 * Correct copyright file typo: "orignal" -> "original" (closes: #176490).
55 * Rebuild with libssl0.9.7 (closes: #176983).
56 * We're up to policy version 3.5.6. DEB_BUILD_OPTIONS stuff still needs to
57 be looked at.
58
59 -- Colin Watson <cjwatson@debian.org> Sat, 18 Jan 2003 01:37:23 +0000
60
61openssh (1:3.5p1-3) unstable; urgency=low
62
63 * Happy new year!
64 * Use getent rather than id to find out whether the sshd user exists
65 (closes: #150974).
66 * Remove some duplication from the postinst's ssh-keysign setuid code.
67 * Replace db_text with db_input throughout debian/config. (db_text has
68 been a compatibility wrapper since debconf 0.1.5.)
69 * Warn about PermitUserEnvironment on upgrade (closes: #167895).
70 * Use 'make install-nokeys', and disable unused debhelper commands,
71 thereby forward-porting the last pieces of Zack Weinberg's patch
72 (closes: #68341).
73 * Move the man page for gnome-ssh-askpass from the ssh package to
74 ssh-askpass-gnome (closes: #174449).
75 * Build with -DLOGIN_NO_ENDOPT, since Debian's /bin/login doesn't accept
76 '--' to terminate the list of options (closes: #171554).
77 * Add Jonathan Amery's ssh-argv0 script (closes: #111341).
78 * Update Danish debconf template (thanks, Morten Brix Pedersen;
79 closes: #174757).
80 * Document setgid ssh-agent's effect on certain environment variables in
81 README.Debian (closes: #167974).
82 * Document interoperability problems between scp and ssh.com's server in
83 README.Debian, and suggest some workarounds (closes: #174662).
84
85 -- Colin Watson <cjwatson@debian.org> Wed, 1 Jan 2003 14:18:30 +0000
86
87openssh (1:3.5p1-2) unstable; urgency=low
88
89 * Mention in the ssh package description that it provides both ssh and
90 sshd (closes: #99680).
91 * Create a system group for ssh-agent, not a user group (closes: #167669).
92
93 -- Colin Watson <cjwatson@debian.org> Mon, 4 Nov 2002 13:43:53 +0000
94
95openssh (1:3.5p1-1) unstable; urgency=low
96
97 * New upstream release.
98 - Fixes typo in ssh-add usage (closes: #152239).
99 - Fixes 'PermitRootLogin forced-commands-only' (closes: #166184).
100 - ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys
101 are deprecated for security reasons and will eventually go away. For
102 now they can be re-enabled by setting 'PermitUserEnvironment yes' in
103 sshd_config.
104 - ssh-agent is installed setgid to prevent ptrace() attacks. The group
105 actually doesn't matter, as it drops privileges immediately, but to
106 avoid confusion the postinst creates a new 'ssh' group for it.
107 * Obsolete patches:
108 - Solar Designer's privsep+compression patch for Linux 2.2 (see
109 1:3.3p1-0.0woody1).
110 - Hostbased auth ssh-keysign backport (see 1:3.4p1-4).
111
112 * Remove duplicated phrase in ssh_config(5) (closes: #152404).
113 * Source the debconf confmodule at the top of the postrm rather than at
114 the bottom, to avoid making future non-idempotency problems worse (see
115 #151035).
116 * Debconf templates:
117 - Add Polish (thanks, Grzegorz Kusnierz).
118 - Update French (thanks, Denis Barbier; closes: #132509).
119 - Update Spanish (thanks, Carlos Valdivia YagЭe; closes: #164716).
120 * Write a man page for gnome-ssh-askpass, and link it to ssh-askpass.1 if
121 this is the selected ssh-askpass alternative (closes: #67775).
122
123 -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
124
125openssh (1:3.4p1-4) unstable; urgency=low
126
127 * Allow ssh-krb5 in ssh-askpass-gnome's dependencies (closes: #129532).
128 * Restore Russia to list of countries where encryption is problematic (see
129 #148951 and http://www.average.org/freecrypto/).
130 * Drop ssh-askpass-gnome's priority to optional, per the override file.
131 * Drop the PAM special case for hurd-i386 (closes: #99157).
132 * s/dile/idle/ in ssh_config(5) (closes: #118331).
133 * Note in README.Debian that you need xauth from xbase-clients on the
134 server for X11 forwarding (closes: #140269).
135 * Use correct path to upstream README in copyright file (closes: #146037).
136 * Document the units for ProtocolKeepAlives (closes: #159479).
137 * Backport upstream patch to fix hostbased auth (closes: #117114).
138 * Add -g to CFLAGS.
139
140 -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 18:58:53 +0100
141
142openssh (1:3.4p1-3) unstable; urgency=low
143
144 * Add myself to Uploaders: and begin acting as temporary maintainer, at
145 Matthew's request. (Normal service will resume in some months' time.)
146 * Add sharutils to Build-Depends (closes: #138465).
147 * Stop creating the /usr/doc/ssh symlink.
148
149 * Fix some debconf template typos (closes: #160358).
150 * Split debconf templates into one file per language.
151 * Add debconf template translations:
152 - Brazilian Portuguese (thanks, Andre Luis Lopes; closes: #106173).
153 - Danish (thanks, Claus Hindsgaul; closes: #126607).
154 - Japanese (thanks, Tomohiro KUBOTA; closes: #137427).
155 - Russian (thanks, Ilgiz Kalmetev; closes: #136610).
156 - Spanish (thanks, Carlos Valdivia YagЭe; closes: #129041).
157 * Update debconf template translations:
158 - French (thanks, Igor Genibel; closes: #151361).
159 - German (thanks, Axel Noetzold; closes: #147069).
160 * Some of these translations are fuzzy. Please send updates.
161
162 -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 14:09:57 +0100
163
164openssh (1:3.4p1-2) unstable; urgency=high
165
166 * Get a security-fixed version into unstable
167 * Also tidy README.Debian up a little
168
169 -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 17:20:59 +0100
170
171openssh (1:3.4p1-1) testing; urgency=high
172
173 * Extend my tendrils back into this package (Closes: #150915, #151098)
174 * thanks to the security team for their work
175 * no thanks to ISS/Theo de Raadt for their handling of these bugs
176 * save old sshd_configs to sshd_config.dpkg-old when auto-generating a
177 new one
178 * tell/ask the user about PriviledgeSeparation
179 * /etc/init.d/ssh run will now create the chroot empty dir if necessary
180 * Remove our previous statoverride on /usr/bin/ssh (only for people
181 upgrading from a version where we'd put one in ourselves!)
182 * Stop slandering Russia, since someone asked so nicely (Closes: #148951)
183 * Reduce the sleep time in /etc/init.d/ssh during a restart
184
185 -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 15:52:10 +0100
186
187openssh (1:3.4p1-0.0woody1) testing-security; urgency=high
188
189 * NMU by the security team.
190 * New upstream version
191
192 -- Michael Stone <mstone@debian.org> Wed, 26 Jun 2002 15:40:38 -0400
193
194openssh (1:3.3p1-0.0woody4) testing-security; urgency=high
195
196 * NMU by the security team.
197 * fix error when /etc/ssh/sshd_config exists on new install
198 * check that user doesn't exist before running adduser
199 * use openssl internal random unconditionally
200
201 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 19:44:39 -0400
202
203openssh (1:3.3p1-0.0woody3) testing-security; urgency=high
204
205 * NMU by the security team.
206 * use correct home directory when sshd user is created
207
208 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400
209
210openssh (1:3.3p1-0.0woody2) testing-security; urgency=high
211
212 * NMU by the security team.
213 * Fix rsa1 key creation (Closes: #150949)
214 * don't fail if sshd user removal fails
215 * depends: on adduser (Closes: #150907)
216
217 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400
218
219openssh (1:3.3p1-0.0woody1) testing-security; urgency=high
220
221 * NMU by the security team.
222 * New upstream version.
223 - Enable privilege separation by default.
224 * Include patch from Solar Designer for privilege separation and
225 compression on 2.2.x kernels.
226 * Remove --disable-suid-ssh from configure.
227 * Support setuid ssh-keysign binary instead of setuid ssh client.
228 * Check sshd configuration before restarting.
229
230 -- Daniel Jacobowitz <dan@debian.org> Mon, 24 Jun 2002 13:43:44 -0400
231
232openssh (1:3.0.2p1-9) unstable; urgency=high
233
234 * Thanks to those who NMUd
235 * The only change in this version is to debian/control - I've removed
236 the bit that says you can't export it from the US - it would look
237 pretty daft to say this about a package in main! Also, it's now OK
238 to use crypto in France, so I've edited that comment slightly
239 * Correct a path in README.Debian too (Closes: #138634)
240
241 -- Matthew Vernon <matthew@debian.org> Sun, 4 Apr 2002 09:52:59 +0100
242
243openssh (1:3.0.2p1-8.3) unstable; urgency=medium
244
245 * NMU
246 * Really set urgency to medium this time (oops)
247 * Fix priority to standard per override while I'm at it
248
249 -- Aaron M. Ucko <ucko@debian.org> Sun, 24 Mar 2002 09:00:08 -0500
250
251openssh (1:3.0.2p1-8.2) unstable; urgency=low
252
253 * NMU with maintainer's permission
254 * Prepare for upcoming ssh-nonfree transitional packages per
255 <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html>
256 * Urgency medium because it would really be good to get this into woody
257 before it releases
258 * Fix sections to match override file
259 * Reissued due to clash with non-US -> main move
260
261 -- Aaron M. Ucko <ucko@debian.org> Sat, 23 Mar 2002 21:21:52 -0500
262
263openssh (1:3.0.2p1-8.1) unstable; urgency=low
264
265 * NMU
266 * Move from non-US to mani
267
268 -- LaMont Jones <lamont@debian.org> Thu, 21 Mar 2002 09:33:50 -0700
269
270openssh (1:3.0.2p1-8) unstable; urgency=critical
271
272 * Security fix - patch from upstream (Closes: #137209, #137210)
273 * Undo the changes in the unreleased -7, since they appear to break
274 things here. Accordingly, the code change is minimal, and I'm
275 happy to get it into testing ASAP
276
277 -- Matthew Vernon <matthew@debian.org> Thu, 7 Mar 2002 14:25:23 +0000
278
279openssh (1:3.0.2p1-7) unstable; urgency=high
280
281 * Build to support IPv6 and IPv4 by default again
282
283 -- Matthew Vernon <matthew@debian.org> Sat, 2 Mar 2002 00:25:05 +0000
284
285openssh (1:3.0.2p1-6) unstable; urgency=high
286
287 * Correct error in the clean target (Closes: #130868)
288
289 -- Matthew Vernon <matthew@debian.org> Sat, 26 Jan 2002 00:32:00 +0000
290
291openssh (1:3.0.2p1-5) unstable; urgency=medium
292
293 * Include the Debian version in our identification, to make it easier to
294 audit networks for patched versions in future
295
296 -- Matthew Vernon <matthew@debian.org> Mon, 21 Jan 2002 17:16:10 +0000
297
298openssh (1:3.0.2p1-4) unstable; urgency=medium
299
300 * If we're asked to not run sshd, stop any running sshd's first
301 (Closes: #129327)
302
303 -- Matthew Vernon <matthew@debian.org> Wed, 16 Jan 2002 21:24:16 +0000
304
305openssh (1:3.0.2p1-3) unstable; urgency=high
306
307 * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913)
308 * Remove extra debconf suggestion (Closes: #128094)
309 * Mmm. speedy bug-fixing :-)
310
311 -- Matthew Vernon <matthew@debian.org> Sat, 12 Jan 2002 17:23:58 +0000
312
313openssh (1:3.0.2p1-2) unstable; urgency=high
314
315 * Fix postinst to not automatically overwrite sshd_config (!)
316 (Closes: #127842, #127867)
317 * Add section in README.Debian about the PermitRootLogin setting
318
319 -- Matthew Vernon <matthew@debian.org> Sat, 5 Jan 2003 05:26:30 +0000
320
321openssh (1:3.0.2p1-1) unstable; urgency=high
322
323 * Incorporate fix from Colin's NMU
324 * New upstream version (fixes the bug Wichert fixed) (Closes: #124035)
325 * Capitalise IETF (Closes: #125379)
326 * Refer to the correct sftp-server location (Closes: #126854, #126224)
327 * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247)
328 * Ask people upgrading from potato if they want a new conffile
329 (Closes: #125642)
330 * Fix a typo in postinst (Closes: #122192, #122410, #123440)
331 * Frob the default config a little (Closes: #122284, #125827, #125696,
332 #123854)
333 * Make /etc/init.d/ssh be more clear about ssh not running (Closes:
334 #123552)
335 * Fix typo in templates file (Closes: #123411)
336
337 -- Matthew Vernon <matthew@debian.org> Fri, 4 Jan 2002 16:01:52 +0000
338
339openssh (1:3.0.1p1-1.2) unstable; urgency=high
340
341 * Non-maintainer upload
342 * Prevent local users from passing environment variables to the login
343 process when UseLogin is enabled
344
345 -- Wichert Akkerman <wakkerma@debian.org> Mon, 3 Dec 2001 19:34:45 +0100
346
347openssh (1:3.0.1p1-1.1) unstable; urgency=low
348
349 * Non-maintainer upload, at Matthew's request.
350 * Remove sa_restorer assignment to fix compilation on alpha, hppa, and
351 ia64 (closes: #122086).
352
353 -- Colin Watson <cjwatson@debian.org> Sun, 2 Dec 2001 18:54:16 +0000
354
355openssh (1:3.0.1p1-1) unstable; urgency=high
356
357 * New upstream version (Closes: #113646, #113513, #114707, #118564)
358 * Building with a libc that works (!) (Closes: #115228)
359 * Patches forward-ported are -1/-2 options for scp, the improvement to
360 'waiting for forwarded connections to terminate...'
361 * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228)
362 * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst
363 * Remove suidregister leftover from postrm
364 * Mention key we are making in the postinst
365 * Default to not enable SSH protocol 1 support, since protocol 2 is
366 much safer anyway.
367 * New version of the vpn-fixes patch, from Ian Jackson
368 * New handling of -q, and added new -qq option; thanks to Jon Amery
369 * Experimental smartcard support not enabled, since I have no way of
370 testing it.
371
372 -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
373
374openssh (1:2.9p2-6) unstable; urgency=low
375
376 * check for correct file in /etc/init.d/ssh (Closes: #110876)
377 * correct location of version 2 keys in ssh.1 (Closes: #110439)
378 * call update-alternatives --quiet (Closes: #103314)
379 * hack ssh-copy-id to chmod go-w (Closes: #95551)
380 * TEMPORARY fix to provide largefile support using a -D in the cflags
381 line. long-term, upstream will patch the autoconf stuff
382 (Closes: #106809, #111849)
383 * remove /etc/rc references in ssh-keygen.1 (Closes: #68350)
384 * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054)
385 * Check for files containing a newline character (Closes: #111692)
386
387 -- Matthew Vernon <matthew@debian.org> Thu, 13 Sep 2001 16:47:36 +0100
388
389openssh (1:2.9p2-5) unstable; urgency=high
390
391 * Thanks to all the bug-fixers who helped!
392 * remove sa_restorer assignment (Closes: #102837)
393 * patch from Peter Benie to DTRT wrt X forwarding if the server refuses
394 us access (Closes: #48297)
395 * patch from upstream CVS to fix port forwarding (Closes: #107132)
396 * patch from Jonathan Amery to document ssh-keygen behaviour
397 (Closes:#106643, #107512)
398 * patch to postinst from Jonathan Amery (Closes: #106411)
399 * patch to manpage from Jonathan Amery (Closes: #107364)
400 * patch from Matthew Vernon to make -q emit fatal errors as that is the
401 documented behaviour (Closes: #64347)
402 * patch from Ian Jackson to cause us to destroy a file when we scp it
403 onto itself, rather than dumping bits of our memory into it, which was
404 a security hole (see #51955)
405 * patch from Jonathan Amery to document lack of Kerberos support
406 (Closes: #103726)
407 * patch from Matthew Vernon to make the 'waiting for connections to
408 terminate' message more helpful (Closes: #50308)
409
410 -- Matthew Vernon <matthew@debian.org> Thu, 23 Aug 2001 02:14:09 +0100
411
412openssh (1:2.9p2-4) unstable; urgency=high
413
414 * Today's build of ssh is strawberry flavoured
415 * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176)
416 * Tidy up debconf template (Closes: #106152)
417 * If called non-setuid, then setgid()'s failure should not be fatal (see
418 #105854)
419
420 -- Matthew Vernon <matthew@debian.org> Sun, 22 Jul 2001 14:19:43 +0100
421
422openssh (1:2.9p2-3) unstable; urgency=low
423
424 * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061)
425 * Improve the IdentityFile section in the man page (Closes: #106038)
426
427 -- Matthew Vernon <matthew@debian.org> Sat, 21 Jul 2001 14:47:27 +0100
428
429openssh (1:2.9p2-2) unstable; urgency=low
430
431 * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868)
432 * Make PrintLastLog 'no' by default (Closes: #105893)
433
434 -- Matthew Vernon <matthew@debian.org> Thu, 19 Jul 2001 18:36:41 +0100
435
436openssh (1:2.9p2-1) unstable; urgency=low
437
438 * new (several..) upstream version (Closes: #96726, #81856, #96335)
439 * Hopefully, this will close some other bugs too
440
441 -- Matthew Vernon <matthew@debian.org> Tue, 17 Jul 2001 19:41:58 +0100
442
443openssh (1:2.5.2p2-3) unstable; urgency=low
444
445 * Taking Over this package
446 * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991)
447 * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274)
448 * Don't fiddle with conf-files any more (Closes: #69501)
449
450 -- Matthew Vernon <matthew@debian.org> Tue, 03 Jul 2001 02:58:13 +0100
451
452openssh (1:2.5.2p2-2.2) unstable; urgency=low
453
454 * NMU
455 * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033)
456 * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273)
457 * Patch from Matthew Vernon for BannerTimeOut, batchmode, and
458 documentation for protocolkeepalives. Makes ssh more generally useful
459 for scripting uses (Closes: #82877, #99275)
460 * Set a umask, so ourpidfile isn't world-writable (closes: #100012,
461 #98286, #97391)
462
463 -- Matthew Vernon <matthew@debian.org> Thu, 28 Jun 2001 23:15:42 +0100
464
465openssh (1:2.5.2p2-2.1) unstable; urgency=low
466
467 * NMU
468 * Remove duplicate Build-Depends for libssl096-dev and change it to
469 depend on libssl-dev instaed. Also adding in virtual | real package
470 style build-deps. (Closes: #93793, #75228)
471 * Removing add-log entry (Closes: #79266)
472 * This was a pam bug from a while back (Closes: #86908, #88457, #86843)
473 * pam build-dep already exists (Closes: #93683)
474 * libgnome-dev build-dep already exists (Closes: #93694)
475 * No longer in non-free (Closes: #85401)
476 * Adding in fr debconf translations (Closes: #83783)
477 * Already suggests xbase-clients (Closes: #79741)
478 * No need to suggest libpam-pwdb anymore (Closes: #81658)
479 * Providing rsh-client (Closes: #79437)
480 * hurd patch was already applied (Closes: #76033)
481 * default set to no (Closes: #73682)
482 * Adding in a suggests for dnsutils (Closes: #93265)
483 * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612)
484 (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465)
485 * Adding in debconf dependency
486
487 -- Ivan E. Moore II <rkrusty@debian.org> Mon, 16 Apr 2001 14:11:04 +0100
488
489openssh (1:2.5.2p2-2) unstable; urgency=high
490
491 * disable the OpenSSL version check in entropy.c
492 (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648)
493
494 -- Philip Hands <phil@uk.alcove.com> Wed, 11 Apr 2001 20:30:04 +0100
495
496openssh (1:2.5.2p2-1) unstable; urgency=low
497
498 * New upstream release
499 * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748)
500 * fix double space indent in german templates (closes: #89493)
501 * make postinst check for ssh_host_rsa_key
502 * get rid of the last of the misguided debian/rules NMU debris :-/
503
504 -- Philip Hands <phil@hands.com> Sat, 24 Mar 2001 20:59:33 +0000
505
506openssh (1:2.5.1p2-2) unstable; urgency=low
507
508 * rebuild with new debhelper (closes: #89558, #89536, #90225)
509 * fix broken dpkg-statoverride test in postinst
510 (closes: #89612, #90474, #90460, #89605)
511 * NMU bug fixed but not closed in last upload (closes: #88206)
512
513 -- Philip Hands <phil@hands.com> Fri, 23 Mar 2001 16:11:33 +0000
514
515openssh (1:2.5.1p2-1) unstable; urgency=high
516
517 * New upstream release
518 * fix typo in postinst (closes: #88110)
519 * revert to setting PAM service name in debian/rules, backing out last
520 NMU, which also (closes: #88101)
521 * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config
522 * restore printlastlog option patch
523 * revert to using debhelper, which had been partially disabled in NMUs
524
525 -- Philip Hands <phil@hands.com> Tue, 13 Mar 2001 01:41:34 +0000
526
527openssh (1:2.5.1p1-1.8) unstable; urgency=high
528
529 * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed
530
531 -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 19:48:01 +0100
532
533openssh (1:2.5.1p1-1.7) unstable; urgency=high
534
535 * And now we mark the correct binary as setuid, when a user requested
536 to install it setuid.
537
538 -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 07:19:56 +0100
539
540openssh (1:2.5.1p1-1.6) unstable; urgency=high
541
542 * Fixes postinst to handle overrides that are already there. Damn, I
543 should have noticed the bug earlier.
544
545 -- Christian Kurz <shorty@debian.org> Wed, 28 Feb 2001 22:35:00 +0100
546
547openssh (1:2.5.1p1-1.5) unstable; urgency=high
548
549 * Rebuild ssh with pam-support.
550
551 -- Christian Kurz <shorty@debian.org> Mon, 26 Feb 2001 21:55:51 +0100
552
553openssh (1:2.5.1p1-1.4) unstable; urgency=low
554
555 * Added Build-Depends on libssl096-dev.
556 * Fixed sshd_config file to disallow root logins again.
557
558 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 20:03:55 +0100
559
560openssh (1:2.5.1p1-1.3) unstable; urgency=low
561
562 * Fixed missing manpages for sftp.1 and ssh-keyscan.1
563 * Made package policy 3.5.2 compliant.
564
565 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 15:46:26 +0100
566
567openssh (1:2.5.1p1-1.2) unstable; urgency=low
568
569 * Added Conflict with sftp, since we now provide our own sftp-client.
570 * Added a fix for our broken dpkg-statoverride call in the
571 2.3.0p1-13.
572 * Fixed some config pathes in the comments of sshd_config.
573 * Removed ssh-key-exchange-vulnerability-patch since it's not needed
574 anymore because upstream included the fix.
575
576 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 13:46:58 +0100
577
578openssh (1:2.5.1p1-1.1) unstable; urgency=high
579
580 * Another NMU to get the new upstream version 2.5.1p1 into
581 unstable. (Closes: #87123)
582 * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766)
583 * Key Exchange patch is already included by upstream. (Closes: #86015)
584 * Upgrading should be possible now. (Closes: #85525, #85523)
585 * Added --disable-suid-ssh as compile option, so ssh won't get installed
586 suid per default.
587 * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride
588 is available and the mode of the binary should be 4755. And also added
589 suggestion for a newer dpkg.
590 (Closes: #85734, #85741, #86876)
591 * sftp and ssh-keyscan will also be included from now on. (Closes: #79994)
592 * scp now understands spaces in filenames (Closes: #53783, #58958,
593 #66723)
594 * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623)
595 * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035)
596 * ssh supports the usage of other dsa keys via the ssh command line
597 options. (Closes: #81250)
598 * Documentation in sshd_config fixed. (Closes: #81088)
599 * primes file included by upstream and included now. (Closes: #82101)
600 * scp now allows dots in the username. (Closes: #82477)
601 * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124)
602
603 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 10:06:08 +0100
604
605openssh (1:2.3.0p1-1.13) unstable; urgency=low
606
607 * Config should now also be fixed with this hopefully last NMU.
608
609 -- Christian Kurz <shorty@debian.org> Sat, 10 Feb 2001 22:56:36 +0100
610
611openssh (1:2.3.0p1-1.12) unstable; urgency=high
612
613 * Added suggest for xbase-clients to control-file. (Closes #85227)
614 * Applied patch from Markus Friedl to fix a vulnerability in
615 the rsa keyexchange.
616 * Fixed position of horizontal line. (Closes: #83613)
617 * Fixed hopefully the grep problem in the config-file. (Closes: #78802)
618 * Converted package from suidregister to dpkg-statoverride.
619
620 -- Christian Kurz <shorty@debian.org> Fri, 9 Feb 2001 19:43:55 +0100
621
622openssh (1:2.3.0p1-1.11) unstable; urgency=medium
623
624 * Fixed some typos in the german translation of the debconf
625 template.
626
627 -- Christian Kurz <shorty@debian.org> Wed, 24 Jan 2001 18:22:38 +0100
628
629openssh (1:2.3.0p1-1.10) unstable; urgency=medium
630
631 * Fixed double printing of motd. (Closes: #82618)
632
633 -- Christian Kurz <shorty@debian.org> Tue, 23 Jan 2001 21:03:43 +0100
634
635openssh (1:2.3.0p1-1.9) unstable; urgency=high
636
637 * And the next NMU which includes the patch from Andrew Bartlett
638 and Markus Friedl to fix the root privileges handling of openssh.
639 (Closes: #82657)
640
641 -- Christian Kurz <shorty@debian.org> Wed, 17 Jan 2001 22:20:54 +0100
642
643openssh (1:2.3.0p1-1.8) unstable; urgency=high
644
645 * Applied fix from Ryan Murray to allow building on other architectures
646 since the hurd patch was wrong. (Closes: #82471)
647
648 -- Christian Kurz <shorty@debian.org> Tue, 16 Jan 2001 22:45:51 +0100
649
650openssh (1:2.3.0p1-1.7) unstable; urgency=medium
651
652 * Fixed another typo on sshd_config
653
654 -- Christian Kurz <shorty@debian.org> Sun, 14 Jan 2001 19:01:31 +0100
655
656openssh (1:2.3.0p1-1.6) unstable; urgency=high
657
658 * Added Build-Dependency on groff (Closes: #81886)
659 * Added Build-Depencency on debhelper (Closes: #82072)
660 * Fixed entry for known_hosts in sshd_config (Closes: #82096)
661
662 -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 23:08:16 +0100
663
664openssh (1:2.3.0p1-1.5) unstable; urgency=high
665
666 * Fixed now also the problem with sshd used as default ipv4 and
667 didn't use IPv6. This should be now fixed.
668
669 -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 21:25:55 +0100
670
671openssh (1:2.3.0p1-1.4) unstable; urgency=high
672
673 * Fixed buggy entry in postinst.
674
675 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 23:12:16 +0100
676
677openssh (1:2.3.0p1-1.3) unstable; urgency=high
678
679 * After finishing the rewrite of the rules-file I had to notice that
680 the manpage installation was broken. This should now work again.
681
682 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 22:11:59 +0100
683
684openssh (1:2.3.0p1-1.2) unstable; urgency=high
685
686 * Fixed the screwed up build-dependency.
687 * Removed --with-ipv4-default to support ipv6.
688 * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd.
689 * Fixed location to sftp-server in config.
690 * Since debian still relies on /etc/pam.d/ssh instead of moving to
691 /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name.
692 * Fixed path to host key in sshd_config.
693
694 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 08:23:47 +0100
695
696openssh (1:2.3.0p1-1.1) unstable; urgency=medium
697
698 * NMU with permission of Phil Hands.
699 * New upstream release
700 * Update Build-Depends to point to new libssl096.
701 * This upstream release doesn't leak any information depending
702 on the setting of PermitRootLogin (Closes: #59933)
703 * New upstream release contains fix against forcing a client to
704 do X/agent forwarding (Closes: #76788)
705 * Changed template to contain correct path to the documentation
706 (Closes: #67245)
707 * Added --with-4in6 switch as compile option into debian/rules.
708 * Added --with-ipv4-default as compile option into debian/rules.
709 (Closes: #75037)
710 * Changed default path to also contain /usr/local/bin and
711 /usr/X11R6/bin (Closes: #62472,#54567,#62810)
712 * Changed path to sftp-server in sshd_config to match the
713 our package (Closes: #68347)
714 * Replaced OpenBSDh with OpenBSD in the init-script.
715 * Changed location to original source in copyright.head
716 * Changed behaviour of init-script when invoked with the option
717 restart (Closes: #68706,#72560)
718 * Added a note about -L option of scp to README.Debian
719 * ssh won't print now the motd if invoked with -t option
720 (Closes: #59933)
721 * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867)
722 * Added a note about tcp-wrapper support to README.Debian
723 (Closes: #72807,#22190)
724 * Removed two unneeded options from building process.
725 * Added sshd.pam into debian dir and install it.
726 * Commented out unnecessary call to dh_installinfo.
727 * Added a line to sshd.pam so that limits will be paid attention
728 to (Closes: #66904)
729 * Restart Option has a Timeout of 10 seconds (Closes: 51264)
730 * scp won't override files anymore (Closes: 51955)
731 * Removed pam_lastlog module, so that the lastlog is now printed
732 only once (Closes: #71742, #68335, #69592, #71495, #77781)
733 * If password is expired, openssh now forces the user to change it.
734 (Closes: #51747)
735 * scp should now have no more problems with shell-init-files that
736 produces ouput (Closes: #56280,#59873)
737 * ssh now prints the motd correctly (Closes: #66926)
738 * ssh upgrade should disable ssh daemon only if users has choosen
739 to do so (Closes: #67478)
740 * ssh can now be installed suid (Closes: #70879)
741 * Modified debian/rules to support hurd.
742
743 -- Christian Kurz <shorty@debian.org> Wed, 27 Dec 2000 20:06:57 +0100
744
745openssh (1:2.2.0p1-1.1) unstable; urgency=medium
746
747 * Non-Maintainer Upload
748 * Check for new returns in the new libc
749 (closes: #72803, #74393, #72797, #71307, #71702)
750 * Link against libssl095a (closes: #66304)
751 * Correct check for PermitRootLogin (closes: #69448)
752
753 -- Ryan Murray <rmurray@debian.org> Wed, 18 Oct 2000 00:48:18 -0700
754
755openssh (1:2.2.0p1-1) unstable; urgency=low
756
757 * New upstream release
758
759 -- Philip Hands <phil@hands.com> Mon, 11 Sep 2000 14:49:43 +0100
760
761openssh (1:2.1.1p4-3) unstable; urgency=low
762
763 * add rsh alternatives
764 * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097)
765 * do the IPV4_DEFAULT thing properly this time
766
767 -- Philip Hands <phil@hands.com> Fri, 11 Aug 2000 18:14:37 +0100
768
769openssh (1:2.1.1p4-2) unstable; urgency=low
770
771 * reinstate manpage .out patch from 1:1.2.3
772 * fix typo in postinst
773 * only compile ssh with IPV4_DEFAULT
774 * apply James Troup's patch to add a -o option to scp and updated manpage
775
776 -- Philip Hands <phil@hands.com> Sun, 30 Jul 2000 00:12:49 +0100
777
778openssh (1:2.1.1p4-1) unstable; urgency=low
779
780 * New upstream release
781
782 -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 14:46:16 +0100
783
784openssh (1:1.2.3-10) unstable; urgency=low
785
786 * add version to libpam-modules dependency, because old versions of
787 pam_motd make it impossible to log in.
788
789 -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 13:28:22 +0100
790
791openssh (1:1.2.3-9) frozen unstable; urgency=low
792
793 * force location of /usr/bin/X11/xauth
794 (closes: #64424, #66437, #66859) *RC*
795 * typos in config (closes: #66779, #66780)
796 * sshd_not_to_be_run could be assumed to be true, in error, if the config
797 script died in an unusual way --- I've reversed this (closes: #66335)
798 * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk
799 (closes: #65981)
800 * change default for PermitRootLogin to "no" (closes: #66406)
801
802 -- Philip Hands <phil@hands.com> Tue, 11 Jul 2000 20:51:18 +0100
803
804openssh (1:1.2.3-8) frozen unstable; urgency=low
805
806 * get rid of Provides: rsh-server (this will mean that rstartd
807 will need to change it's depends to deal with #63948, which I'm
808 reopening) (closes: #66257)
809 Given that this is also a trivial change, and is a reversal of a
810 change that was mistakenly made after the freeze, I think this should
811 also go into frozen.
812
813 -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:26:30 +0100
814
815openssh (1:1.2.3-7) frozen unstable; urgency=low
816
817 * check if debconf is installed before calling db_stop in postinst.
818 This is required to allow ssh to be installed when debconf is not
819 wanted, which probably makes it an RC upload (hopefully the last of
820 too many).
821
822 -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:19:47 +0100
823
824openssh (1:1.2.3-6) frozen unstable; urgency=low
825
826 * fixed depressing little bug involving a line wrap looking like
827 a blank line in the templates file *RC*
828 (closes: #66090, #66078, #66083, #66182)
829
830 -- Philip Hands <phil@hands.com> Mon, 26 Jun 2000 00:45:05 +0100
831
832openssh (1:1.2.3-5) frozen unstable; urgency=low
833
834 * add code to prevent UseLogin exploit, although I think our PAM
835 conditional code breaks UseLogin in a way that protects us from this
836 exploit anyway. ;-) (closes: #65495) *RC*
837 * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard
838 grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC*
839 * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3)
840 and use db_stop in the postinst to solve that problem instead
841 (closes: #65104)
842 * add Provides: rsh-server to ssh (closes: #63948)
843 * provide config option not to run sshd
844
845 -- Philip Hands <phil@hands.com> Mon, 12 Jun 2000 23:05:11 +0100
846
847openssh (1:1.2.3-4) frozen unstable; urgency=low
848
849 * fixes #63436 which is *RC*
850 * add 10 second pause in init.d restart (closes: #63844)
851 * get rid of noenv in PAM mail line (closes: #63856)
852 * fix host key path in make-ssh-known-hosts (closes: #63713)
853 * change wording of SUID template (closes: #62788, #63436)
854
855 -- Philip Hands <phil@hands.com> Sat, 27 May 2000 11:18:06 +0100
856
857openssh (1:1.2.3-3) frozen unstable; urgency=low
858
859 * redirect sshd's file descriptors to /dev/null in init to
860 prevent debconf from locking up during installation
861 ** grave bug just submited by me **
862
863 -- Philip Hands <phil@hands.com> Thu, 20 Apr 2000 17:10:59 +0100
864
865openssh (1:1.2.3-2) frozen unstable; urgency=low
866
867 * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC **
868 * suggest debconf
869 * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst
870
871 -- Philip Hands <phil@hands.com> Wed, 19 Apr 2000 17:49:15 +0100
872
873openssh (1:1.2.3-1) frozen unstable; urgency=low
874
875 * New upstream release
876 * patch sshd to create extra xauth key required for localhost
877 (closes: #49944) *** RC ***
878 * FallbacktoRsh now defaults to ``no'' to match impression
879 given in sshd_config
880 * stop setting suid bit on ssh (closes: #58711, #58558)
881 This breaks Rhosts authentication (which nobody uses) and allows
882 the LD_PRELOAD trick to get socks working, so seems like a net benefit.
883
884 -- Philip Hands <phil@hands.com> Thu, 13 Apr 2000 20:01:54 +0100
885
886openssh (1:1.2.2-1.4) frozen unstable; urgency=low
887
888 * Recompile for frozen, contains fix for RC bug.
889
890 -- Tommi Virtanen <tv@debian.org> Tue, 29 Feb 2000 22:14:58 +0200
891
892openssh (1:1.2.2-1.3) unstable; urgency=low
893
894 * Integrated man page addition for PrintLastLog.
895 This bug was filed on "openssh", and I ended up
896 creating my own patch for this (closes: #59054)
897 * Improved error message when ssh_exchange_identification
898 gets EOF (closes: #58904)
899 * Fixed typo (your -> you're) in debian/preinst.
900 * Added else-clauses to config to make this upgradepath possible:
901 oldssh -> openssh preinst fails due to upgrade_to_openssh=false
902 -> ssh-nonfree -> openssh. Without these, debconf remembered
903 the old answer, config didn't force asking it, and preinst always
904 aborted (closes: #56596, #57782)
905 * Moved setting upgrade_to_openssh isdefault flag to the place
906 where preinst would abort. This means no double question to most
907 users, people who currently suffer from "can't upgrade" may need
908 to run apt-get install ssh twice. Did not do the same for
909 use_old_init_script, as the situation is a bit different, and
910 less common (closes: #54010, #56224)
911 * Check for existance of ssh-keygen before attempting to use it in
912 preinst, added warning for non-existant ssh-keygen in config. This
913 happens when the old ssh is removed (say, due to ssh-nonfree getting
914 installed).
915
916 -- Tommi Virtanen <tv@debian.org> Sun, 27 Feb 2000 21:36:43 +0200
917
918openssh (1:1.2.2-1.2) frozen unstable; urgency=low
919
920 * Non-maintainer upload.
921 * Added configuration option PrintLastLog, default off due to PAM
922 (closes: #54007, #55042)
923 * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's
924 Suggests: line more accurate. Also closing related bugs fixed
925 earlier, when default ssh-askpass moved to /usr/bin.
926 (closes: #52403, #54741, #50607, #52298, #50967, #51661)
927 * Patched to call vhangup, with autoconf detection and all
928 (closes: #55379)
929 * Added --with-ipv4-default workaround to a glibc bug causing
930 slow DNS lookups, as per UPGRADING. Use -6 to really use
931 IPv6 addresses. (closes: #57891, #58744, #58713, #57970)
932 * Added noenv to PAM pam_mail line. Thanks to Ben Collins.
933 (closes: #58429)
934 * Added the UPGRADING file to the package.
935 * Added frozen to the changelog line and recompiled before
936 package was installed into the archive.
937
938 -- Tommi Virtanen <tv@debian.org> Fri, 25 Feb 2000 22:08:57 +0200
939
940openssh (1:1.2.2-1.1) frozen unstable; urgency=low
941
942 * Non-maintainer upload.
943 * Integrated scp pipe buffer patch from Ben Collins
944 <benc@debian.org>, should now work even if reading
945 a pipe gives less than fstat st_blksize bytes.
946 Should now work on Alpha and Sparc Linux (closes: #53697, #52071)
947 * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393)
948 * Integrated patch from Ben Collins <benc@debian.org>
949 to do full shadow account locking and expiration
950 checking (closes: #58165, #51747)
951
952 -- Tommi Virtanen <tv@debian.org> Tue, 22 Feb 2000 20:46:12 +0200
953
954openssh (1:1.2.2-1) frozen unstable; urgency=medium
955
956 * New upstream release (closes: #56870, #56346)
957 * built against new libesd (closes: #56805)
958 * add Colin Watson <cjw44@cam.ac.uk> =NULL patch
959 (closes: #49902, #54894)
960 * use socketpairs as suggested by Andrew Tridgell to eliminate rsync
961 (and other) lockups
962 * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/
963 (closes: #49902, #55872, #56959)
964 * uncoment the * line in ssh_config (closes: #56444)
965
966 * #54894 & #49902 are release critical, so this should go in frozen
967
968 -- Philip Hands <phil@hands.com> Wed, 9 Feb 2000 04:52:04 +0000
969
970openssh (1:1.2.1pre24-1) unstable; urgency=low
971
972 * New upstream release
973
974 -- Philip Hands <phil@hands.com> Fri, 31 Dec 1999 02:47:24 +0000
975
976openssh (1:1.2.1pre23-1) unstable; urgency=low
977
978 * New upstream release
979 * excape ? in /etc/init.d/ssh (closes: #53269)
980
981 -- Philip Hands <phil@hands.com> Wed, 29 Dec 1999 16:50:46 +0000
982
983openssh (1:1.2pre17-1) unstable; urgency=low
984
985 * New upstream release
986
987 -- Philip Hands <phil@hands.com> Thu, 9 Dec 1999 16:50:40 +0000
988
989openssh (1:1.2pre16-1) unstable; urgency=low
990
991 * New upstream release
992 * upstream release (1.2pre14) (closes: #50299)
993 * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776)
994 * dispose of grep -q broken pipe message in config script (closes: #50855)
995 * add make-ssh-known-hosts (closes: #50660)
996 * add -i option to ssh-copy-id (closes: #50657)
997 * add check for *LK* in password, indicating a locked account
998
999 -- Philip Hands <phil@hands.com> Wed, 8 Dec 1999 22:59:38 +0000
1000
1001openssh (1:1.2pre13-1) unstable; urgency=low
1002
1003 * New upstream release
1004 * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules
1005 * remove duplicate line in /etc/pam.d/ssh (closes: #50310)
1006 * mention ssh -A option in ssh.1 & ssh_config
1007 * enable forwarding to localhost in default ssh_config (closes: #50373)
1008 * tweak preinst to deal with debconf being `unpacked'
1009 * use --with-tcp-wrappers (closes: #49545)
1010
1011 -- Philip Hands <phil@hands.com> Sat, 20 Nov 1999 14:20:04 +0000
1012
1013openssh (1:1.2pre11-2) unstable; urgency=low
1014
1015 * oops, just realised that I forgot to strip out the unpleasant
1016 fiddling mentioned below (which turned not to be a fix anyway)
1017
1018 -- Philip Hands <phil@hands.com> Mon, 15 Nov 1999 01:35:23 +0000
1019
1020openssh (1:1.2pre11-1) unstable; urgency=low
1021
1022 * New upstream release (closes: #49722)
1023 * add 2>/dev/null to dispose of spurious message casused by grep -q
1024 (closes: #49876, #49604)
1025 * fix typo in debian/control (closes: #49841)
1026 * Do some unpleasant fiddling with upgraded keys in the preinst, which
1027 should make the keylength problem go away. (closes: #49676)
1028 * make pam_start in sshd use ``ssh'' as the service name (closes: #49956)
1029 * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107)
1030 * apply Ben Collins <bcollins@debian.org>'s shadow patch
1031 * disable lastlogin and motd printing if using pam (closes: #49957)
1032 * add ssh-copy-id script and manpage
1033
1034 -- Philip Hands <phil@hands.com> Fri, 12 Nov 1999 01:03:38 +0000
1035
1036openssh (1:1.2pre9-1) unstable; urgency=low
1037
1038 * New upstream release
1039 * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch
1040 to channels.c, to make forwarded ports instantly reusable
1041 * replace Pre-Depend: debconf with some check code in preinst
1042 * make the ssh-add ssh-askpass failure message more helpful
1043 * fix the ssh-agent getopts bug (closes: #49426)
1044 * fixed typo on Suggests: line (closes: #49704, #49571)
1045 * tidy up ssh package description (closes: #49642)
1046 * make ssh suid (closes: #49635)
1047 * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606)
1048 * disable agent forwarding by default, for the similar reasons as
1049 X forwarding (closes: #49586)
1050
1051 -- Philip Hands <phil@hands.com> Tue, 9 Nov 1999 09:57:47 +0000
1052
1053openssh (1:1.2pre7-4) unstable; urgency=low
1054
1055 * predepend on debconf (>= 0.2.17) should now allow preinst questions
1056
1057 -- Philip Hands <phil@hands.com> Sat, 6 Nov 1999 10:31:06 +0000
1058
1059openssh (1:1.2pre7-3) unstable; urgency=low
1060
1061 * add ssh-askpass package using Tommi Virtanen's perl-tk script
1062 * add ssh-preconfig package cludge
1063 * add usage hints to ssh-agent.1
1064
1065 -- Philip Hands <phil@hands.com> Fri, 5 Nov 1999 00:38:33 +0000
1066
1067openssh (1:1.2pre7-2) unstable; urgency=low
1068
1069 * use pam patch from Ben Collins <bcollins@debian.org>
1070 * add slogin symlink to Makefile.in
1071 * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login
1072 * sort out debconf usage
1073 * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass
1074
1075 -- Philip Hands <phil@hands.com> Thu, 4 Nov 1999 11:08:54 +0000
1076
1077openssh (1:1.2pre7-1) unstable; urgency=low
1078
1079 * New upstream release
1080
1081 -- Philip Hands <phil@hands.com> Tue, 2 Nov 1999 21:02:37 +0000
1082
1083openssh (1:1.2.0.pre6db1-2) unstable; urgency=low
1084
1085 * change the binary package name to ssh (the non-free branch of ssh has
1086 been renamed to ssh-nonfree)
1087 * make pam file comply with Debian standards
1088 * use an epoch to make sure openssh supercedes ssh-nonfree
1089
1090 -- Philip Hands <phil@hands.com> Sat, 30 Oct 1999 16:26:05 +0100
1091
1092openssh (1.2pre6db1-1) unstable; urgency=low
1093
1094 * New upstream source
1095 * sshd accepts logins now!
1096
1097 -- Dan Brosemer <odin@linuxfreak.com> Fri, 29 Oct 1999 11:13:38 -0500
1098
1099openssh (1.2.0.19991028-1) unstable; urgency=low
1100
1101 * New upstream source
1102 * Added test for -lnsl to configure script
1103
1104 -- Dan Brosemer <odin@linuxfreak.com> Thu, 28 Oct 1999 18:52:09 -0500
1105
1106openssh (1.2.0.19991027-3) unstable; urgency=low
1107
1108 * Initial release
1109
1110 -- Dan Brosemer <odin@linuxfreak.com> Wed, 27 Oct 1999 19:39:46 -0500
1111
1112Local variables:
1113mode: debian-changelog
1114End:
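Review bot: the entries at changelog lines 595 and 613 write `(Closes #69035)` and `(Closes #85227)` without the colon, so the changelog scanner, which matches `closes:` followed by the bug numbers, will not pick them up and those bugs stay open after the upload; add the colon or close them by hand. Separately, lines 447, 556 and 800 record the PermitRootLogin default moving between yes and no; README.Debian should state which default this package ships so administrators upgrading across these versions know what they get.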
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 000000000..b5c7a47fc
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,5 @@
1/etc/ssh/ssh_config
2/etc/ssh/moduli
3/etc/init.d/ssh
4/etc/pam.d/ssh
5/etc/default/ssh
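Review bot: /etc/ssh/sshd_config is missing from this list although debian/config in this same commit tests for it and asks ssh/new_config about it. If the file is generated by the maintainer scripts rather than shipped, leaving it out is correct, but say so in README.Debian so that nobody adds it here later and stacks a dpkg conffile prompt on top of the debconf question.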
diff --git a/debian/config b/debian/config
new file mode 100644
index 000000000..7b4f85b43
--- /dev/null
+++ b/debian/config
@@ -0,0 +1,99 @@
1#!/bin/sh
2
3action=$1
4version=$2
5
6if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
7 version=1.2.27
8 cp -a /etc/ssh-nonfree /etc/ssh
9fi
10
11# Source debconf library.
12. /usr/share/debconf/confmodule
13db_version 2.0
14
15if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
16then
17 db_input medium ssh/ssh2_keys_merged
18fi
19
20if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
21then
22 db_fset ssh/use_old_init_script isdefault true
23 db_input medium ssh/use_old_init_script || true
24 db_go
25
26 db_get ssh/use_old_init_script
27 [ "$RET" = "false" ] && exit 0
28else
29 db_set ssh/use_old_init_script true
30 db_fset ssh/use_old_init_script isdefault false
31fi
32
33if [ -z "$version" -a ! -e /etc/ssh/sshd_config ]
34then
35 db_input medium ssh/protocol2_only || true
36fi
37
38if [ -e /etc/ssh/sshd_config ]
39then
40 if dpkg --compare-versions "$version" lt-nl 1:1.3 ;
41 then db_input medium ssh/new_config || true
42 db_get ssh/new_config
43 if [ "$RET" = "true" ];
44 then db_input medium ssh/protocol2_only ||true
45 db_input high ssh/privsep_ask ||true
46 else db_input high ssh/privsep_tell ||true
47 fi
48 else db_input high ssh/privsep_tell ||true
49 fi
50else db_input high ssh/privsep_tell ||true
51fi
52
53db_input medium ssh/SUID_client || true
54
55# To be correct during initial installation, this relies on the desired
56# default for run_sshd being "true".
57if [ -e /etc/ssh/sshd_not_to_be_run ]
58then
59 db_set ssh/run_sshd false
60else
61 db_set ssh/run_sshd true
62fi
63db_input medium ssh/run_sshd || true
64
65if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
66then
67 if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null
68 then
69 db_input low ssh/insecure_telnetd || true
70 fi
71fi
72
73key=/etc/ssh/ssh_host_key
74export key
75if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] &&
76 dpkg --compare-versions "$version" lt 1.2.28
77then
78 # make sure that keys get updated to get rid of IDEA; preinst
79 # actually does the work, but if the old ssh-keygen is not found,
80 # it can't do that -- thus, we tell the user that he must create
81 # a new host key.
82 echo -en '\0\0' | 3<&0 sh -c \
83 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
84 # this means that bytes 32&33 of the key were not both zero, in which
85 # case the key is encrypted, which we need to fix
86 db_input high ssh/encrypted_host_key_but_no_keygen || true
87 }
88fi
89
90
91db_input low ssh/forward_warning || true
92
93if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
94 db_input high ssh/user_environment_tell || true
95fi
96
97db_go
98
99exit 0
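Review bot: the `echo -en '\0\0'` at line 82 is not portable under the `#!/bin/sh` at line 1. A POSIX shell whose echo does not accept `-en` writes the option text into the pipe, the `cmp` against the two bytes read at offset 32 of the host key then fails for unencrypted keys as well, and ssh/encrypted_host_key_but_no_keygen is shown when it should not be. Use `printf '\000\000'` there, and quote `$key` in `[ -f $key ]` at line 75. Separately, the `cp -a /etc/ssh-nonfree /etc/ssh` at lines 6-9 changes the filesystem from a debconf config script, which can run more than once and before the package is unpacked; that copy belongs in preinst.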
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..5a69855e2
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,48 @@
1Source: openssh
2Section: net
3Priority: standard
4Maintainer: Matthew Vernon <matthew@debian.org>
5Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, groff, debhelper (>=1.1.17), sharutils
6Standards-Version: 3.5.6
7Uploaders: Colin Watson <cjwatson@debian.org>
8
9Package: ssh
10Architecture: any
11Depends: ${shlibs:Depends}, libpam-modules (>= 0.72-9), debconf, adduser
12Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1)
13Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
14Provides: rsh-client
15Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
16 This is the portable version of OpenSSH, a free implementation of
17 the Secure Shell protocol as specified by the IETF secsh working
18 group.
19 .
20 Ssh (Secure Shell) is a program for logging into a remote machine
21 and for executing commands on a remote machine.
22 It provides secure encrypted communications between two untrusted
23 hosts over an insecure network. X11 connections and arbitrary TCP/IP
24 ports can also be forwarded over the secure channel.
25 It is intended as a replacement for rlogin, rsh and rcp, and can be
26 used to provide applications with a secure communication channel.
27 .
28 This package provides both the ssh client and the sshd server.
29 .
30 --------------------------------------------------------------------
31 .
32 In some countries, particularly Russia, Iraq, and Pakistan, it may
33 be illegal to use any encryption at all without a special permit.
34
35Package: ssh-askpass-gnome
36Section: x11
37Priority: optional
38Architecture: any
39Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ssh-krb5
40Replaces: ssh (<< 1:3.5p1-3)
41Provides: ssh-askpass
42Description: under X, asks user for a passphrase for ssh-add
43 This has been split out of the main ssh package, so that the ssh will
44 not need to depend upon the Gnome libraries.
45 .
46 You probably want the ssh-askpass package instead, but this is
47 provided to add to your choice and/or confusion.
48
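Review bot: the version relations are spaced inconsistently: `debhelper (>=1.1.17)` at line 5, `ssh-nonfree (<<2)` at line 12, `dpkg (>=1.8.3.1)` at line 13 and `ssh (>=1:1.2pre7-4)` at line 39 have no space after the operator, while `libgnomeui-dev (>= 2.0.0)` and `libpam-modules (>= 0.72-9)` do. Use the spaced form throughout.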
diff --git a/debian/copyright.head b/debian/copyright.head
new file mode 100644
index 000000000..5bd397447
--- /dev/null
+++ b/debian/copyright.head
@@ -0,0 +1,36 @@
1This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999
2(with help from Dan Brosemer <odin@linuxfreak.com>)
3
4It was downloaded from here:
5 ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz
6
7worldwide mirrors are listed here:
8 http://www.openssh.com/ftp.html
9
10The Debian specific parts of the package are mostly taken from the
11original ssh package, which has since been renamed as ssh-nonfree.
12
13The Debian patch is distributed under the terms of the GPL.
14
15The upstream source for this package is a combination of the ssh
16branch that is being maintained by the OpenBSD team (starting from
17the last version of SSH that was distributed under a free license),
18and porting work by Damien Miller <damien@ibs.com.au> to get it
19working on Linux. Other people also contributed to this, and are
20credited in /usr/share/doc/ssh/README.
21
22Copyright:
23
24Code in helper.[ch] is Copyright Internet Business Solutions and is
25released under a X11-style license (see source file for details).
26
27(A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a
28X11-style license (see source file for details).
29
30make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>,
31and is distributed under the GPL (see source file for details).
32
33The copyright for the original SSH version follows. It has been
34modified with [comments] to reflect the changes that the OpenBSD folks
35have made:
36
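Review bot: The download location on line 5 names openssh-2.3.0p1.tar.gz, but debian/control and debian/postinst in this same commit compare against 1:3.5p1-3 and 1:3.5p1-1, so the stated upstream source looks stale. Update the URL to the tarball this package is actually built from, and check that the per-file credits on lines 24 to 31 (helper.[ch], rc4.[ch], make-ssh-known-hosts) still describe files that are shipped.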
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 000000000..1496845fc
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,8 @@
1usr/bin
2usr/sbin
3usr/lib
4etc/ssh
5etc/init.d
6etc/default
7usr/share/man/man1
8usr/share/man/man8
diff --git a/debian/gnome-ssh-askpass.1 b/debian/gnome-ssh-askpass.1
new file mode 100644
index 000000000..b74c410a8
--- /dev/null
+++ b/debian/gnome-ssh-askpass.1
@@ -0,0 +1,51 @@
1.TH GNOME-SSH-ASKPASS 1
2.SH NAME
3gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME
4.SH SYNOPSIS
5.B gnome\-ssh\-askpass
6.SH DESCRIPTION
7.B gnome\-ssh\-askpass
8is a GNOME-based passphrase dialog for use with OpenSSH.
9It is intended to be called by the
10.BR ssh\-add (1)
11program and not invoked directly.
12It allows
13.BR ssh\-add (1)
14to obtain a passphrase from a user, even if not connected to a terminal
15(assuming that an X display is available).
16This happens automatically in the case where
17.B ssh\-add
18is invoked from one's
19.B ~/.xsession
20or as one of the GNOME startup programs, for example.
21.PP
22In order to be called automatically by
23.BR ssh\-add ,
24.B gnome\-ssh\-askpass
25should be installed as
26.IR /usr/bin/ssh\-askpass .
27.SH "ENVIRONMENT VARIABLES"
28The following environment variables are recognized:
29.TP
30.I GNOME_SSH_ASKPASS_GRAB_SERVER
31Causes
32.B gnome\-ssh\-askpass
33to grab the X server before asking for a passphrase.
34.TP
35.I GNOME_SSH_ASKPASS_GRAB_POINTER
36Causes
37.B gnome\-ssh\-askpass
38to grab the mouse pointer using
39.IR gdk_pointer_grab ()
40before asking for a passphrase.
41.PP
42Regardless of whether either of these environment variables is set,
43.B gnome\-ssh\-askpass
44will grab the keyboard using
45.IR gdk_keyboard_grab ().
46.SH AUTHOR
47This manual page was written by Colin Watson <cjwatson@debian.org>
48for the Debian system (but may be used by others).
49It was based on that for
50.B x11\-ssh\-askpass
51by Philip Hands.
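Review bot: Lines 25 and 26 say the program should be installed as /usr/bin/ssh-askpass, but debian/rules in this commit installs it as usr/lib/ssh/gnome-ssh-askpass inside the ssh-askpass-gnome package. The page should give the path the Debian package really uses and say how it becomes reachable under the ssh-askpass name (presumably the package's postinst arranges this), so a reader is not told to copy the binary by hand.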
diff --git a/debian/init b/debian/init
new file mode 100644
index 000000000..0eddf722e
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,73 @@
1#! /bin/sh
2set -e
3
4# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
5
6test -x /usr/sbin/sshd || exit 0
7( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
8
9if test -f /etc/default/ssh; then
10 . /etc/default/ssh
11fi
12
13check_for_no_start() {
14 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
15 if [ -e /etc/ssh/sshd_not_to_be_run ]; then
16 echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
17 exit 0
18 fi
19}
20
21check_privsep_dir() {
22 # Create the PrivSep empty dir if necessary
23 if [ ! -d /var/run/sshd ]; then
24 mkdir /var/run/sshd
25 chmod 0755 /var/run/sshd
26 fi
27}
28
29check_config() {
30 /usr/sbin/sshd -t || exit 1
31}
32
33export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
34
35case "$1" in
36 start)
37 check_for_no_start
38 check_privsep_dir
39 echo -n "Starting OpenBSD Secure Shell server: sshd"
40 start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS
41 echo "."
42 ;;
43 stop)
44 echo -n "Stopping OpenBSD Secure Shell server: sshd"
45 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
46 echo "."
47 ;;
48
49 reload|force-reload)
50 check_for_no_start
51 check_config
52 echo -n "Reloading OpenBSD Secure Shell server's configuration"
53 start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
54 echo "."
55 ;;
56
57 restart)
58 check_config
59 echo -n "Restarting OpenBSD Secure Shell server: sshd"
60 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
61 check_for_no_start
62 check_privsep_dir
63 sleep 2
64 start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS
65 echo "."
66 ;;
67
68 *)
69 echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
70 exit 1
71esac
72
73exit 0
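Review bot: The stop and restart branches (lines 45 and 60) call start-stop-daemon --stop with only --pidfile, while reload on line 53 also passes --exec /usr/sbin/sshd, so with a stale /var/run/sshd.pid an unrelated process can be signalled. Either add a matching check to the stop calls or leave a comment explaining why it is omitted there (for example, the binary having been replaced during an upgrade). Separately, check_privsep_dir on lines 23 to 26 only acts when the directory is missing; since this is the privilege separation directory, it should also confirm that an existing /var/run/sshd is owned by root and not group- or world-writable.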
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..4d3598a31
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,342 @@
1#!/bin/sh -e
2
3action="$1"
4oldversion="$2"
5
6test -e /usr/share/debconf/confmodule && {
7 . /usr/share/debconf/confmodule
8 db_version 2.0
9}
10
11umask 022
12
13if [ "$action" != configure ]
14 then
15 exit 0
16fi
17
18
19
20check_idea_key() {
21 #check for old host_key files using IDEA, which openssh does not support
22 if [ -f /etc/ssh/ssh_host_key ] ; then
23 if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
24 grep -q 'unknown cipher' 2>/dev/null ; then
25 mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
26 mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
27 fi
28 fi
29}
30
31
32create_key() {
33 local msg="$1"
34 shift
35 local file="$1"
36 shift
37
38 if [ ! -f "$file" ] ; then
39 echo -n $msg
40 ssh-keygen -q -f "$file" -N '' "$@"
41 echo
42 fi
43}
44
45
46create_keys() {
47 RET=true
48 test -e /usr/share/debconf/confmodule && {
49 db_get ssh/protocol2_only
50 }
51
52 if [ "$RET" = "false" ] ; then
53 create_key "Creating SSH1 key; this may take some time ..." \
54 /etc/ssh/ssh_host_key -t rsa1
55 fi
56
57 create_key "Creating SSH2 RSA key; this may take some time ..." \
58 /etc/ssh/ssh_host_rsa_key -t rsa
59 create_key "Creating SSH2 DSA key; this may take some time ..." \
60 /etc/ssh/ssh_host_dsa_key -t dsa
61}
62
63
64create_sshdconfig() {
65 if [ -e /etc/ssh/sshd_config ] ; then
66 if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
67 RET=true
68 test -e /usr/share/debconf/confmodule && {
69 db_get ssh/new_config
70 }
71 if [ "$RET" = "false" ] ; then return 0; fi
72 else return 0
73 fi
74 fi
75 RET=true
76 test -e /usr/share/debconf/confmodule && {
77 db_get ssh/protocol2_only
78 }
79
80 #Preserve old sshd_config before generating a new on
81 if [ -e /etc/ssh/sshd_config ] ; then
82 mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
83 fi
84
85 cat <<EOF > /etc/ssh/sshd_config
86# Package generated configuration file
87# See the sshd(8) manpage for defails
88
89# What ports, IPs and protocols we listen for
90Port 22
91# Use these options to restrict which interfaces/protocols sshd will bind to
92#ListenAddress ::
93#ListenAddress 0.0.0.0
94EOF
95if [ "$RET" = "false" ]; then
96 cat <<EOF >> /etc/ssh/sshd_config
97Protocol 2,1
98# HostKeys for protocol version 1
99HostKey /etc/ssh/ssh_host_key
100# HostKeys for protocol version 2
101HostKey /etc/ssh/ssh_host_rsa_key
102HostKey /etc/ssh/ssh_host_dsa_key
103EOF
104else
105 cat <<EOF >> /etc/ssh/sshd_config
106Protocol 2
107# HostKeys for protocol version 2
108HostKey /etc/ssh/ssh_host_rsa_key
109HostKey /etc/ssh/ssh_host_dsa_key
110EOF
111fi
112
113test -e /usr/share/debconf/confmodule && {
114 db_get ssh/privsep_ask
115}
116if [ "$RET" = "false" ]; then
117 cat <<EOF >> /etc/ssh/sshd_config
118#Explicitly set PrivSep off, as requested
119UsePrivilegeSeparation no
120
121# Use PAM authentication via keyboard-interactive so PAM modules can
122# properly interface with the user
123PAMAuthenticationViaKbdInt yes
124EOF
125else
126 cat <<EOF >> /etc/ssh/sshd_config
127#Privilege Separation is turned on for security
128UsePrivilegeSeparation yes
129
130# ...but breaks Pam auth via kbdint, so we have to turn it off
131# Use PAM authentication via keyboard-interactive so PAM modules can
132# properly interface with the user (off due to PrivSep)
133PAMAuthenticationViaKbdInt no
134EOF
135fi
136
137 cat <<EOF >> /etc/ssh/sshd_config
138# Lifetime and size of ephemeral version 1 server key
139KeyRegenerationInterval 3600
140ServerKeyBits 768
141
142# Logging
143SyslogFacility AUTH
144LogLevel INFO
145
146# Authentication:
147LoginGraceTime 600
148PermitRootLogin yes
149StrictModes yes
150
151RSAAuthentication yes
152PubkeyAuthentication yes
153#AuthorizedKeysFile %h/.ssh/authorized_keys
154
155# rhosts authentication should not be used
156RhostsAuthentication no
157# Don't read the user's ~/.rhosts and ~/.shosts files
158IgnoreRhosts yes
159# For this to work you will also need host keys in /etc/ssh_known_hosts
160RhostsRSAAuthentication no
161# similar for protocol version 2
162HostbasedAuthentication no
163# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
164#IgnoreUserKnownHosts yes
165
166# To enable empty passwords, change to yes (NOT RECOMMENDED)
167PermitEmptyPasswords no
168
169# Uncomment to disable s/key passwords
170#ChallengeResponseAuthentication no
171
172# To disable tunneled clear text passwords, change to no here!
173PasswordAuthentication yes
174
175
176# To change Kerberos options
177#KerberosAuthentication no
178#KerberosOrLocalPasswd yes
179#AFSTokenPassing no
180#KerberosTicketCleanup no
181
182# Kerberos TGT Passing does only work with the AFS kaserver
183#KerberosTgtPassing yes
184
185X11Forwarding no
186X11DisplayOffset 10
187PrintMotd no
188PrintLastLog yes
189KeepAlive yes
190#UseLogin no
191
192#MaxStartups 10:30:60
193#Banner /etc/issue.net
194#ReverseMappingCheck yes
195
196Subsystem sftp /usr/lib/sftp-server
197
198EOF
199}
200
201
202fix_rsh_diversion() {
203# get rid of mistaken rsh diversion (circa 1.2.27-1)
204
205 if [ -L /usr/bin/rsh ] &&
206 dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
207 for cmd in rlogin rsh rcp ; do
208 [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
209 dpkg-divert --package ssh --remove --rename \
210 --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
211
212 [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
213 dpkg-divert --package ssh --remove --rename \
214 --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
215 done
216
217 rmdir /usr/bin/rsh.real
218 fi
219}
220
221
222fix_statoverride() {
223# Remove an erronous override for sshd (we should have overridden ssh)
224 if [ -x /usr/sbin/dpkg-statoverride ]; then
225 if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
226 dpkg-statoverride --remove /usr/sbin/sshd
227 fi
228 fi
229}
230
231
232create_alternatives() {
233# Create alternatives for the various r* tools.
234# Make sure we don't change existing alternatives that a user might have
235# changed, but clean up after some old alternatives that mistakenly pointed
236# rlogin and rcp to ssh.
237 update-alternatives --quiet --remove rlogin /usr/bin/ssh
238 update-alternatives --quiet --remove rcp /usr/bin/ssh
239 for cmd in rsh rlogin rcp; do
240 scmd="s${cmd#r}"
241 if ! update-alternatives --display "$cmd" | \
242 grep -q "$scmd"; then
243 update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
244 --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
245 fi
246 done
247}
248
249setup_sshd_user() {
250 if ! getent passwd | grep -q '^sshd:'; then
251 adduser --quiet --system --no-create-home --home /var/run/sshd sshd
252 fi
253}
254
255set_sshd_permissions() {
256 suid=false
257
258 if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
259 if [ -x /usr/sbin/dpkg-statoverride ] ; then
260 if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
261 dpkg-statoverride --remove /usr/bin/ssh >/dev/null
262 fi
263 fi
264 fi
265
266 [ -e /usr/share/debconf/confmodule ] && {
267 db_get ssh/SUID_client
268 suid="$RET"
269 }
270 if [ ! -x /usr/sbin/dpkg-statoverride ] || \
271 ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
272 if [ "$suid" = "false" ] ; then
273 chmod 0755 /usr/lib/ssh-keysign
274 elif [ "$suid" = "true" ] ; then
275 chmod 4755 /usr/lib/ssh-keysign
276 fi
277 fi
278}
279
280
281fix_ssh_group() {
282 # Try to remove non-system group mistakenly created by 1:3.5p1-1.
283 # set_ssh_agent_permissions() below will re-create it properly.
284 if getent group | grep -q '^ssh:'; then
285 delgroup --quiet ssh || true
286 fi
287}
288
289
290set_ssh_agent_permissions() {
291 if ! getent group | grep -q '^ssh:'; then
292 addgroup --system --quiet ssh
293 fi
294 if ! [ -x /usr/sbin/dpkg-statoverride ] || \
295 ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
296 chgrp ssh /usr/bin/ssh-agent
297 chmod 2755 /usr/bin/ssh-agent
298 fi
299}
300
301
302setup_startup() {
303 start=yes
304 [ -e /usr/share/debconf/confmodule ] && {
305 db_get ssh/run_sshd
306 start="$RET"
307 }
308
309 if [ "$start" != "true" ] ; then
310 /etc/init.d/ssh stop 2>&1 >/dev/null
311 touch /etc/ssh/sshd_not_to_be_run
312 else
313 rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
314 fi
315}
316
317
318setup_init() {
319 if [ -e /etc/init.d/ssh ]; then
320 update-rc.d ssh defaults >/dev/null
321 /etc/init.d/ssh restart
322 fi
323}
324
325check_idea_key
326create_keys
327create_sshdconfig
328fix_rsh_diversion
329fix_statoverride
330create_alternatives
331setup_sshd_user
332set_sshd_permissions
333if [ "$2" = "1:3.5p1-1" ]; then fix_ssh_group; fi
334set_ssh_agent_permissions
335setup_startup
336setup_init
337
338
339[ -e /usr/share/debconf/confmodule ] && db_stop
340
341exit 0
342
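Review bot: In fix_rsh_diversion, line 212 tests /usr/man/man1/$cmd.1.gz but removes /usr/man/man1/$$cmd.1.gz; $$ expands to the shell's PID, so rm is given a path that does not exist, and because the script runs under #!/bin/sh -e the failing rm at the end of the && list aborts the whole postinst. It should read $cmd, as in the test on the same line. In the generated sshd_config, lines 148 and 173 write PermitRootLogin yes and PasswordAuthentication yes, so every fresh install accepts root logins by password; if that default is intended it needs a comment in the generated file and a mention in README.Debian. Two smaller points: RET is not reset before db_get ssh/privsep_ask on line 114, so without debconf the privsep choice silently reuses whatever the protocol2_only lookup left in RET, and on line 310 the redirections in 2>&1 >/dev/null are in the wrong order to silence stderr.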
diff --git a/debian/postinst.old b/debian/postinst.old
new file mode 100644
index 000000000..586da1cc6
--- /dev/null
+++ b/debian/postinst.old
@@ -0,0 +1,269 @@
1#!/bin/sh -e
2
3action="$1"
4oldversion="$2"
5
6test -e /usr/share/debconf/confmodule && {
7 . /usr/share/debconf/confmodule
8 db_version 2.0
9}
10
11
12if [ "$action" != configure ]
13 then
14 exit 0
15fi
16
17
18
19check_idea_key() {
20 #check for old host_key files using IDEA, which openssh does not support
21 if [ -f /etc/ssh/ssh_host_key ] ; then
22 if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
23 grep -q 'unknown cipher' 2>/dev/null ; then
24 mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
25 mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
26 fi
27 fi
28}
29
30
31create_key() {
32 local file="$1"
33 shift
34
35 if [ ! -f "$file" ] ; then
36 ( umask 022 ; \
37 ssh-keygen -f "$file" -N '' "$@" > /dev/null )
38 fi
39}
40
41
42create_keys() {
43 RET=true
44test -e /usr/share/debconf/confmodule && {
45 db_get ssh/protocol2_only
46}
47
48 if [ "$RET" = "false" ] ; then
49 echo "Creating SSH1 key"
50 create_key /etc/ssh/ssh_host_key
51fi
52
53 echo "Creating SSH2 RSA key"
54 create_key /etc/ssh/ssh_host_rsa_key -t rsa
55 echo "Creating SSH2 DSA key"
56 create_key /etc/ssh/ssh_host_dsa_key -t dsa
57}
58
59
60create_sshdconfig() {
61 [ -e /etc/ssh/sshd_config ] && return
62
63RET=true
64test -e /usr/share/debconf/confmodule && {
65 db_get ssh/protocol2_only
66}
67
68 cat <<EOF > /etc/ssh/sshd_config
69# Package generated configuration file
70# See the sshd(8) manpage for defails
71
72# What ports, IPs and protocols we listen for
73Port 22
74# Uncomment the next entry to accept IPv6 traffic.
75#ListenAddress ::
76#ListenAddress 0.0.0.0
77EOF
78if [ "$RET" = "false" ]; then
79 cat <<EOF >> /etc/ssh/sshd_config
80Protocol 2,1
81# HostKeys for protocol version 1
82HostKey /etc/ssh/ssh_host_key
83# HostKeys for protocol version 2
84HostKey /etc/ssh/ssh_host_rsa_key
85HostKey /etc/ssh/ssh_host_dsa_key
86EOF
87else
88 cat <<EOF >> /etc/ssh/sshd_config
89Protocol 2
90# HostKeys for protocol version 2
91HostKey /etc/ssh/ssh_host_rsa_key
92HostKey /etc/ssh/ssh_host_dsa_key
93EOF
94fi
95
96
97 cat <<EOF >> /etc/ssh/sshd_config
98# Lifetime and size of ephemeral version 1 server key
99KeyRegenerationInterval 3600
100ServerKeyBits 768
101
102# Logging
103SyslogFacility AUTH
104LogLevel INFO
105
106# Authentication:
107LoginGraceTime 600
108PermitRootLogin no
109StrictModes yes
110
111RSAAuthentication yes
112PubkeyAuthentication yes
113#AuthorizedKeysFile %h/.ssh/authorized_keys
114
115# rhosts authentication should not be used
116RhostsAuthentication no
117# Don't read the user's ~/.rhosts and ~/.shosts files
118IgnoreRhosts yes
119# For this to work you will also need host keys in /etc/ssh_known_hosts
120RhostsRSAAuthentication no
121# similar for protocol version 2
122HostbasedAuthentication no
123# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
124#IgnoreUserKnownHosts yes
125
126# To disable tunneled clear text passwords, change to no here!
127PermitEmptyPasswords no
128
129# Uncomment to disable s/key passwords
130#ChallengeResponseAuthentication no
131
132# Use PAM authentication via keyboard-interactive so PAM modules can
133# properly interface with the user
134PasswordAuthentication no
135PAMAuthenticationViaKbdInt yes
136
137# To change Kerberos options
138#KerberosAuthentication no
139#KerberosOrLocalPasswd yes
140#AFSTokenPassing no
141#KerberosTicketCleanup no
142
143# Kerberos TGT Passing does only work with the AFS kaserver
144#KerberosTgtPassing yes
145
146X11Forwarding no
147X11DisplayOffset 10
148PrintMotd no
149#PrintLastLog no
150KeepAlive yes
151#UseLogin no
152
153#MaxStartups 10:30:60
154#Banner /etc/issue.net
155#ReverseMappingCheck yes
156
157Subsystem sftp /usr/libexec/sftp-server
158EOF
159}
160
161
162fix_rsh_diversion() {
163# get rid of mistaken rsh diversion (circa 1.2.27-1)
164
165 if [ -L /usr/bin/rsh ] &&
166 dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
167 for cmd in rlogin rsh rcp ; do
168 [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
169 dpkg-divert --package ssh --remove --rename \
170 --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
171
172 [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
173 dpkg-divert --package ssh --remove --rename \
174 --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
175 done
176
177 rmdir /usr/bin/rsh.real
178 fi
179}
180
181
182fix_statoverride() {
183# Remove an erronous override for sshd (we should have overridden ssh)
184if [ -x /usr/sbin/dpkg-statoverride ]; then
185 if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
186 dpkg-statoverride --remote /usr/sbin/sshd
187 fi
188 fi
189}
190
191
192create_alternatives() {
193# Create alternatives for the various r* tools
194# Make sure we don't change existing alternatives that a user might have
195# changed
196 for cmd in rsh rlogin rcp ; do
197 if ! update-alternatives --display $cmd | \
198 grep -q ssh ; then
199 update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
200 --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
201 fi
202 done
203
204}
205
206
207set_sshd_permissions() {
208 suid=no
209
210 [ -e /usr/share/debconf/confmodule ] && {
211 db_get ssh/SUID_client
212 suid="$RET"
213 }
214
215 if [ "$suid" = "yes" ] ; then
216 if [ -x /usr/sbin/dpkg-statoverride ] && \
217 ! dpkg-statoverride /usr/bin/ssh ; then
218 dpkg-statoverride --add root root 04755 /usr/bin/ssh
219fi
220 fi
221}
222
223
224setup_startup() {
225 start=yes
226 [ -e /usr/share/debconf/confmodule ] && {
227 db_get ssh/run_sshd
228 start="$RET"
229 }
230
231 if [ "$start" != "true" ] ; then
232 touch /etc/ssh/sshd_not_to_be_run
233 else
234 rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
235 fi
236}
237
238
239setup_init() {
240if [ -e /etc/init.d/ssh ]; then
241 update-rc.d ssh defaults >/dev/null
242 /etc/init.d/ssh restart
243fi
244}
245
246check_idea_key
247create_keys
248create_sshdconfig
249fix_rsh_diversion
250fix_statoverride
251create_alternatives
252set_sshd_permissions
253setup_startup
254setup_init
255
256
257# Automatically added by dh_installdocs
258if [ "$1" = "configure" ]; then
259 if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
260 ln -sf ../share/doc/ssh /usr/doc/ssh
261 fi
262fi
263# End automatically added section
264
265
266[ -e /usr/share/debconf/confmodule ] && db_stop
267
268exit 0
269
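Review bot: fix_statoverride on line 186 passes --remote to dpkg-statoverride, which looks like a typo for --remove, and set_sshd_permissions on line 217 calls dpkg-statoverride /usr/bin/ssh with no action option where --list was presumably meant. The same function compares $suid against "yes" on line 215 while the other debconf answers in this script are compared against "true" and "false", so the setuid branch may never run. Line 172 also has the $$cmd typo. Since debian/postinst in this commit appears to supersede this file, consider not adding postinst.old to the tree at all instead of carrying a second copy with known defects.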
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 000000000..c76f662df
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,19 @@
1#!/bin/sh -e
2
3#DEBHELPER#
4
5if [ "$1" = "purge" ]
6then
7 rm -rf /etc/ssh
8fi
9
10if [ "$1" = "purge" ] ; then
11 update-rc.d ssh remove >/dev/null
12fi
13
14if [ "$1" = "purge" ] ; then
15 deluser --quiet sshd > /dev/null || true
16 delgroup --quiet ssh > /dev/null || true
17fi
18
19exit 0
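Review bot: The three consecutive if [ "$1" = "purge" ] blocks on lines 5 to 17 can be a single block, and #DEBHELPER# on line 3 sits before the package's own code whereas debian/prerm places it at the end; pick one ordering for both scripts. Since rm -rf /etc/ssh on line 7 removes the host keys together with the configuration, a one-line comment saying that this is deliberate on purge would help the next maintainer.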
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 000000000..320d4df2a
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,79 @@
1#!/bin/sh -e
2
3action=$1
4version=$2
5
6if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
7 version=1.2.27
8fi
9
10if [ "$action" = upgrade -o "$action" = install ]
11then
12 # check if debconf is missing
13 if ! test -f /usr/share/debconf/confmodule
14 then
15 cat <<EOF
16
17WARNING: ssh's pre-configuration script relies on debconf to tell you
18about some problems that might prevent you from logging in if you are
19upgrading from the old, Non-free version of ssh.
20
21If this is a new installation, you don't need to worry about this.
22Just go ahead and install ssh (make sure to read .../ssh/README.Debian).
23
24If you are upgrading, but you have alternative ways of logging into
25the machine (i.e. you're sitting in front of it, or you have telnetd
26running), then you also don't need to worry too much, because you can
27fix it up afterwards if there's a problem.
28
29If you're upgrading from an older (non-free) version of ssh, and ssh
30is the only way you have to access this machine, then you should
31probably abort the installation of ssh, install debconf, and then
32retry the installation of ssh.
33
34EOF
35 echo -n "Do you want to install SSH anyway [yN]: "
36 read input
37 expr "$input" : '[Yy]' >/dev/null || exit 1
38
39 # work around for missing debconf
40 db_get() { : ; }
41 RET=true
42 if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
43 cp -a /etc/ssh-nonfree /etc/ssh
44 fi
45 else
46 # Source debconf library.
47 . /usr/share/debconf/confmodule
48 db_version 2.0
49 fi
50
51 db_get ssh/use_old_init_script
52 if [ "$RET" = "false" ]; then
53 echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2
54 exit 1
55 fi
56
57 # deal with upgrading from pre-OpenSSH versions
58 key=/etc/ssh/ssh_host_key
59 export key
60 if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] &&
61 dpkg --compare-versions "$version" lt 1.2.28
62 then
63 # make sure that keys get updated to get rid of IDEA
64 #
65 # N.B. this only works because we've still got the old
66 # nonfree ssh-keygen at this point
67 #
68 # First, check if we need to bother
69 echo -en '\0\0' | 3<&0 sh -c \
70 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
71 # this means that bytes 32&33 of the key were not both zero, in which
72 # case the key is encrypted, which we need to fix
73 chmod 600 $key
74 ssh-keygen -u -f $key >/dev/null
75 }
76 fi
77fi
78
79#DEBHELPER#
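Review bot: Line 69 relies on echo -en '\0\0' in a #!/bin/sh script; -e and -n are not portable echo options, and with a shell whose echo does not honour them the bytes written to fd 3 are not two NULs, so the cmp against bytes 32 and 33 of the key reports a mismatch and ssh-keygen -u is run on a key that did not need it. printf '\0\0' is the portable form. The prompt on lines 35 to 37 also means an install without debconf and without a terminal exits 1; if that is the intended behaviour, say so in a comment next to the read.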
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 000000000..8ed7e07ec
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,44 @@
1#! /bin/sh
2# prerm script for ssh
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <prerm> `remove'
10# * <old-prerm> `upgrade' <new-version>
11# * <new-prerm> `failed-upgrade' <old-version>
12# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
13# * <deconfigured's-prerm> `deconfigure' `in-favour'
14# <package-being-installed> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17
18case "$1" in
19 remove|deconfigure)
20 update-alternatives --quiet --remove rsh /usr/bin/ssh
21 update-alternatives --quiet --remove rlogin /usr/bin/slogin
22 update-alternatives --quiet --remove rcp /usr/bin/scp
23 if [ -e /etc/init.d/ssh ]; then
24 /etc/init.d/ssh stop
25 fi
26# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
27 ;;
28 upgrade)
29# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
30 ;;
31 failed-upgrade)
32 ;;
33 *)
34 echo "prerm called with unknown argument \`$1'" >&2
35 exit 0
36 ;;
37esac
38
39# dh_installdeb will replace this with shell code automatically
40# generated by other debhelper scripts.
41
42#DEBHELPER#
43
44exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..dcf406f24
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,105 @@
1#!/usr/bin/make -f
2
3# Uncomment this to turn on verbose mode.
4# export DH_VERBOSE=1
5
6# This is the debhelper compatability version to use.
7export DH_COMPAT=1
8
9# This has to be exported to make some magic below work.
10export DH_OPTIONS
11
12#PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog)
13
14build: build-stamp
15build-stamp:
16 dh_testdir
17#Change the version string to include the Debian Version
18 if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \
19 then mv version.h version.h.upstream; mv version.h.new version.h; \
20 else echo "Version number change failed"; exit 1; \
21 fi
22 ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \
23 --with-privsep-path=/var/run/sshd --without-rand-helper
24 $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
25 SSH_KEYSIGN='/usr/lib/ssh-keysign'
26 # Support building on Debian 3.0 (with GNOME 1.4) and later.
27 if [ -f /usr/include/libgnomeui-2.0/gnome.h ]; then \
28 $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc -O2'; \
29 elif [ -f /usr/include/gnome-1.0/gnome.h ]; then \
30 $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'; \
31 fi
32
33 touch build-stamp
34
35clean:
36 dh_testdir
37 rm -f build-stamp
38 -$(MAKE) -i distclean
39 -$(MAKE) -C contrib clean
40 rm -f config.log
41 if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \
42 fi
43 dh_clean
44
45install: DH_OPTIONS=
46install: build
47 dh_testdir
48 dh_testroot
49 dh_clean -k
50 dh_installdirs
51
52 # Add here commands to install the package into debian/tmp.
53 $(MAKE) DESTDIR=`pwd`/debian/tmp install-nokeys
54
55 rm -f debian/tmp/etc/ssh/sshd_config
56 #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
57 rm -f debian/tmp/usr/share/Ssh.bin
58
59 install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
60 install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
61
62 if [ -f contrib/gnome-ssh-askpass2 ]; then \
63 install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass; \
64 elif [ -f contrib/gnome-ssh-askpass1 ]; then \
65 install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass; \
66 fi
67 install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1
68
69 install -m 755 debian/ssh-argv0 debian/tmp/usr/bin/ssh-argv0
70 install -m 644 debian/ssh-argv0.1 debian/tmp/usr/share/man/man1/ssh-argv0.1
71
72 install -o root -g root debian/init debian/tmp/etc/init.d/ssh
73 install -o root -g root -m 644 debian/ssh.default debian/tmp/etc/default/ssh
74
75 install -o root -g root -m 755 -d debian/tmp/var/run/sshd
76
77# Build architecture-independent files here.
78binary-indep: build install
79 # nothing to do
80
81# Build architecture-dependent files here.
82binary-arch: build install
83 dh_testdir
84 dh_testroot
85 dh_installdebconf
86 dh_installdocs OVERVIEW README
87 cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
88 nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
89 gzip -9 debian/tmp/usr/share/doc/ssh/RFC
90 rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
91 dh_installpam
92 dh_installchangelogs ChangeLog
93 dh_strip
94 dh_compress
95 dh_fixperms
96 dh_installdeb
97 test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
98 || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
99 dh_shlibdeps
100 dh_gencontrol
101 dh_md5sums
102 dh_builddeb
103
104binary: binary-indep binary-arch
105.PHONY: build clean binary-indep binary-arch binary install
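Review bot: On line 24 the CFLAGS carry -D__FILE_OFFSET_BITS=64; glibc's large-file switch is _FILE_OFFSET_BITS with a single leading underscore, so as written this define looks like it has no effect. Please confirm which macro is intended. Smaller points: line 72 installs debian/init without an explicit -m while the neighbouring install lines set one, so add -m 755 for consistency; -j 2 is hard-coded on line 24; and the sed on line 18 appends the Debian revision to the version string, which deserves a comment stating that exposing the exact package revision to anyone who can read that string is deliberate.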
diff --git a/debian/ssh-argv0 b/debian/ssh-argv0
new file mode 100644
index 000000000..67599aec2
--- /dev/null
+++ b/debian/ssh-argv0
@@ -0,0 +1,30 @@
1#! /bin/sh -e
2
3# Copyright (c) 2001 Jonathan Amery.
4#
5# Redistribution and use in source and binary forms, with or without
6# modification, are permitted provided that the following conditions
7# are met:
8# 1. Redistributions of source code must retain the above copyright
9# notice, this list of conditions and the following disclaimer.
10# 2. Redistributions in binary form must reproduce the above copyright
11# notice, this list of conditions and the following disclaimer in the
12# documentation and/or other materials provided with the distribution.
13#
14# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
25if [ "${0##*/}" = "ssh-argv0" ]
26then
27 echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2
28 exit 1
29fi
30exec ssh "${0##*/}" "$@"
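Review bot: Line 30 passes the link's basename to ssh as its first argument without validating it, so a link whose name begins with - is parsed by ssh as an option instead of a hostname. Add a guard next to the existing name check on line 25 that rejects such names, for example a case "${0##*/}" in -*) branch that prints an error to stderr and exits 1. The ssh-argv0(1) page should then mention the restriction.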
diff --git a/debian/ssh-argv0.1 b/debian/ssh-argv0.1
new file mode 100644
index 000000000..a36a63d40
--- /dev/null
+++ b/debian/ssh-argv0.1
@@ -0,0 +1,64 @@
1.Dd September 7, 2001
2.Dt SSH-ARGV0 1
3.Os Debian Project
4.Sh NAME
5.Nm ssh-argv0
6.Nd replaces the old ssh command-name as hostname handling
7.Sh SYNOPSIS
8.Ar hostname | user@hostname
9.Op Fl l Ar login_name
10.Op Ar command
11.Pp
12.Ar hostname | user@hostname
13.Op Fl afgknqstvxACNTX1246
14.Op Fl b Ar bind_address
15.Op Fl c Ar cipher_spec
16.Op Fl e Ar escape_char
17.Op Fl i Ar identity_file
18.Op Fl l Ar login_name
19.Op Fl m Ar mac_spec
20.Op Fl o Ar option
21.Op Fl p Ar port
22.Op Fl F Ar configfile
23.Oo Fl L Xo
24.Sm off
25.Ar port :
26.Ar host :
27.Ar hostport
28.Sm on
29.Xc
30.Oc
31.Oo Fl R Xo
32.Sm off
33.Ar port :
34.Ar host :
35.Ar hostport
36.Sm on
37.Xc
38.Oc
39.Op Fl D Ar port
40.Op Ar command
41.Sh DESCRIPTION
42.Nm
43replaces the old ssh command-name as hostname handling.
44If you link to this script with a hostname then executing the link is
45equivalent to having executed ssh with that hostname as an argument.
46All other arguments are passed to ssh and will be processed normally.
47.Sh OPTIONS
48See
49.Xr ssh 1 .
50.Sh FILES
51See
52.Xr ssh 1 .
53.Sh AUTHORS
54OpenSSH is a derivative of the original and free
55ssh 1.2.12 release by Tatu Ylonen.
56Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
57Theo de Raadt and Dug Song
58removed many bugs, re-added newer features and
59created OpenSSH.
60Markus Friedl contributed the support for SSH
61protocol versions 1.5 and 2.0.
62Jonathan Amery wrote this ssh-argv0 script and the associated documentation.
63.Sh SEE ALSO
64.Xr ssh 1
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright
new file mode 100644
index 000000000..4a71dda00
--- /dev/null
+++ b/debian/ssh-askpass-gnome.copyright
@@ -0,0 +1,44 @@
1This package contains a Gnome based implementation of ssh-askpass
2written by Damien Miller.
3
4It is split out from the main package to isolate the dependency on the
5Gnome and X11 libraries.
6
7It was packaged for Debian by Philip Hands <phil@hands.com>.
8
9Copyright:
10
11/*
12**
13** GNOME ssh passphrase requestor
14**
15** Damien Miller <djm@ibs.com.au>
16**
17** Copyright 1999 Internet Business Solutions
18**
19** Permission is hereby granted, free of charge, to any person
20** obtaining a copy of this software and associated documentation
21** files (the "Software"), to deal in the Software without
22** restriction, including without limitation the rights to use, copy,
23** modify, merge, publish, distribute, sublicense, and/or sell copies
24** of the Software, and to permit persons to whom the Software is
25** furnished to do so, subject to the following conditions:
26**
27** The above copyright notice and this permission notice shall be
28** included in all copies or substantial portions of the Software.
29**
30** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
31** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
32** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
33** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET
34** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
36** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
37** OR OTHER DEALINGS IN THE SOFTWARE.
38**
39** Except as contained in this notice, the name of Internet Business
40** Solutions shall not be used in advertising or otherwise to promote
41** the sale, use or other dealings in this Software without prior
42** written authorization from Internet Business Solutions.
43**
44*/
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
new file mode 100644
index 000000000..4d0ee7a32
--- /dev/null
+++ b/debian/ssh-askpass-gnome.dirs
@@ -0,0 +1,2 @@
1usr/lib/ssh
2usr/share/man/man1
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst
new file mode 100644
index 000000000..7441cca29
--- /dev/null
+++ b/debian/ssh-askpass-gnome.postinst
@@ -0,0 +1,53 @@
1#! /bin/sh
2# postinst script for ssh-askpass-gnome
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <postinst> `configure' <most-recently-configured-version>
10# * <old-postinst> `abort-upgrade' <new version>
11# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
12# <new-version>
13# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
14# <failed-install-package> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17#
18# quoting from the policy:
19# Any necessary prompting should almost always be confined to the
20# post-installation script, and should be protected with a conditional
21# so that unnecessary prompting doesn't happen if a package's
22# installation fails and the `postinst' is called with `abort-upgrade',
23# `abort-remove' or `abort-deconfigure'.
24
25case "$1" in
26 configure)
27 update-alternatives --quiet \
28 --install /usr/bin/ssh-askpass ssh-askpass \
29 /usr/lib/ssh/gnome-ssh-askpass 30 \
30 --slave /usr/share/man/man1/ssh-askpass.1.gz \
31 ssh-askpass.1.gz /usr/share/man/man1/gnome-ssh-askpass.1.gz
32
33
34 ;;
35
36 abort-upgrade|abort-remove|abort-deconfigure)
37
38 ;;
39
40 *)
41 echo "postinst called with unknown argument \`$1'" >&2
42 exit 0
43 ;;
44esac
45
46# dh_installdeb will replace this with shell code automatically
47# generated by other debhelper scripts.
48
49#DEBHELPER#
50
51exit 0
52
53
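Review bot: in the catch-all branch (lines 40-43) the script prints "postinst called with unknown argument" to stderr and then runs exit 0, so dpkg records success for an invocation the script did not understand. Return a non-zero status there, or if the zero status is deliberate, say why in a comment. The two blank lines at 32-33 inside the configure branch can also be dropped.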
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm
new file mode 100644
index 000000000..6f3f5756d
--- /dev/null
+++ b/debian/ssh-askpass-gnome.prerm
@@ -0,0 +1,41 @@
1#! /bin/sh
2# prerm script for ssh-askpass-gnome
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <prerm> `remove'
10# * <old-prerm> `upgrade' <new-version>
11# * <new-prerm> `failed-upgrade' <old-version>
12# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
13# * <deconfigured's-prerm> `deconfigure' `in-favour'
14# <package-being-installed> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17
18case "$1" in
19 remove|deconfigure)
20 update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass
21# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
22 ;;
23 upgrade)
24# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
25 ;;
26 failed-upgrade)
27 ;;
28 *)
29 echo "prerm called with unknown argument \`$1'" >&2
30 exit 0
31 ;;
32esac
33
34# dh_installdeb will replace this with shell code automatically
35# generated by other debhelper scripts.
36
37#DEBHELPER#
38
39exit 0
40
41
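Review bot: the commented-out install-info calls at lines 21 and 24 are dead code and leave the upgrade branch with no command at all; remove them, or replace them with one comment explaining why nothing needs to happen on upgrade. As in the postinst, the unknown-argument branch at lines 28-31 reports an error and then exits 0.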
diff --git a/debian/ssh.default b/debian/ssh.default
new file mode 100644
index 000000000..aa03c4e07
--- /dev/null
+++ b/debian/ssh.default
@@ -0,0 +1,5 @@
1# Default settings for ssh. This file is sourced by /bin/sh from
2# /etc/init.d/ssh.
3
4# Options to pass to sshd
5SSHD_OPTS=
diff --git a/debian/ssh.pam b/debian/ssh.pam
new file mode 100644
index 000000000..f6fbd3ebc
--- /dev/null
+++ b/debian/ssh.pam
@@ -0,0 +1,21 @@
1#%PAM-1.0
2auth required pam_nologin.so
3auth required pam_unix.so
4auth required pam_env.so # [1]
5
6account required pam_unix.so
7
8session required pam_unix.so
9session optional pam_motd.so # [1]
10session optional pam_mail.so standard noenv # [1]
11session required pam_limits.so
12
13password required pam_unix.so
14
15# Alternate strength checking for password. Note that this
16# requires the libpam-cracklib package to be installed.
17# You will need to comment out the password line above and
18# uncomment the next two in order to use this.
19#
20# password required pam_cracklib.so retry=3 minlen=6 difok=3
21# password required pam_unix.so use_authtok nullok md5
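Review bot: the "# [1]" markers on lines 4, 9 and 10 refer to a footnote that this file never defines, so an administrator editing the stack cannot tell what they flag. Add the footnote text as a comment in this file or name the document that carries it. The commented alternative at lines 20-21 would also benefit from a word on minlen=6 and nullok, since the active password line at 13 sets neither.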
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..ea8565d29
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,163 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation
5 option. This significantly reduces the quantity of code that runs as
6 root, and therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any
9 PAM session modules that need to run as root (pam_mkhomedir, for
10 example) will fail, and PAM keyboard-interactive authentication
11 won't work.
12 .
13 Privilege separation is turned on by default, so if you decide you
14 want it turned off, you need to add "UsePrivilegeSeparation no" to
15 /etc/ssh/sshd_config.
16 .
17 NB! If you are running a 2.0 series Linux kernel, then privilege
18 separation will not work at all, and your sshd will fail to start
19 unless you explicitly turn privilege separation off.
20
21Template: ssh/privsep_ask
22Type: boolean
23Default: true
24Description: Enable Privilege separation
25 This version of OpenSSH contains the new privilege separation
26 option. This significantly reduces the quantity of code that runs as
27 root, and therefore reduces the impact of security holes in sshd.
28 .
29 Unfortunately, privilege separation interacts badly with PAM. Any
30 PAM session modules that need to run as root (pam_mkhomedir, for
31 example) will fail, and PAM keyboard-interactive authentication
32 won't work.
33 .
34 Since you've opted to have me generate an sshd_config file for you,
35 you can choose whether or not to have Privilege Separation turned on
36 or not. Unless you are running 2.0 (in which case you *must* say no
37 here or your sshd won't start at all) or know you need to use PAM
38 features that won't work with this option, you should say yes here.
39
40Template: ssh/new_config
41Type: boolean
42Default: true
43Description: Generate new configuration file
44 This version of OpenSSH has a considerably changed configuration file from
45 the version shipped in Debian 'Potato', which you appear to be upgrading from.
46 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
47 will work with the new server version, but will not contain any customisations
48 you made with the old version.
49 .
50 Please note that this new configuration file will set the value of
51 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
52 ssh directly in as root). It is the opinion of the maintainer that this is
53 the correct default (see README.Debian for more details), but you can always
54 edit sshd_config and set it to no if you wish.
55 .
56 It is strongly recommended that you let me generate a new configuration file
57 for you.
58
59Template: ssh/protocol2_only
60Type: boolean
61Default: true
62Description: Allow SSH protocol 2 only
63 This version of OpenSSH supports version 2 of the ssh protocol, which
64 is much more secure. Disabling ssh 1 is encouraged, however this
65 will slow things down on low end machines and might prevent older
66 clients from connecting (the ssh client shipped with "potato" is affected).
67 .
68 Also please note that keys used for protocol 1 are different so you will
69 not be able to use them if you only allow protocol 2 connections.
70 .
71 If you later change your mind about this setting, README.Debian has
72 instructions on what to do to your sshd_config file.
73
74Template: ssh/ssh2_keys_merged
75Type: note
76Description: ssh2 keys merged in configuration files
77 As of version 3 OpenSSH no longer uses separate files for ssh1 and
78 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
79 are no longer needed. They will still be read in order to maintain
80 backwards compatibility
81
82Template: ssh/use_old_init_script
83Type: boolean
84Default: false
85Description: Do you want to continue (and risk killing active ssh sessions) ?
86 The version of /etc/init.d/ssh that you have installed, is likely to kill
87 all running sshd instances. If you are doing this upgrade via an ssh
88 session, that would be a Bad Thing(tm).
89 .
90 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
91 start-stop-daemon line in the stop section of the file.
92
93Template: ssh/forward_warning
94Type: note
95Description: NOTE: Forwarding of X11 and Authorization disabled by default.
96 For security reasons, the Debian version of ssh has ForwardX11 and
97 ForwardAgent set to ``off'' by default.
98 .
99 You can enable it for servers you trust, either
100 in one of the configuration files, or with the -X command line option.
101 .
102 More details can be found in /usr/share/doc/ssh/README.Debian
103
104Template: ssh/insecure_rshd
105Type: note
106Description: Warning: rsh-server is installed --- probably not a good idea
107 having rsh-server installed undermines the security that you were probably
108 wanting to obtain by installing ssh. I'd advise you to remove that package.
109
110Template: ssh/insecure_telnetd
111Type: note
112Description: Warning: telnetd is installed --- probably not a good idea
113 I'd advise you to either remove the telnetd package (if you don't actually
114 need to offer telnet access) or install telnetd-ssl so that there is at
115 least some chance that telnet sessions will not be sending unencrypted
116 login/password and session information over the network.
117
118Template: ssh/encrypted_host_key_but_no_keygen
119Type: note
120Description: Warning: you must create a new host key
121 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
122 OpenSSH can not handle this host key file, and I can't find the
123 ssh-keygen utility from the old (non-free) SSH installation.
124 .
125 You will need to generate a new host key.
126
127Template: ssh/SUID_client
128Type: boolean
129Default: true
130Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
131 You have the option of installing the ssh-keysign helper with the SUID
132 bit set.
133 .
134 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
135 host-based authentication.
136 .
137 If in doubt, I suggest you install it with SUID. If it causes
138 problems you can change your mind later by running: dpkg-reconfigure ssh
139
140Template: ssh/run_sshd
141Type: boolean
142Default: true
143Description: Do you want to run the sshd server ?
144 This package contains both the ssh client, and the sshd server.
145 .
146 Normally the sshd Secure Shell Server will be run to allow remote
147 logins via ssh.
148 .
149 If you are only interested in using the ssh client for outbound
150 connections on this machine, and don't want to log into it at all
151 using ssh, then you can disable sshd here.
152
153Template: ssh/user_environment_tell
154Type: note
155Description: Environment options on keys have been deprecated
156 This version of OpenSSH disables the environment option for public keys by
157 default, in order to avoid certain attacks (for example, LD_PRELOAD). If
158 you are using this option in an authorized_keys file, beware that the keys
159 in question will no longer work until the option is removed.
160 .
161 To re-enable this option, set "PermitUserEnvironment yes" in
162 /etc/ssh/sshd_config after the upgrade is complete, taking note of the
163 warning in the sshd_config(5) manual page.
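Review bot: ssh/new_config names the generated file /etc/ssh/sshd.config on line 46, while lines 15, 54 and 72 of the same file call it sshd_config; use /etc/ssh/sshd_config throughout so the prompt names the file the user is later told to edit. Smaller wording points: ssh/privsep_ask says "whether or not ... or not" (lines 35-36), ssh/ssh2_keys_merged ends without a full stop (line 80), and ssh/forward_warning covers both ForwardX11 and ForwardAgent but mentions only the -X option (lines 96-100).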
diff --git a/debian/templates.da b/debian/templates.da
new file mode 100644
index 000000000..b8fc9be18
--- /dev/null
+++ b/debian/templates.da
@@ -0,0 +1,253 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation option. This
5 significantly reduces the quantity of code that runs as root, and
6 therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any PAM
9 session modules that need to run as root (pam_mkhomedir, for example) will
10 fail, and PAM keyboard-interactive authentication won't work.
11 .
12 Privilege separation is turned on by default, so if you decide you want it
13 turned off, you need to add "UsePrivilegeSeparation no" to
14 /etc/ssh/sshd_config.
15 .
16 NB! If you are running a 2.0 series Linux kernel, then privilege
17 separation will not work at all, and your sshd will fail to start unless
18 you explicitly turn privilege separation off.
19Description-da: Privilegie adskillelse
20 Denne version af OpenSSH indeholder den nye privilegie adskillelses
21 mulighed. Det reducerer markant mФngden af kode der kЬrer som root, og
22 derfor reducerer det impakten pЕ sikkerheds huller i sshd.
23 .
24 DesvФrre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul
25 der skal kЬres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM
26 tastatur-interaktive autentifikationer vil ikke virke.
27 .
28 Privilegie adskillelse er slЕet til som standard, sЕ hvis du beslutter at
29 slЕ det fra, skal du bruge "UsePrivilegeSeparation no" i
30 /etc/ssh/sshd_config.
31
32Template: ssh/privsep_ask
33Type: boolean
34Default: true
35Description: Enable Privilege separation
36 This version of OpenSSH contains the new privilege separation option. This
37 significantly reduces the quantity of code that runs as root, and
38 therefore reduces the impact of security holes in sshd.
39 .
40 Unfortunately, privilege separation interacts badly with PAM. Any PAM
41 session modules that need to run as root (pam_mkhomedir, for example) will
42 fail, and PAM keyboard-interactive authentication won't work.
43 .
44 Since you've opted to have me generate an sshd_config file for you, you
45 can choose whether or not to have Privilege Separation turned on or not.
46 Unless you are running 2.0 (in which case you *must* say no here or your
47 sshd won't start at all) or know you need to use PAM features that won't
48 work with this option, you should say yes here.
49Description-da: Aktiver Privilegie adskillelse
50 Denne version af OpenSSH indeholder den nye privilegie adskillelses
51 mulighed. Det reducerer markant mФngden af kode der kЬrer som root, og
52 derfor reducerer det impakten pЕ sikkerheds huller i sshd.
53 .
54 DesvФrre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul
55 der skal kЬres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM
56 tastatur-interaktive autentifikationer vil ikke virke.
57 .
58 Siden du har bedt mig om at lave en sshd_config fil til dig, kan du vФlge
59 om du vil have privilegie adskillelse slЕet til eller ej. Medmindre du
60 kЬrer 2.0 (i hvilket tilfФlde du *skal* sige nej her, ellers vil din sshd
61 slet ikke starte) eller ved at du skal bruge PAM funktioner som ikke vil
62 virke med dette tilvalg, skal du sige ja her.
63
64Template: ssh/new_config
65Type: boolean
66Default: true
67Description: Generate new configuration file
68 This version of OpenSSH has a considerably changed configuration file from
69 the version shipped in Debian 'Potato', which you appear to be upgrading
70 from. I can now generate you a new configuration file
71 (/etc/ssh/sshd.config), which will work with the new server version, but
72 will not contain any customisations you made with the old version.
73 .
74 Please note that this new configuration file will set the value of
75 'PermitRootLogin' to yes (meaning that anyone knowing the root password
76 can ssh directly in as root). It is the opinion of the maintainer that
77 this is the correct default (see README.Debian for more details), but you
78 can always edit sshd_config and set it to no if you wish.
79 .
80 It is strongly recommended that you let me generate a new configuration
81 file for you.
82Description-da: Opret ny konfigurations fil
83 Denne version af OpenSSH har en betydeligt Фndret konfigurations fil fra
84 den version der kom med Debian 'Potato', som du ser ud til at opgradere fra.
85 Jeg kan nu oprette en ny konfigurations fil (//etc/ssh/sshd.config), som
86 vil virke med den nye server version, men det vil ikke beholde eventuelle
87 Фndringer du lavede med den gamle version.
88 .
89 Venligst bemФrk at den nye konfigurations fil vil sФtte vФrdien af
90 'PermitRootLogin' til ja (som betyder at alle der kender roots password,
91 kan tilgЕ maskinen via ssh direkte). Det er vedligeholderens mening, at det
92 er den korrekte standard-vФrdi (se README.Debian for flere detaljer), men
93 du kan altid redigere sshd_config og slЕ det fra, hvis du Ьnsker.
94 .
95 Du rЕdes stФrkt til at lade mig genere en ny konfigurations fil for dig.
96
97Template: ssh/protocol2_only
98Type: boolean
99Default: true
100Description: Allow SSH protocol 2 only
101 This version of OpenSSH supports version 2 of the ssh protocol, which is
102 much more secure. Disabling ssh 1 is encouraged, however this will slow
103 things down on low end machines and might prevent older clients from
104 connecting (the ssh client shipped with "potato" is affected).
105 .
106 Also please note that keys used for protocol 1 are different so you will
107 not be able to use them if you only allow protocol 2 connections.
108 .
109 If you later change your mind about this setting, README.Debian has
110 instructions on what to do to your sshd_config file.
111Description-da: Tillad kun SSH protokol 2
112 Denne udgave af OpenSSH understЬtter version 2 af ssh-protokollen, som er
113 betydeligt mere sikker. Det anbefales af deaktivere version 1. Dog kan det
114 slЬve langsomme maskiner, og forhindre Фldre klienter i at opnЕ
115 forbindelse (ssh klienten der kommer med "potato" er en af dem).
116 .
117 Du skal ogsЕ bemФrke at de nЬgler som bliver anvendt til protokol 1 er
118 forskellige, sЕ du vil ikke Фvre i stand til at bruge dem, hvis du kun
119 tillader protokol 2 forbindelser.
120 .
121 Hvis du senere Фndrer din mening om denne indstilling, har README.Debian
122 instruktioner pЕ hvad du skal gЬre ved din sshd_config fil.
123
124Template: ssh/ssh2_keys_merged
125Type: note
126Description: ssh2 keys merged in configuration files
127 As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
128 keys. This means the authorized_keys2 and known_hosts2 files are no longer
129 needed. They will still be read in order to maintain backwards
130 compatibility
131Description-da: ssh2-nЬgler flettet i opsФtningsfilerne
132 Siden version 3 har OpenSSH ikke lФngere separate filer for ssh1- og
133 ssh2-nЬgler. Det betyder, at filerne authorized_keys2 og known_hosts2 ikke
134 lФngere er nЬdvendige. De vil stadig dog stadig blive lФst for
135 bagudkompatilitetens skyld.
136
137Template: ssh/use_old_init_script
138Type: boolean
139Default: false
140Description: Do you want to continue (and risk killing active ssh sessions) ?
141 The version of /etc/init.d/ssh that you have installed, is likely to kill
142 all running sshd instances. If you are doing this upgrade via an ssh
143 session, that would be a Bad Thing(tm).
144 .
145 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
146 start-stop-daemon line in the stop section of the file.
147Description-da: Vil du fortsФtte (og risikere at afbryde aktive ssh-forbindelser)?
148 Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis
149 afbryde alle sshd-dФmoner. Det vil vФre en rigtigt dЕrlig idИ, hvis du er
150 ved at opgradering via en ssh-forbindelse.
151 .
152 Du kan afhjФlpe dette ved at tilfЬje "--pidfile /var/run/sshd.pid" til
153 'start-stop-daemon'-linjen i stop-afsnittet af filen.
154
155Template: ssh/forward_warning
156Type: note
157Description: NOTE: Forwarding of X11 and Authorization disabled by default.
158 For security reasons, the Debian version of ssh has ForwardX11 and
159 ForwardAgent set to ``off'' by default.
160 .
161 You can enable it for servers you trust, either in one of the
162 configuration files, or with the -X command line option.
163 .
164 More details can be found in /usr/share/doc/ssh/README.Debian
165Description-da: BEMфRK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret.
166 Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og
167 ForwardAgent til 'off' som standard.
168 .
169 Du kan aktivere dem for servere, du stoler pЕ i en af opsФtningsfilerne
170 eller med kommandolinjetilvalget '-X'.
171
172Template: ssh/insecure_rshd
173Type: note
174Description: Warning: rsh-server is installed --- probably not a good idea
175 having rsh-server installed undermines the security that you were probably
176 wanting to obtain by installing ssh. I'd advise you to remove that
177 package.
178Description-da: Advarsel: rsh-serveren er installeret --- sikkert ikke en god idИ
179 Den sikkerhed, du nok Ьnskede at opnЕ ved at installere ssh undermineres
180 ved, at du har rsh-server installeret. Jeg vil rЕde dig til at fjerne
181 pakken rsh-server.
182
183Template: ssh/insecure_telnetd
184Type: note
185Description: Warning: telnetd is installed --- probably not a good idea
186 I'd advise you to either remove the telnetd package (if you don't actually
187 need to offer telnet access) or install telnetd-ssl so that there is at
188 least some chance that telnet sessions will not be sending unencrypted
189 login/password and session information over the network.
190Description-da: Advarsel: telnetd er installeret --- sikkert ikke en god idИ
191 Jeg vil rЕde dig til enten at fjerne pakken telnetd (hvis du i
192 virkeligheden ikke har brug for at tilbyde telnet-adgang) eller installere
193 telnetd-ssl, sЕ der i det mindste er en mulighed for, at telnet-sessioner
194 ikke sender adgangskoder og sessions-oplysninger ukrypteret over
195 netvФrket.
196
197Template: ssh/encrypted_host_key_but_no_keygen
198Type: note
199Description: Warning: you must create a new host key
200 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
201 can not handle this host key file, and I can't find the ssh-keygen utility
202 from the old (non-free) SSH installation.
203 .
204 You will need to generate a new host key.
205Description-da: Advarsel: du skal oprette en ny vФrtsnЬgle
206 Der ligger en gammel, IDEA-krypteret /etc/ssh/ssh_host_key. OpenSSH kan
207 ikke hЕndtere sЕdan en vФrtsnЬglefil, og jeg kan ikke finde vФrktЬjet
208 ssh-keygen fra den gamle (ikke-frie, 'non-free') SSH-installation.
209
210Template: ssh/SUID_client
211Type: boolean
212Default: true
213Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
214 You have the option of installing the ssh-keysign helper with the SUID bit
215 set.
216 .
217 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
218 host-based authentication.
219 .
220 If in doubt, I suggest you install it with SUID. If it causes problems
221 you can change your mind later by running: dpkg-reconfigure ssh
222Description-da: Vil du have, at /usr/bin/ssh-keysign bliver installeret 'SUID root'?
223 Du har mulighed for at installere ssh-keysign hjФlperen med SUID-flaget
224 sat.
225 .
226 Hvis du gЬr ssh-keysign SUID, vil du blive i stand til at benytte SSH
227 protokol 2's vФrtsnavn-baserede autentifikation.
228 .
229 Hvis du er i tvivl, vil jeg rЕde dig til at installere den med SUID. Hvis
230 det skaber problemer, kan du Фndre det tilbage igen ved at kЬre:
231 dpkg-reconfigure ssh
232
233Template: ssh/run_sshd
234Type: boolean
235Default: true
236Description: Do you want to run the sshd server ?
237 This package contains both the ssh client, and the sshd server.
238 .
239 Normally the sshd Secure Shell Server will be run to allow remote logins
240 via ssh.
241 .
242 If you are only interested in using the ssh client for outbound
243 connections on this machine, and don't want to log into it at all using
244 ssh, then you can disable sshd here.
245Description-da: Vil du kЬre sshd-serveren?
246 Denne pakke indeholder bЕde ssh-klienten og sshd-serveren.
247 .
248 Normalt vil sshd sikker skalserver ('Secure Shell Server') blive aktiveret
249 og tillade fjerne brugere i at logge pЕ via ssh.
250 .
251 Hvis du udelukkende er interesseret i at bruge ssh-klienten til udgЕende
252 forbindelser fra denne maskine, og ikke Ьnsker at tilgЕ denne maskine
253 udefra via ssh, kan du nu deaktivere sshd.
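Review bot: the Danish ssh/SUID_client prompt on line 222 asks about /usr/bin/ssh-keysign, but the English text on line 213 names /usr/lib/ssh-keysign; a prompt about installing a binary SUID root should name the same path in every language. Several translations are also shorter than their originals: Description-da for ssh/privsep_tell (lines 19-30) has no counterpart of the 2.0 kernel warning at lines 16-18, ssh/encrypted_host_key_but_no_keygen (lines 205-208) omits the instruction to generate a new host key, and ssh/forward_warning (lines 165-170) omits the README.Debian pointer. Line 85 carries the sshd.config spelling with a doubled leading slash.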
diff --git a/debian/templates.de b/debian/templates.de
new file mode 100644
index 000000000..5feb24cd9
--- /dev/null
+++ b/debian/templates.de
@@ -0,0 +1,95 @@
1Template: ssh/use_old_init_script
2Type: boolean
3Default: false
4Description: Do you want to continue (and risk killing active ssh sessions) ?
5 The version of /etc/init.d/ssh that you have installed, is likely to kill
6 all running sshd instances. If you are doing this upgrade via an ssh
7 session, that would be a Bad Thing(tm).
8 .
9 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
10 start-stop-daemon line in the stop section of the file.
11Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
12 Die Version von /etc/init.d/ssh, die Sie installiert haben, wird
13 vermutlich Ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
14 via ssh erledigen, dann ist das ein Problem.
15 .
16 Sie kЖnnen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
17 an die start-stop-daemon Zeile in dem Bereich stop der Datei
18 /etc/init.d/ssh ergДnzen.
19
20Template: ssh/forward_warning
21Type: note
22Description: NOTE: Forwarding of X11 and Authorization disabled by default.
23 For security reasons, the Debian version of ssh has ForwardX11 and
24 ForwardAgent set to ``off'' by default.
25 .
26 You can enable it for servers you trust, either
27 in one of the configuration files, or with the -X command line option.
28 .
29 More details can be found in /usr/share/doc/ssh/README.Debian
30Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
31 Aus SicherheitsgrЭnden sind die Debian Pakete von ssh ForwardX11 und
32 ForwardAgent auf "off" gesetzt.
33 .
34 Sie kЖnnen dies fЭr Server, denen Sie trauen, entweder per Eintrag in
35 die Konfigurations Dateien oder per Kommando-Zeilen Option -X Дndern.
36 .
37 Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
38
39Template: ssh/insecure_rshd
40Type: note
41Description: Warning: rsh-server is installed --- probably not a good idea
42 having rsh-server installed undermines the security that you were probably
43 wanting to obtain by installing ssh. I'd advise you to remove that package.
44Description-de: Warnung: rsh-server ist installiert --- mЖglicherweise
45 ist es eine schlechte Idee, den rsh-server installiert zu haben, da er
46 die Sicherheit untergrДbt. Wir empfehlen, das Paket zu entfernen.
47
48Template: ssh/insecure_telnetd
49Type: note
50Description: Warning: telnetd is installed --- probably not a good idea
51 I'd advise you to either remove the telnetd package (if you don't actually
52 need to offer telnet access) or install telnetd-ssl so that there is at
53 least some chance that telnet sessions will not be sending unencrypted
54 login/password and session information over the network.
55Description-de: Warnung: telnetd ist installiert --- schlechte Idee
56 Wir empfehlen das telnetd Paket zu entfernen (falls Sie keinen telnet Zugang
57 anbieten) oder telnetd-ssl zu installieren, so daъ Sie verhindern kЖnnen,
58 daъ Login und Password unverschlЭsselt durch das Netz gesendet
59 werden.
60
61Template: ssh/encrypted_host_key_but_no_keygen
62Type: note
63Description: Warning: you must create a new host key
64 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
65 OpenSSH can not handle this host key file, and I can't find the
66 ssh-keygen utility from the old (non-free) SSH installation.
67 .
68 You will need to generate a new host key.
69Description-de: Warnung: Sie mЭssen einen neuen Host Key erzeugen
70 Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
71 per IDEA verschlЭsselt ist. OpenSSH kann eine solche Host Key Datei
72 nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
73 kann nicht gefunden werden.
74
75Template: ssh/run_sshd
76Type: boolean
77Default: true
78Description: Do you want to run the sshd server ?
79 This package contains both the ssh client, and the sshd server.
80 .
81 Normally the sshd Secure Shell Server will be run to allow remote
82 logins via ssh.
83 .
84 If you are only interested in using the ssh client for outbound
85 connections on this machine, and don't want to log into it at all
86 using ssh, then you can disable sshd here.
87Description-de: MЖchten Sie den sshd Server starten?
88 Das Paket enthДlt sowohl den Client als auch den sshd Server.
89 .
90 Normal wird der sshd Secure Shell Server fЭr Remote Logins per ssh
91 gestartet.
92 .
93 Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechnern
94 zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen,
95 dann kЖnnen Sie hier den sshd abschalten.
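Review bot: in ssh/insecure_rshd the Description-de short description on line 44 stops mid-sentence after "---" and continues in the extended text on line 45, so a frontend that shows only the first line displays a truncated warning; make line 44 a complete title, as the English line 41 is. Description-de for ssh/encrypted_host_key_but_no_keygen (lines 69-73) also lacks the closing instruction from line 68 to generate a new host key.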
diff --git a/debian/templates.es b/debian/templates.es
new file mode 100644
index 000000000..8d7b25a34
--- /dev/null
+++ b/debian/templates.es
@@ -0,0 +1,266 @@
1Template: ssh/run_sshd
2Type: boolean
3Default: true
4Description: Do you want to run the sshd server ?
5 This package contains both the ssh client, and the sshd server.
6 .
7 Normally the sshd Secure Shell Server will be run to allow remote logins
8 via ssh.
9 .
10 If you are only interested in using the ssh client for outbound
11 connections on this machine, and don't want to log into it at all using
12 ssh, then you can disable sshd here.
13Description-es: ©Quiere ejecutar el servidor sshd?
14 Este paquete contiene el cliente ssh y el servidor sshd.
15 .
16 Generalmente, el servidor de ssh (Secure Shell Server) se ejecuta para
17 permitir el acceso remoto mediante ssh.
18 .
19 Si sСlo estА interesado en usar el cliente ssh en conexiones salientes del
20 sistema y no quiere acceder a Иl mediante ssh, entonces puede desactivar
21 sshd.
22
23Template: ssh/use_old_init_script
24Type: boolean
25Default: false
26Description: Do you want to continue (and risk killing active ssh sessions) ?
27 The version of /etc/init.d/ssh that you have installed, is likely to kill
28 all running sshd instances. If you are doing this upgrade via an ssh
29 session, that would be a Bad Thing(tm).
30 .
31 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
32 start-stop-daemon line in the stop section of the file.
33Description-es: ©Desea continuar, aЗn a riesgo de matar las sesiones ssh activas?
34 La versiСn de /etc/init.d/ssh que tiene instalada es muy probable que
35 mate el demonio ssh. Si estА actualizando a travИs de una sesiСn ssh,
36 puede que no sea muy buena idea.
37 .
38 Puede arreglarlo aЯadiendo "--pidfile /var/run/sshd.pid" a la lМnea
39 'start-stop-daemon', en la secciСn 'stop' del fichero.
40
41Template: ssh/SUID_client
42Type: boolean
43Default: true
44Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
45 You have the option of installing the ssh-keysign helper with the SUID bit
46 set.
47 .
48 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
49 host-based authentication.
50 .
51 If in doubt, I suggest you install it with SUID. If it causes problems
52 you can change your mind later by running: dpkg-reconfigure ssh
53Description-es: ©Quiere instalar /usr/lib/ssh-keysign SUID root?
54 Puede instalar ssh-keysign con el bit SUID (se ejecutarА con privilegios
55 de root).
56 .
57 Si hace ssh-keysign SUID, podrА usar la autentificiaciСn basada en
58 servidor de la versiСn 2 del protocolo SSH.
59 .
60 Si duda, se recomienda que lo instale SUID. Si surgen problemas puede
61 cambiar de opiniСn posteriormente ejecutando ╚dpkg-reconfigure ssh╩.
62
63Template: ssh/encrypted_host_key_but_no_keygen
64Type: note
65Description: Warning: you must create a new host key
66 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
67 can not handle this host key file, and I can't find the ssh-keygen utility
68 from the old (non-free) SSH installation.
69 .
70 You will need to generate a new host key.
71Description-es: Aviso: debe crear una nueva clave para su servidor
72 Su sistema tiene un /etc/ssh/ssh_host_key antiguo, que usa cifrado IDEA.
73 OpenSSH no puede manejar este fichero de claves y tampoco se encuentra la
74 utilidad ssh-keygen incluida en el paquete ssh no libre.
75 .
76 NecesitarА generar una nueva clave para su servidor.
77
78Template: ssh/insecure_telnetd
79Type: note
80Description: Warning: telnetd is installed --- probably not a good idea
81 I'd advise you to either remove the telnetd package (if you don't actually
82 need to offer telnet access) or install telnetd-ssl so that there is at
83 least some chance that telnet sessions will not be sending unencrypted
84 login/password and session information over the network.
85Description-es: Aviso: tiene telnetd instalado
86 Es muy aconsejable que borre el paquete telnetd si no necesita realmente
87 ofrecer acceso mediante telnet o instalar telnetd-ssl para que las
88 contraseЯas, nombres de usuario y demАs informaciСn de las sesiones telnet
89 no viajen sin cifrar por la red.
90
91Template: ssh/forward_warning
92Type: note
93Description: NOTE: Forwarding of X11 and Authorization disabled by default.
94 For security reasons, the Debian version of ssh has ForwardX11 and
95 ForwardAgent set to ``off'' by default.
96 .
97 You can enable it for servers you trust, either in one of the
98 configuration files, or with the -X command line option.
99 .
100 More details can be found in /usr/share/doc/ssh/README.Debian
101Description-es: NOTA: ReenvМo de X11 y AutorizaciСn desactivadas por defecto.
102 Por razones de seguridad, la versiСn de ssh de Debian tiene por defecto
103 ForwardX11 y ForwardAgent desactivadas.
104 .
105 Puede activar estas opciones para los servidores en los que confМe, en los
106 ficheros de configuraciСn o con la opciСn -X en lМnea de comandos.
107 .
108 Puede encontrar mАs detalles en /usr/share/doc/ssh/README.Debian.
109
110Template: ssh/privsep_tell
111Type: note
112Description: Privilege separation
113 This version of OpenSSH contains the new privilege separation option. This
114 significantly reduces the quantity of code that runs as root, and
115 therefore reduces the impact of security holes in sshd.
116 .
117 Unfortunately, privilege separation interacts badly with PAM. Any PAM
118 session modules that need to run as root (pam_mkhomedir, for example) will
119 fail, and PAM keyboard-interactive authentication won't work.
120 .
121 Privilege separation is turned on by default, so if you decide you want it
122 turned off, you need to add "UsePrivilegeSeparation no" to
123 /etc/ssh/sshd_config.
124 .
125 NB! If you are running a 2.0 series Linux kernel, then privilege
126 separation will not work at all, and your sshd will fail to start unless
127 you explicitly turn privilege separation off.
128Description-es: SeparaciСn de privilegios
129 Esta versiСn de OpenSSH incluye una nueva opciСn de separaciСn de
130 privilegios que reduce significativamente la cantidad de cСdigo que se
131 ejecuta como root, por lo que reduce el impacto de posibles agujeros de
132 seguridad en sshd.
133 .
134 Desafortunadamente, la separaciСn de privilegios no interactЗa
135 correctamente con PAM. Cualquier mСdulo PAM que necesite ejecutarse como
136 root (como, por ejemplo, pam_mkhomedir) y la autentificaciСn interactiva
137 PAM con teclado no funcionarАn.
138 .
139 La separaciСn de privilegios estА activa por defecto, por lo que si decide
140 desactivarla, tiene que aЯadir "UsePrivilegeSeparation no" al fichero
141 /etc/ssh/sshd_config.
142 .
143 Nota: Si utiliza un nЗcleo Linux de la serie 2.0, la separaciСn de
144 privilegios fallarА estrepitosamente y sshd no funcionarА a no ser que la
145 desactive.
146
147Template: ssh/ssh2_keys_merged
148Type: note
149Description: ssh2 keys merged in configuration files
150 As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
151 keys. This means the authorized_keys2 and known_hosts2 files are no longer
152 needed. They will still be read in order to maintain backwards
153 compatibility
154Description-es: Las claves ssh2 ya se incluyen en los ficheros de configuraciСn
155 A partir de la versiСn 3, OpenSSH ya no utiliza ficheros diferentes para
156 las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los
157 ficheros authorized_keys2 y known_hosts2, aunque aЗn se seguirАn leyendo
158 para mantener compatibilidad hacia atrАs.
159
160Template: ssh/protocol2_only
161Type: boolean
162Default: true
163Description: Allow SSH protocol 2 only
164 This version of OpenSSH supports version 2 of the ssh protocol, which is
165 much more secure. Disabling ssh 1 is encouraged, however this will slow
166 things down on low end machines and might prevent older clients from
167 connecting (the ssh client shipped with "potato" is affected).
168 .
169 Also please note that keys used for protocol 1 are different so you will
170 not be able to use them if you only allow protocol 2 connections.
171 .
172 If you later change your mind about this setting, README.Debian has
173 instructions on what to do to your sshd_config file.
174Description-es: Permitir sСlo la versiСn 2 del protocolo SSH
175 Esta versiСn de OpenSSH soporta la versiСn 2 del protocolo ssh, que es
176 mucho mАs segura que la anterior. Se recomienda desactivar la versiСn 1,
177 aunque funcionarА mАs lento en mАquinas modestas y puede impedir que se
178 conecten clientes antiguos, como, por ejemplo, el incluido en "potato".
179 .
180 TambiИn tenga en cuenta que las claves utilizadas para el protocolo 1 son
181 diferentes, por lo que no podrА usarlas si Зnicamente permite conexiones
182 mediante la versiСn 2 del protocolo.
183 .
184 Si mАs tarde cambia de opiniСn, el fichero README.Debian contiene
185 instrucciones sobre cСmo modificar en el fichero sshd_config.
186
187Template: ssh/insecure_rshd
188Type: note
189Description: Warning: rsh-server is installed --- probably not a good idea
190 having rsh-server installed undermines the security that you were probably
191 wanting to obtain by installing ssh. I'd advise you to remove that
192 package.
193Description-es: Aviso: tiene rsh-server instalado
194 Tener rsh-server instalado representa un menoscabo de la seguridad que
195 probablemente desea obtener instalando ssh. Es muy aconsejable que borre
196 ese paquete.
197
198Template: ssh/privsep_ask
199Type: boolean
200Default: true
201Description: Enable Privilege separation
202 This version of OpenSSH contains the new privilege separation option. This
203 significantly reduces the quantity of code that runs as root, and
204 therefore reduces the impact of security holes in sshd.
205 .
206 Unfortunately, privilege separation interacts badly with PAM. Any PAM
207 session modules that need to run as root (pam_mkhomedir, for example) will
208 fail, and PAM keyboard-interactive authentication won't work.
209 .
210 Since you've opted to have me generate an sshd_config file for you, you
211 can choose whether or not to have Privilege Separation turned on or not.
212 Unless you are running 2.0 (in which case you *must* say no here or your
213 sshd won't start at all) or know you need to use PAM features that won't
214 work with this option, you should say yes here.
215Description-es: Activar separaciСn de privilegios
216 Esta versiСn de OpenSSH incluye una nueva opciСn de separaciСn de
217 privilegios que reduce significativamente la cantidad de cСdigo que se
218 ejecuta como root, por lo que reduce el impacto de posibles agujeros de
219 seguridad en sshd.
220 .
221 Desafortunadamente, la separaciСn de privilegios no interactЗa
222 correctamente con PAM. Cualquier mСdulo PAM que necesite ejecutarse como
223 root (como, por ejemplo, pam_mkhomedir) y la autentificaciСn PAM mediante
224 teclado no funcionarАn.
225 .
226 Puesto que ha elegido crear automАticamente el fichero sshd_config, puede
227 decidir ahora si quiere activar la opciСn de separaciСn de privilegios. A
228 menos que utilice la versiСn 2.0 (en cuyo caso debe responer no aquМ o
229 sshd no arrancarА) o sepa que necesita usar ciertas caracterМsticas de PAM
230 que funcionan con esta opciСn, deberМa responder sМ a esta pregunta.
231
232Template: ssh/new_config
233Type: boolean
234Default: true
235Description: Generate new configuration file
236 This version of OpenSSH has a considerably changed configuration file from
237 the version shipped in Debian 'Potato', which you appear to be upgrading
238 from. I can now generate you a new configuration file
239 (/etc/ssh/sshd.config), which will work with the new server version, but
240 will not contain any customisations you made with the old version.
241 .
242 Please note that this new configuration file will set the value of
243 'PermitRootLogin' to yes (meaning that anyone knowing the root password
244 can ssh directly in as root). It is the opinion of the maintainer that
245 this is the correct default (see README.Debian for more details), but you
246 can always edit sshd_config and set it to no if you wish.
247 .
248 It is strongly recommended that you let me generate a new configuration
249 file for you.
250Description-es: Generar un nuevo fichero de configuraciСn
251 Esta versiСn de OpenSSH tiene un fichero de configuraciСn
252 considerablemente diferente del incluido en Debian Potato, que es la
253 versiСn desde la que parece estar actualizando. Puede crear
254 automАticamente un nuevo fichero de configuraciСn (/etc/ssh/sshd_config),
255 que funcionarА con la nueva versiСn del servidor, pero no incuirА las
256 modificaciones que hiciera en la versiСn antigua.
257 .
258 AdemАs, recuerde que este nuevo fichero de configuraciСn dirА sМ en la
259 opciСn 'PermitRootLogin', por lo que cualquiera que conozca la contraseЯa
260 de root podrА entrar mediante ssh directamente como root. En opiniСn del
261 mantenedor Иsta es la opciСn predeterminada mАs adecuada (puede leer
262 README.Debian si quiere conocer mАs detalles), pero siempre puede editar
263 sshd_config y poner no si lo desea.
264 .
265 Es muy recomendable que permita que se genere un nuevo fichero de
266 configuraciСn ahora.
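Review bot: In the Spanish text of ssh/privsep_ask (lines 228-230) the negation has been lost. The English says to answer yes unless you "know you need to use PAM features that won't work with this option", but the translation reads "que funcionan con esta" (features that do work), which inverts the advice on when privilege separation should be turned off. It should say the features do not work with the option. Line 228 also has the typo "responer". Separately, the English Description of ssh/new_config at line 239 names the generated file "/etc/ssh/sshd.config", while the Spanish text at line 254 and every other reference in this file say sshd_config; the English path should be /etc/ssh/sshd_config.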
diff --git a/debian/templates.fr b/debian/templates.fr
new file mode 100644
index 000000000..5eee0f92a
--- /dev/null
+++ b/debian/templates.fr
@@ -0,0 +1,278 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation
5 option. This significantly reduces the quantity of code that runs as
6 root, and therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any
9 PAM session modules that need to run as root (pam_mkhomedir, for
10 example) will fail, and PAM keyboard-interactive authentication
11 won't work.
12 .
13 Privilege separation is turned on by default, so if you decide you
14 want it turned off, you need to add "UsePrivilegeSeparation no" to
15 /etc/ssh/sshd_config.
16 .
17 NB! If you are running a 2.0 series Linux kernel, then privilege
18 separation will not work at all, and your sshd will fail to start
19 unless you explicitly turn privilege separation off.
20Description-fr: SИparation des privilХges
21 Cette version d'OpenSSH est livrИe avec la nouvelle option de
22 sИparation des privilХges. Cela rИduit de maniХre significative la
23 quantitИ de code s'exИcutant en tant que super-utilisateur, et donc
24 rИduit l'impact des trous de sИcuritИ dans sshd.
25 .
26 Malheureusement, la sИparation des privilХges interagit mal avec PAM.
27 Tous les modules de session PAM qui doivent Йtre exИcutИs en tant
28 que super-utilisateur (pam_mkhomedir, par exemple) ne s'exИcuteront
29 pas, et l'authentification interactive au clavier ne fonctionnera pas.
30 .
31 La sИparation des privilХges est activИe par dИfaut ; si vous
32 souhaitez la dИsactiver, vous devez ajouter ╚═UsePrivilegeSeparation
33 no═╩ dans /etc/ssh/sshd_config.
34 .
35 NB═! Si vous avez un noyau Linux de la sИrie des 2.0, la sИparation
36 des privilХges ne fonctionne pas, et votre dИmon sshd ne se lancera
37 que si vous avez explicitement dИsactivИ la sИparation des privilХges.
38
39Template: ssh/privsep_ask
40Type: boolean
41Default: true
42Description: Enable Privilege separation
43 This version of OpenSSH contains the new privilege separation
44 option. This significantly reduces the quantity of code that runs as
45 root, and therefore reduces the impact of security holes in sshd.
46 .
47 Unfortunately, privilege separation interacts badly with PAM. Any
48 PAM session modules that need to run as root (pam_mkhomedir, for
49 example) will fail, and PAM keyboard-interactive authentication
50 won't work.
51 .
52 Since you've opted to have me generate an sshd_config file for you,
53 you can choose whether or not to have Privilege Separation turned on
54 or not. Unless you are running 2.0 (in which case you *must* say no
55 here or your sshd won't start at all) or know you need to use PAM
56 features that won't work with this option, you should say yes here.
57Description-fr: Activer la sИparation des privilХges
58 Cette version d'OpenSSH est livrИe avec la nouvelle option de
59 sИparation des privilХges. Cela rИduit de maniХre significative la
60 quantitИ de code s'exИcutant en tant que super-utilisateur, et donc
61 rИduit l'impact des trous de sИcuritИ dans sshd.
62 .
63 Malheureusement, la sИparation des privilХges interagit mal avec PAM.
64 Tous les modules de session PAM qui doivent Йtre exИcutИs en tant
65 que super-utilisateur (pam_mkhomedir, par exemple) ne s'exИcuteront
66 pas, et l'authentification interactive au clavier ne fonctionnera pas.
67 .
68 Comme vous souhaitez que je gИnХre le fichier de configuration
69 sshd_config Ю votre place, vous pouvez choisir d'activer ou non
70 l'option de sИparation des privilХges. Si vous utilisez un noyau 2.0
71 (dans ce cas vous *devez* dИsactiver cette option ou alors sshd ne se
72 lancera pas) ou bien si vous avez besoin de fonctionnalitИs PAM, cela
73 ne fonctionnera pas si cette option est activИe, dans le cas contraire
74 vous devriez l'activer.
75
76Template: ssh/new_config
77Type: boolean
78Default: true
79Description: Generate new configuration file
80 This version of OpenSSH has a considerably changed configuration file from
81 the version shipped in Debian 'Potato', which you appear to be upgrading from.
82 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
83 will work with the new server version, but will not contain any customisations
84 you made with the old version.
85 .
86 Please note that this new configuration file will set the value of
87 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
88 ssh directly in as root). It is the opinion of the maintainer that this is
89 the correct default (see README.Debian for more details), but you can always
90 edit sshd_config and set it to no if you wish.
91 .
92 It is strongly recommended that you let me generate a new configuration file
93 for you.
94Description-fr: CrИer un nouveau fichier de configuration
95 Cette version d'OpenSSH utilise un fichier de configuration qui a
96 ИnormИment changИ depuis la version contenue dans la distribution
97 Debian ╚═Potato═╩, depuis laquelle vous semblez faire une mise Ю jour.
98 Je peux gИnИrer maintenant pour vous un nouveau fichier de
99 configuration (/etc/ssh/sshd.config) qui marchera avec la nouvelle
100 version du serveur, mais ne contiendra aucun des rИglages que vous avez
101 faits sur l'ancienne version.
102 .
103 Veuillez noter que ce nouveau fichier de configuration positionnera la
104 valeur de ╚═PermitRootLogin═╩ Ю ╚═yes═╩ (ce qui signifie que quiconque
105 connaissant le mot de passe du super-utilisateur peut se connecter
106 en tant que tel sur la machine). Le responsable du paquet
107 pense que c'est lЮ un comportement par dИfaut normal (lisez
108 README.Debian pour plus d'informations), mais vous pouvez toujours
109 Иditer le fichier sshd_config et changer cela.
110 .
111 Il est fortement recommandИ que vous me laissiez gИnИrer le nouveau
112 fichier de configuration.
113
114Template: ssh/protocol2_only
115Type: boolean
116Default: true
117Description: Allow SSH protocol 2 only
118 This version of OpenSSH supports version 2 of the ssh protocol, which
119 is much more secure. Disabling ssh 1 is encouraged, however this
120 will slow things down on low end machines and might prevent older
121 clients from connecting (the ssh client shipped with "potato" is affected).
122 .
123 Also please note that keys used for protocol 1 are different so you will
124 not be able to use them if you only allow protocol 2 connections.
125 .
126 If you later change your mind about this setting, README.Debian has
127 instructions on what to do to your sshd_config file.
128Description-fr: Permettre seulement la version 2 du protocole SSH
129 Cette version d'OpenSSH connaНt la version 2 du protocole ssh, qui est
130 bien plus sШre. DИsactiver ssh 1 est une bonne chose, cependant cela
131 peut ralentir les machines peu puissantes et pourrait empЙcher ceux qui
132 utilisent des vieilles versions de la partie cliente de se connecter
133 (le client ssh de la distribution Debian ╚═Potato═╩ en fait partie).
134 .
135 De plus, les clИs utilisИes par la version 1 du protocole sont
136 diffИrentes et vous ne pourrez pas les utiliser si vous
137 n'autorisez que les connexions utilisant la version 2 du protocole.
138 .
139 Si vous changez d'avis ultИrieurement et dИcidez de modifier ce
140 rИglage, les instructions fournies dans le fichier README.Debian vous
141 indiquent comment modifier le fichier sshd_config.
142
143Template: ssh/ssh2_keys_merged
144Type: note
145Description: ssh2 keys merged in configuration files
146 As of version 3 OpenSSH no longer uses separate files for ssh1 and
147 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
148 are no longer needed. They will still be read in order to maintain
149 backwards compatibility
150Description-fr: ClИs pour ssh2 fusionnИes dans les fichiers de configuration
151 OpenSSH, depuis sa version 3, n'utilise plus de fichiers distincts pour
152 les clИs ssh1 et ssh2. Cela signifie que les fichiers authorized_keys2
153 et known_hosts2 ne sont plus utiles. Ils seront nИanmoins lus afin de
154 prИserver la compatibilitИ descendante.
155
156Template: ssh/use_old_init_script
157Type: boolean
158Default: false
159Description: Do you want to continue (and risk killing active ssh sessions) ?
160 The version of /etc/init.d/ssh that you have installed, is likely to kill
161 all running sshd instances. If you are doing this upgrade via an ssh
162 session, that would be a Bad Thing(tm).
163 .
164 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
165 start-stop-daemon line in the stop section of the file.
166Description-fr: Voulez-vous continuer (et risquer de rompre les sessions ssh actives)═?
167 Il est probable que la version de /etc/init.d/ssh installИe en ce moment
168 tue toutes les instances de sshd en cours. En cas de mise Ю jour par ssh,
169 Гa serait une mauvaise idИe.
170 .
171 Vous pouvez corriger cela en ajoutant dans /etc/init.d/ssh ╚═--pidfile
172 /var/run/sshd.pid═╩ Ю la ligne ╚═start-stop-daemon═╩ dans la section
173 ╚═stop═╩ du fichier.
174
175Template: ssh/forward_warning
176Type: note
177Description: NOTE: Forwarding of X11 and Authorization disabled by default.
178 For security reasons, the Debian version of ssh has ForwardX11 and
179 ForwardAgent set to ``off'' by default.
180 .
181 You can enable it for servers you trust, either
182 in one of the configuration files, or with the -X command line option.
183 .
184 More details can be found in /usr/share/doc/ssh/README.Debian
185Description-fr: NOTE═: suivi de session X11 et d'agent d'autorisation dИsactivИs par dИfaut.
186 Pour des raisons de sИcuritИ, la version Debian de ssh positionne les
187 options ForwardX11 et ForwardAgent Ю ╚═Off═╩ par dИfaut.
188 .
189 Vous pouvez activer ces options pour les serveurs en qui vous avez
190 confiance, soit dans un des fichiers de configuration, soit avec l'option
191 -X de la ligne de commande.
192 .
193 Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
194
195Template: ssh/insecure_rshd
196Type: note
197Description: Warning: rsh-server is installed --- probably not a good idea
198 having rsh-server installed undermines the security that you were probably
199 wanting to obtain by installing ssh. I'd advise you to remove that package.
200Description-fr: Attention═: rsh-server est installИ -- ce n'est probablement pas une bonne idИe
201 Avoir un serveur rsh installИ affaiblit la sИcuritИ que vous vouliez
202 probablement obtenir en installant ssh. Je vous conseille de
203 supprimer ce paquet.
204
205Template: ssh/insecure_telnetd
206Type: note
207Description: Warning: telnetd is installed --- probably not a good idea
208 I'd advise you to either remove the telnetd package (if you don't actually
209 need to offer telnet access) or install telnetd-ssl so that there is at
210 least some chance that telnet sessions will not be sending unencrypted
211 login/password and session information over the network.
212Description-fr: Attention═: telnetd est installИ -- ce n'est probablement pas une bonne idИe
213 Je vous conseille soit d'enlever le paquet telnetd (si ce service
214 n'est pas nИcessaire), soit de le remplacer par le paquet telnetd-ssl pour
215 qu'il y ait au moins une chance que les sessions telnet soient chiffrИes
216 et que les mots de passe et noms d'utilisateurs ne passent pas en clair
217 sur le rИseau.
218
219Template: ssh/encrypted_host_key_but_no_keygen
220Type: note
221Description: Warning: you must create a new host key
222 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
223 OpenSSH can not handle this host key file, and I can't find the
224 ssh-keygen utility from the old (non-free) SSH installation.
225 .
226 You will need to generate a new host key.
227Description-fr: Attention═: vous devez crИer une nouvelle clИ d'hТte
228 Il existe un vieux /etc/ssh/ssh_host_key qui est chiffrИ avec IDEA.
229 OpenSSH ne peut utiliser ce fichier de clИ, et je ne peux trouver
230 l'utilitaire ssh-keygen de l'installation prИcИdente (non libre) de SSH.
231 .
232 Vous aurez besoin de gИnИrer une nouvelle clИ d'hТte.
233
234Template: ssh/SUID_client
235Type: boolean
236Default: true
237Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
238 You have the option of installing the ssh-keysign helper with the SUID
239 bit set.
240 .
241 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
242 host-based authentication.
243 .
244 If in doubt, I suggest you install it with SUID. If it causes
245 problems you can change your mind later by running: dpkg-reconfigure ssh
246Description-fr: Voulez-vous que /usr/lib/ssh-keysign soit installИ avec le bit SETUID activИ═?
247 Vous avez la possibilitИ d'installer ssh-keysign avec le bit SETUID
248 activИ.
249 .
250 Si vous mettez ssh-keysign avec le bit SETUID, vous permettrez
251 l'authentification basИe sur les hТtes, disponible dans la version 2 du
252 protocole SSH.
253 .
254 Dans le doute, je vous suggХre de l'installer avec le bit SETUID
255 activИ. Si cela vous cause des problХmes, vous pourrez revenir sur
256 votre dИcision avec ╚═dpkg-reconfigure ssh═╩.
257
258Template: ssh/run_sshd
259Type: boolean
260Default: true
261Description: Do you want to run the sshd server ?
262 This package contains both the ssh client, and the sshd server.
263 .
264 Normally the sshd Secure Shell Server will be run to allow remote
265 logins via ssh.
266 .
267 If you are only interested in using the ssh client for outbound
268 connections on this machine, and don't want to log into it at all
269 using ssh, then you can disable sshd here.
270Description-fr: Voulez-vous utiliser le serveur sshd═?
271 Ce paquet contient Ю la fois le client ssh et le serveur sshd.
272 .
273 Normalement le serveur sshd est lancИ pour permettre les connexions
274 distantes via ssh.
275 .
276 Si vous dИsirez seulement utiliser le client ssh pour des connexions vers
277 l'extИrieur, ou si vous ne voulez pas vous connecter sur cette machine
278 via ssh, vous pouvez dИsactiver sshd maintenant.
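Review bot: The generated file in ssh/new_config is written as "/etc/ssh/sshd.config" in both the English text (line 82) and the French text (line 99), while every other reference in this file is to sshd_config, so an administrator following the prompt is pointed at a file name the package does not use. Both should read /etc/ssh/sshd_config. In the French ssh/privsep_ask paragraph (lines 70-74) the two exceptions and the recommendation are run into one sentence ("cela ne fonctionnera pas si cette option est ..."), which makes it hard to see that the advice is to enable the option unless one of them applies; splitting it into two sentences would match the English. The French privsep_tell and privsep_ask texts (lines 29 and 66) also drop "PAM" from "PAM keyboard-interactive authentication", which widens the stated breakage to all keyboard-interactive authentication.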
diff --git a/debian/templates.ja b/debian/templates.ja
new file mode 100644
index 000000000..cdcc829cc
--- /dev/null
+++ b/debian/templates.ja
@@ -0,0 +1,205 @@
1Template: ssh/new_config
2Type: boolean
3Default: true
4Description: Generate new configuration file
5 This version of OpenSSH has a considerably changed configuration file from
6 the version shipped in Debian 'Potato', which you appear to be upgrading from.
7 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
8 will work with the new server version, but will not contain any customisations
9 you made with the old version.
10 .
11 Please note that this new configuration file will set the value of
12 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
13 ssh directly in as root). It is the opinion of the maintainer that this is
14 the correct default (see README.Debian for more details), but you can always
15 edit sshd_config and set it to no if you wish.
16 .
17 It is strongly recommended that you let me generate a new configuration file
18 for you
19Description-ja: ©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓Р╨Н╓Й╓ч╓╧
20 OpenSSH ╓н╓Ё╓н╔п║╪╔╦╔Г╔С╓о║╒Debian 'Potato' ╓к╢ч╓ч╓Л╓ф╓╓╓К╔п║╪╔╦╔Г╔С
21 (╓╓╓ч║╒╓╫╓н╔п║╪╔╦╔Г╔С╓╚╓И╓н╔п║╪╔╦╔Г╔С╔╒╔ц╔в╓Р╩Н╓ъ╓ф╓╓╓К╓х╓Ё╓М) ╓╚╓И║╒
22 юъдЙ╔у╔║╔╓╔К╓╛бГиЩ╓кйя╡╫╓╥╓ф╓╓╓ч╓╧║ё╓╓╓ч║╒©╥╓╥╓╓╔п║╪╔╦╔Г╔С╓н╔╣║╪╔п╓г
23 ╩х╓╕╓Ё╓х╓╛╓г╓╜╓К©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К (/etc/ssh/sshd/config) ╓Р╪╚ф╟ю╦ю╝
24 ╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒╓╫╓н╔у╔║╔╓╔К╓о║╒╦е╓╓╔п║╪╔╦╔Г╔С╓нюъдЙ╔у╔║╔╓╔К╓к
25 ╢ч╓ч╓Л╓К╓╒╓й╓©╓нюъдЙ╓╛а╢╓╞╢ч╓ч╓Л╓ч╓╩╓С║ё
26 .
27 ╓Ё╓н©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓о║╒║жPermitRootLogin║в╓Р║жyes║в╓кюъдЙ╓╥╓ч╓╧║ё
28 (╓д╓ч╓Й║╒root ╓н╔я╔╧╔О║╪╔и╓Рцн╓ц╓ф╓╓╓К©м╓й╓Иц╞╓г╓Бд╬юэ╔М╔╟╔╓╔С╓г╓╜╓ч
29 ╓╧)║ё╓Ё╓Л╓г╓Х╓╓║╒╓х╓╓╓╕╓н╓╛╓Ё╓н╔я╔ц╔╠║╪╔╦╓н╔А╔С╔ф╔й╓н╟у╦╚╓г╓╧╓╛ (╬э╓╥
30 ╓╞╓о README.Debian ╓Рфи╓С╓г╡╪╓╣╓╓)║╒sshd_config ╓Рйт╫╦╓╥╓ф║жno║в╓кюъ
31 дЙ╓╧╓К╓Ё╓х╓Б╓г╓╜╓ч╓╧║ё
32 .
33 ©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓Р╪╚ф╟ю╦ю╝╓╧╓К╓Ё╓х╓Р╤╞╓╞╓╙╢╚╓А╓╥╓ч╓╧║ё
34
35Template: ssh/protocol2_only
36Type: boolean
37Default: true
38Description: Allow SSH protocol 2 only
39 This version of OpenSSH supports version 2 of the ssh protocol, which
40 is much more secure. Disabling ssh 1 is encouraged, however this
41 will slow things down on low end machines and might prevent older
42 clients from connecting (the ssh client shipped with "potato" is affected).
43 .
44 Also please note that keys used for protocol 1 are different so you will
45 not be able to use them if you only allow protocol 2 connections.
46 .
47 If you later change your mind about this setting, README.Debian has
48 instructions on what to do to your sshd_config file.
49Description-ja: SSH ╔в╔М╔х╔Ё╔К 2 ╓н╓ъ╓Р╣Ж╡д╓╥╓ч╓╧
50 OpenSSH ╓н╓Ё╓н╔п║╪╔╦╔Г╔С╓о║╒╓╨╓ц╓х╟ба╢╓й║╒ssh ╔в╔М╔х╔Ё╔К╓н╔п║╪╔╦╔Г╔С
51 2 ╓Р╔╣╔щ║╪╔х╓╥╓ф╓╓╓ч╓╧║ёssh 1 ╓Р╤ь╩ъ╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧╓╛║╒цы╓╓╔ч
52 ╔╥╔С╓г╓оф╟╨Н╓╛цы╓╞╓й╓ц╓©╓Й║╒╦е╓╓╔╞╔И╔╓╔╒╔С╔х╓╚╓ИюэбЁ╓г╓╜╓й╓╞╓й╓ц╓©╓Й
53 ╓╥╓ч╓╧ ("potato" ╓н ssh ╔╞╔И╔╓╔╒╔С╔х╓БюэбЁ╓г╓╜╓й╓╞╓й╓Й╓ч╓╧)║ё
54 .
55 ╓ч╓©║╒╔в╔М╔х╔Ё╔К 1 ╓г╩х╓╕╔╜║╪╓о╟ш╓й╓К╓©╓А║╒╔в╔М╔х╔Ё╔К 2 ╓Рм╜╦З╓к╓╥╓©
56 ╓ю╓╠╓г╓о╓╫╓н╔╜║╪╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╩╓С║ё
57 .
58 ╓Б╓╥╨ё╦Е╓╒╓й╓©╓╛╧м╓╗╓Рйя╓╗╓©╓И║╒README.Debian ╓Рфи╓Ю╓х sshd_config ╓Р
59 ╓и╓н╓Х╓╕╓кйя╧╧╓╥╓©╓И╓Х╓╓╓╚╓╛й╛╓╚╓Й╓ч╓╧║ё
60
61Template: ssh/ssh2_keys_merged
62Type: note
63Description: ssh2 keys merged in configuration files
64 As of version 3 OpenSSH no longer uses separate files for ssh1 and
65 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
66 are no longer needed. They will still be read in order to maintain
67 backwards compatibility
68Description-ja: ssh2 ╔╜║╪╓оюъдЙ╔у╔║╔╓╔К╓кеЩ╧Г╓╣╓Л╓ч╓╧
69 OpenSSH ╓н╔п║╪╔╦╔Г╔С 3 ╓о║╒ssh1 ╓х ssh2 ╓н╔╜║╪╓к╦дйл╓н╔у╔║╔╓╔К╓Р╩х╓╓
70 ╓ч╓╩╓С║ё╓д╓ч╓Й║╒authorized_keys2 ╔у╔║╔╓╔К╓х known_hosts2 ╔у╔║╔╓╔К╓о╓Б
71 ╓о╓Дитмв╓х╓й╓Й╓ч╓╥╓©║ё╦ЕйЩ╦ъ╢╧ю╜╓Рйщ╓д╓©╓А╓к╓о╓Ё╓Л╓И╓н╔у╔║╔╓╔К╓╛и╛мв
72 ╓г╓╧║ё
73
74Template: ssh/use_old_init_script
75Type: boolean
76Default: false
77Description: Do you want to continue (and risk killing active ssh sessions) ?
78 The version of /etc/init.d/ssh that you have installed, is likely to kill
79 all running sshd instances. If you are doing this upgrade via an ssh
80 session, that would be a Bad Thing(tm).
81 .
82 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
83 start-stop-daemon line in the stop section of the file.
84Description-ja: бЁ╓╠╓ф╓╓╓╓╓г╓╧╓╚ (юэбЁцФ╓н ssh ╔╩╔ц╔╥╔Г╔С╓╛юз╓Л╓К╓╚╓Б╓╥╓Л╓ч╓╩╓С)
85 ╓╓╓ч╔╓╔С╔╧╔х║╪╔К╓╥╓© /etc/init.d/ssh ╓о║╒╓╙╓╫╓И╓╞╪б╧тцФ╓н sshd ╓Ра╢╓ф
86 дД╩ъ╓╣╓╩╓ч╓╧║ё╓Ё╓н╔п║╪╔╦╔Г╔С╔╒╔ц╔в╓Р ssh ╔╩╔ц╔╥╔Г╔С╓Рмя╓╓╓ф╧т╓╕╓н╓о╢ж
87 ╟Ц╓ц╓©╓Д╓Й╓╚╓©╓г╓╧║ё
88 .
89 ╓Ё╓н╬У╤╥╓Р╫╓ю╣╓╧╓К╓к╓о║╒/etc/init.d/ssh ╓н stop ╔╩╔╞╔╥╔Г╔С╓н
90 start-stop-daemon ╓н╧т╓к║ж--pidfile /var/run/sshd.pid║в╓хди╡ц╓╥╓ч╓╧║ё
91
92Template: ssh/forward_warning
93Type: note
94Description: NOTE: Forwarding of X11 and Authorization disabled by default.
95 For security reasons, the Debian version of ssh has ForwardX11 and
96 ForwardAgent set to ``off'' by default.
97 .
98 You can enable it for servers you trust, either
99 in one of the configuration files, or with the -X command line option.
100 .
101 More details can be found in /usr/share/doc/ssh/README.Debian
102Description-ja: цМ╟у: X11 ╓хг╖╬з╓н╔у╔╘╔О║╪╔г╔ё╔С╔╟╓о╔г╔у╔╘╔К╔х╓г╓о╤ь╩ъ╓╣╓Л╓ч╓╧
103 ╔╩╔╜╔Е╔Й╔ф╔ё╬Е╓нмЩмЁ╓╚╓И║╒Debian ╓н ssh ╓г╓о ForwardX11 ╓х
104 ForwardAgent ╓о╔г╔у╔╘╔К╔х╓г╓о║жoff║в╓кюъдЙ╓╣╓Л╓ч╓╧║ё
105 .
106 юъдЙ╔у╔║╔╓╔К╓Р╩х╓ц╓©╓Й║╒-X ╔Ё╔ч╔С╔и╔И╔╓╔С╔╙╔в╔╥╔Г╔С╓Р╩х╓ц╓©╓Й╓╧╓К
107 ╓Ё╓х╓г║╒©╝мя╓г╓╜╓К╔╣║╪╔п╓кбп╓╥╓ф╣Ж╡д╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё
108 .
109 ╬э╨ы╓о /usr/share/doc/ssh/README.Debian ╓Рфи╓С╓г╡╪╓╣╓╓║ё
110
111Template: ssh/insecure_rshd
112Type: note
113Description: Warning: rsh-server is installed --- probably not a good idea
114 having rsh-server installed undermines the security that you were probably
115 wanting to obtain by installing ssh. I'd advise you to remove that package.
116Description-ja: ╥ы╧П: rsh-server ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓ч╓╧║ё╓©╓ж╓Сни╓╓╧м╓╗╓г╓о╓╒╓Й╓ч╓╩╓С
117 rsh-server ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓К╓х║╒╓╒╓й╓©╓╛ ssh ╓к╓Х╓ц╓ффю╓©╓╓╓х
118 ╩в╓ц╓ф╓╓╓К╓г╓╒╓М╓╕╔╩╔╜╔Е╔Й╔ф╔ё╓╛б╩╓й╓О╓Л╓ч╓╧║ё╓╫╓н╔я╔ц╔╠║╪╔╦╓Р╔╒╔С╔╓
119 ╔С╔╧╔х║╪╔К╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧║ё
120
121Template: ssh/insecure_telnetd
122Type: note
123Description: Warning: telnetd is installed --- probably not a good idea
124 I'd advise you to either remove the telnetd package (if you don't actually
125 need to offer telnet access) or install telnetd-ssl so that there is at
126 least some chance that telnet sessions will not be sending unencrypted
127 login/password and session information over the network.
128Description-ja: ╥ы╧П: telnetd ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓ч╓╧║ё╓©╓ж╓Сни╓╓╧м╓╗╓г╓о╓╒╓Й╓ч╓╩╓С
129 (╓Б╓╥ telnet ╔╒╔╞╔╩╔╧╓РдС╤║╓╥╓©╓╓╓х╩в╓ц╓ф╓╓╓й╓╓╓н╓г╓╥╓©╓И) telnetd
130 ╔я╔ц╔╠║╪╔╦╓Р╔╒╔С╔╓╔С╔╧╔х║╪╔К╓╧╓К╓╚║╒╓ч╓©╓о║╒telnetd-ssh ╔я╔ц╔╠║╪╔╦╓Р
131 ╔╓╔С╔╧╔х║╪╔К╓╥╓ф╬╞╓й╓╞╓х╓Б╔м╔ц╔х╔О║╪╔╞╬Е╓Р╟е╧Ф╡╫╓╣╓Л╓ф╓╓╓й╓╓╔Ф║╪╔╤л╬
132 ╓Д╔я╔╧╔О║╪╔и╓Д╔╩╔ц╔╥╔Г╔С╬ПйС╓╛н╝╓Л╓й╓╓╓Х╓╕╓к╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧║ё
133
134Template: ssh/encrypted_host_key_but_no_keygen
135Type: note
136Description: Warning: you must create a new host key
137 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
138 OpenSSH can not handle this host key file, and I can't find the
139 ssh-keygen utility from the old (non-free) SSH installation.
140 .
141 You will need to generate a new host key.
142Description-ja: ╥ы╧П: ©╥╓╥╓╓╔ш╔╧╔х╔╜║╪╓Р╨Н╓И╓й╓╓╓х╓╓╓╠╓ч╓╩╓С
143 IDEA ╓г╟е╧Ф╡╫╓╣╓Л╓©╦е╓╓╔╜║╪╓╛ /etc/ssh/ssh_host_key ╓к╓╒╓Й╓ч╓╧║ё
144 OpenSSH ╓о╓Ё╓н╔ш╔╧╔х╔╜║╪╔у╔║╔╓╔К╓Р╟╥╓╗╓ч╓╩╓С║ё╓ч╓©║╒╨ё╔╓╔С╔╧╔х║╪╔К
145 ╓╣╓Л╓ф╓╓╓К╦е╓╓ (╔у╔Й║╪╓г╓о╓й╓╓) SSH ╓к╓о ssh-keygen ╔Ф║╪╔ф╔ё╔Й╔ф╔ё
146 ╓╛╢ч╓ч╓Л╓ф╓╓╓ч╓╩╓С║ё
147 .
148 ©╥╓╥╓╓╔ш╔╧╔х╔╜║╪╓Р╨Н╓Ки╛мв╓╛╓╒╓Й╓ч╓╧║ё
149
150Template: ssh/SUID_client
151Type: boolean
152Default: true
153Description: Do you want /usr/bin/ssh to be installed SUID root?
154 You have the option of installing the ssh client with the SUID bit set.
155 .
156 If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
157 authentication, but will not be able to use socks via the LD_PRELOAD
158 trick. This is the traditional approach.
159 .
160 If you do not make ssh SUID, you will be able to use socks, but
161 Rhosts/RhostsRSA authentication will stop working, which may stop you
162 logging in to remote systems. It will also mean that the source
163 port will be above 1024, which may confound firewall rules you've set up.
164 .
165 If in doubt, I suggest you install it with SUID. If it causes
166 problems you can change your mind later by running: dpkg-reconfigure ssh
167Description-ja: /usr/bin/ssh ╓Р SUID root ╓г╔╓╔С╔╧╔х║╪╔К╓╥╓ч╓╧╓╚?
168 ssh ╔╞╔И╔╓╔╒╔С╔х╓Р╔╓╔С╔╧╔х║╪╔К╓╧╓К╨щ║╒SUID ╔с╔ц╔х╓РюъдЙ╓╧╓К╓╚╓╥╓й╓╓╓╚
169 ╓Ра╙╓ж╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё
170 .
171 SUID ╓РюъдЙ╓╧╓Л╓п║╒Rhosts/RhostsRSA г╖╬з╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒
172 LD_PRELOAD ╔х╔Й╔ц╔╞╓Рмя╓╓╓ф socks ╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓й╓╞╓й╓Й╓ч╓╧║ё╓Ё╓Л
173 ╓оеаеЩе╙╓й╓Д╓Й╓╚╓©╓г╓╧║ё
174 .
175 SUID ╓РюъдЙ╓╥╓й╓╠╓Л╓п║╒socks ╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒Rhosts/RhostRSA
176 г╖╬з╓╛ф╞╓╚╓й╓╞╓й╓Й║╒╔Й╔Б║╪╔х╔╥╔╧╔ф╔Ю╓ь╓н╔М╔╟╔╓╔С╓╛╓г╓╜╓й╓╞╓й╓К╓╚╓Б╓╥
177 ╓Л╓ч╓╩╓С║ё╓ч╓©║╒╔╫║╪╔╧╔щ║╪╔х╓╛ 1024 ╟й╬Е╓х╓й╓Й║╒╓╒╓й╓©╓╛юъдЙ╓╥╓©╔у╔║
178 ╔╓╔╒╔╕╔╘║╪╔К╓н╔К║╪╔К╓Р╨╝мП╓╣╓╩╓К╓╚╓Б╓╥╓Л╓ч╓╩╓С║ё
179 .
180 ╓Б╓╥й╛╓╚╓И╓й╓╠╓Л╓п║╒SUID ╓РюъдЙ╓╥╓©╬Убж╓г╔╓╔С╔╧╔х║╪╔К╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А
181 ╓╥╓ч╓╧║ё╓╫╓Л╓г╓Б╓╥╡©╓╚лДбЙ╓╛╓╒╓Л╓п║╒dpkg-reconfigure ssh ╓Р╪б╧т╓╧╓К╓Ё
182 ╓х╓гюъдЙ╓Рйя╧╧╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё
183
184Template: ssh/run_sshd
185Type: boolean
186Default: true
187Description: Do you want to run the sshd server ?
188 This package contains both the ssh client, and the sshd server.
189 .
190 Normally the sshd Secure Shell Server will be run to allow remote
191 logins via ssh.
192 .
193 If you are only interested in using the ssh client for outbound
194 connections on this machine, and don't want to log into it at all
195 using ssh, then you can disable sshd here.
196Description-ja: sshd ╔╣║╪╔п╓Р╪б╧т╓╥╓ч╓╧╓╚?
197 ╓Ё╓н╔я╔ц╔╠║╪╔╦╓о║╒ssh ╔╞╔И╔╓╔╒╔С╔х╓х sshd ╔╣║╪╔п╓нн╬йЩ╓Р╢ч╓С╓г╓╓╓ч╓╧║ё
198 .
199 дл╬О║╒sshd ╔╩╔╜╔Е╔╒╔╥╔╖╔К╔╣║╪╔п╓о║╒ssh ╓Рмя╓╓╓©╔Й╔Б║╪╔х╓╚╓И╓н╔М╔╟╔╓╔С
200 ╓Р╡дг╫╓к╓╧╓К╓©╓А╓к╪б╧т╓╥╓ч╓╧║ё
201 .
202 ╓Б╓╥ ssh ╔╞╔И╔╓╔╒╔С╔х╓Р╩х╓ц╓ф╓Ё╓н╔ч╔╥╔С╓╚╓Иб╬╔ч╔╥╔С╓ь╓хюэбЁ╓╧╓К╓ю╓╠╓г
203 ╓г║╒╓Ё╓н╔ч╔╥╔С╓ь╓х ssh ╓Р╩х╓ц╓ф╔М╔╟╔╓╔С╓╥╓й╓╓╓н╓г╓╥╓©╓И║╒╓Ё╓Ё╓г sshd
204 ╓Р╪б╧т╓╥╓й╓╓╓г╓╙╓╜╓ч╓╧║ё
205
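Review bot: in ssh/insecure_telnetd the Japanese description names the package as telnetd-ssh (line 130), while the English text on line 125 recommends telnetd-ssl. A reader following the translation would look for a package the English never mentions, so the translated name should be changed to telnetd-ssl. The Japanese ssh/SUID_client text also writes "Rhosts/RhostRSA" on line 175 where line 171 and the English have "Rhosts/RhostsRSA". In ssh/forward_warning, the text says both ForwardX11 and ForwardAgent are off and then offers only the -X option to enable "it"; -X covers X11 forwarding only, so the sentence should state which of the two settings it re-enables.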
diff --git a/debian/templates.pl b/debian/templates.pl
new file mode 100644
index 000000000..d4b8fda6d
--- /dev/null
+++ b/debian/templates.pl
@@ -0,0 +1,264 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation
5 option. This significantly reduces the quantity of code that runs as
6 root, and therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any
9 PAM session modules that need to run as root (pam_mkhomedir, for
10 example) will fail, and PAM keyboard-interactive authentication
11 won't work.
12 .
13 Privilege separation is turned on by default, so if you decide you
14 want it turned off, you need to add "UsePrivilegeSeparation no" to
15 /etc/ssh/sshd_config.
16 .
17 NB! If you are running a 2.0 series Linux kernel, then privilege
18 separation will not work at all, and your sshd will fail to start
19 unless you explicitly turn privilege separation off.
20Description-pl: Separacja uprawnieЯ
21 Ta wersja OpenSSH zawiera now╠ opcjЙ separacji uprawnieЯ. Znacz╠co
22 zmniejsza ona ilo╤Ф kodu, ktСry jest uruchamiany jako root i co
23 za tym idzie redukuje efekty luk bezpieczeЯstwa w sshd.
24 .
25 Niestety separacja uprawnieЯ ╪le reaguje z PAMem. Jakikolwiek moduЁ
26 sesji PAM, ktСry musi byФ uruchamiany jako root (pam_mkhomedir, na
27 przykЁad) zawiedzie. Nie bЙdzie dziaЁaФ rСwnie© interaktywna
28 autentykacja z klawiatury (keyboard-interactive authentication).
29 .
30 Separacja uprawnieЯ jest domy╤lnie wЁ╠czona, wiЙc je╤li zdecydujesz
31 siЙ j╠ wyЁ╠czyФ, musisz dodaФ "UsePrivilegeSeparation no" do pliku
32 /etc/ssh/sshd_config.
33 .
34 UWAGA! Je©eli u©ywasz j╠dra Linux'a z serii 2.0, to separacja uprawnieЯ
35 w ogСle nie bЙdzie dziaЁaФ i sshd nie wystartuje dopСki wЁasnorЙcznie
36 nie wyЁ╠czysz separacji uprawnieЯ w /etc/ssh/sshd_config.
37
38Template: ssh/privsep_ask
39Type: boolean
40Default: true
41Description: Enable Privilege separation
42 This version of OpenSSH contains the new privilege separation
43 option. This significantly reduces the quantity of code that runs as
44 root, and therefore reduces the impact of security holes in sshd.
45 .
46 Unfortunately, privilege separation interacts badly with PAM. Any
47 PAM session modules that need to run as root (pam_mkhomedir, for
48 example) will fail, and PAM keyboard-interactive authentication
49 won't work.
50 .
51 Since you've opted to have me generate an sshd_config file for you,
52 you can choose whether or not to have Privilege Separation turned on
53 or not. Unless you are running 2.0 (in which case you *must* say no
54 here or your sshd won't start at all) or know you need to use PAM
55 features that won't work with this option, you should say yes here.
56Description-pl: WЁ╠czenie separacji uprawnieЯ
57 Ta wersja OpenSSH zawiera now╠ opcjЙ separacji uprawnieЯ. Znacz╠co
58 zmniejsza ona ilo╤Ф kodu, ktСry jest uruchamiany jako root i co
59 za tym idzie redukuje efekty luk bezpieczeЯstwa w sshd.
60 .
61 Niestety separacja uprawnieЯ ╪le reaguje z PAMem. Jakikolwiek moduЁ
62 sesji PAM, ktСry musi byФ uruchamiany jako root (pam_mkhomedir, na
63 przykЁad) zawiedzie. Nie bЙdzie dziaЁaФ rСwnie© interaktywna
64 autentykacja z klawiatury (keyboard-interactive authentication).
65 .
66 ZdecydowaЁe╤ siЙ na to abym wygenerowaЁ dla ciebie plik sshd_config,
67 i mo©esz wybraФ czy chcesz wЁ╠czyФ SeparacjЙ UprawnieЯ, czy te© nie.
68 Je╤li nie u©ywasz j╠dra z serii 2.0 (w ktСrym to przypadku *musisz*
69 odpowiedzieФ tutaj 'nie' albo sshd w ogСle nie ruszy) i je╤li nie
70 musisz korzystaФ z mo©liwo╤ci PAMa, ktСre nie bЙd╠ dziaЁaЁy z t╠ opcj╠,
71 powiniene╤ odpowiedzieФ tutaj 'tak'.
72
73Template: ssh/new_config
74Type: boolean
75Default: true
76Description: Generate new configuration file
77 This version of OpenSSH has a considerably changed configuration file from
78 the version shipped in Debian 'Potato', which you appear to be upgrading from.
79 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
80 will work with the new server version, but will not contain any customisations
81 you made with the old version.
82 .
83 Please note that this new configuration file will set the value of
84 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
85 ssh directly in as root). It is the opinion of the maintainer that this is
86 the correct default (see README.Debian for more details), but you can always
87 edit sshd_config and set it to no if you wish.
88 .
89 It is strongly recommended that you let me generate a new configuration file
90 for you.
91Description-pl: Wygeneruj nowy plik konfiguracyjny
92 W tej wersji OpenSSH zmieniЁ siЙ plik konfiguracyjny w stosunku do wersji
93 dostarczanej z Debianem 'Potato', ktСr╠ zdajesz siЙ aktualizowaФ. MogЙ teraz
94 wygenerowaФ nowy plik konfiguracyjny (/etc/ssh/sshd.config), ktСry bЙdzie
95 dziaЁaЁ z now╠ wersj╠ serwera, ale nie bЙdzie zawieraЁ ©adnych dokonanych
96 przez ciebie w starej wersji zmian.
97 .
98 Zauwa© proszЙ, ©e nowy plik konfiguracyjny bЙdzie ustawiaЁ warto╤Ф opcji
99 'PermitRootLogin' na 'tak' (co oznacza, ©e ka©dy kto zna hasЁo root'a mo©e
100 zdalnie zalogowaФ siЙ przez ssh jako root). W opinii opiekuna pakietu to
101 jest poprawna warto╤Ф domy╤lna (szczegСЁy w README.Debian), ale mo©esz sobie
102 wyedytowaФ sshd_config i ustawiФ tЙ opcjЙ na 'nie' je╤li siЙ z t╠ opini╠ nie
103 zgadzasz.
104 .
105 Jest bardzo wskazane aby╤ pozwoliЁ mi wygenerowaФ nowy plik konfiguracyjny.
106
107Template: ssh/protocol2_only
108Type: boolean
109Default: true
110Description: Allow SSH protocol 2 only
111 This version of OpenSSH supports version 2 of the ssh protocol, which
112 is much more secure. Disabling ssh 1 is encouraged, however this
113 will slow things down on low end machines and might prevent older
114 clients from connecting (the ssh client shipped with "potato" is affected).
115 .
116 Also please note that keys used for protocol 1 are different so you will
117 not be able to use them if you only allow protocol 2 connections.
118 .
119 If you later change your mind about this setting, README.Debian has
120 instructions on what to do to your sshd_config file.
121Description-pl: Zezwalaj wyЁ╠cznie na wersjЙ 2 protokoЁu SSH
122 Ta wersja OpenSSH wspiera drug╠ wersjЙ protokoЁu ssh, ktСra jest znacznie
123 bardziej bezpieczna. WyЁ╠czenie ssh 1 jest zalecane, choФ spowalnia to
124 dziaЁanie na starych maszynach i mo©e uniemo©liwiФ poЁ╠czenie starszym
125 wersjom klientСw (dotyczy to np. klienta ssh doЁ╠czanego do "potato").
126 .
127 Ponadto, zauwa© proszЙ, ©e klucze u©ywane przez protokСЁ 1 s╠ inne, wiЙc
128 nie bЙdziesz mСgЁ ich u©ywaФ je╤li zezwolisz na korzystanie wyЁ╠cznie z
129 wersji 2 protokoЁu.
130 .
131 Je╤li pС╪niej zmienisz zdanie co do tego ustawienia, to instrukcje co
132 zmieniФ w sshd_config znajduj╠ siЙ w README.Debian.
133
134Template: ssh/ssh2_keys_merged
135Type: note
136Description: ssh2 keys merged in configuration files
137 As of version 3 OpenSSH no longer uses separate files for ssh1 and
138 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
139 are no longer needed. They will still be read in order to maintain
140 backwards compatibility
141Description-pl: klucze ssh2 wЁ╠czone do plikСw konfiguracyjnych
142 Pocz╠wszy od wersji 3 OpenSSH nie u©ywa ju© osobnych plikСw dla kluczy
143 ssh1 i ssh2. Oznacza to, ©e pliki authorized_keys2 i known_hosts2 nie
144 s╠ ju© potrzebne. BЙd╠ one jednak odczytywane aby zachowaФ wsteczn╠
145 kompatybilno╤Ф.
146
147Template: ssh/use_old_init_script
148Type: boolean
149Default: false
150Description: Do you want to continue (and risk killing active ssh sessions) ?
151 The version of /etc/init.d/ssh that you have installed, is likely to kill
152 all running sshd instances. If you are doing this upgrade via an ssh
153 session, that would be a Bad Thing(tm).
154 .
155 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
156 start-stop-daemon line in the stop section of the file.
157Description-pl: Czy chcesz kontynuowaФ (i ryzykowaФ zabicie aktywnych sesji ssh) ?
158 Zainstalowana wЁa╤nie wersja /etc/init.d/ssh mo©e zabiФ wszystkie dziaЁaj╠ce
159 obecnie kopie sshd. Je╤li robisz ten upgrade via ssh, to byЁaby ZЁa Rzecz(tm).
160 .
161 Mo©esz to naprawiФ dodaj╠c "--pidfile /var/run/sshd.pid" do linijki
162 start-stop-daemon w sekcji stop tego pliku.
163
164Template: ssh/forward_warning
165Type: note
166Description: NOTE: Forwarding of X11 and Authorization disabled by default.
167 For security reasons, the Debian version of ssh has ForwardX11 and
168 ForwardAgent set to ``off'' by default.
169 .
170 You can enable it for servers you trust, either
171 in one of the configuration files, or with the -X command line option.
172 .
173 More details can be found in /usr/share/doc/ssh/README.Debian
174Description-pl: UWAGA: Przekazywanie (forwarding) X11 i Autoryzacji jest domy╤lnie wyЁ╠czone.
175 Ze wzglЙdСw bezpieczeЯstwa Debianowa wersja ssh ma ForwardX11 i ForwardAgent
176 ustawione domy╤lnie na 'off'.
177 .
178 Dla zaufanych serwerСw mo©esz wЁ╠czyФ te opcje w pliku konfiguracyjnym lub
179 przy pomocy opcji -X z linii komend.
180 .
181 WiЙcej szczegСЁСw znajdziesz w /usr/share/doc/ssh/README.Debian.
182
183Template: ssh/insecure_rshd
184Type: note
185Description: Warning: rsh-server is installed --- probably not a good idea
186 having rsh-server installed undermines the security that you were probably
187 wanting to obtain by installing ssh. I'd advise you to remove that package.
188Description-pl: Uwaga: serwer rsh jest zainstalowany --- prawdopodobnie nienajlepszy pomysЁ
189 Posiadanie zainstalowanego serwera rsh podminowuje zabezpieczenia, ktСre
190 prawdopodobnie starasz siЙ uzyskaФ instaluj╠c ssh. RadziЁbym usun╠Ф ten
191 pakiet.
192
193Template: ssh/insecure_telnetd
194Type: note
195Description: Warning: telnetd is installed --- probably not a good idea
196 I'd advise you to either remove the telnetd package (if you don't actually
197 need to offer telnet access) or install telnetd-ssl so that there is at
198 least some chance that telnet sessions will not be sending unencrypted
199 login/password and session information over the network.
200Description-pl: Uwaga: telnetd jest zainstalowany --- prawdopodobnie nienajlepszy pomysЁ
201 RadziЁbym albo usun╠Ф pakiet telnetd (je╤li nie potrzebujesz koniecznie
202 udostЙpniaФ telnet'a) albo zainstalowaФ telnetd-ssl aby byЁa choФ szansza,
203 ©e sesje telnet nie bЙd╠ przesyЁaФ niezaszyfrowanego loginu/hasЁa oraz
204 danych sesji przez sieФ.
205
206Template: ssh/encrypted_host_key_but_no_keygen
207Type: note
208Description: Warning: you must create a new host key
209 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
210 OpenSSH can not handle this host key file, and I can't find the
211 ssh-keygen utility from the old (non-free) SSH installation.
212 .
213 You will need to generate a new host key.
214Description-pl: Uwaga: musisz utworzyФ nowy klucz hosta
215 Istnieje stary /etc/ssh/ssh_host_key, ktСry jest zaszyfrowany przez
216 IDEA. OpenSSH nie umie korzystaФ z tak zaszyfrowanego klucza, a nie
217 mo©e znale╪Ф polecenia ssh-keygen ze starego SSH (non-free).
218 .
219 BЙdziesz musiaЁ wygenerowaФ nowy klucz hosta.
220
221Template: ssh/SUID_client
222Type: boolean
223Default: true
224Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
225 You have the option of installing the ssh-keysign helper with the SUID
226 bit set.
227 .
228 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
229 host-based authentication.
230 .
231 If in doubt, I suggest you install it with SUID. If it causes
232 problems you can change your mind later by running: dpkg-reconfigure ssh
233Description-pl: Czy chcesz aby /usr/lib/ssh-keysign byЁ zainstalowany jako SUID root?
234 Masz mo©liwo╤Ф zainstalowania pomocniczego programu ssh-keysign z wЁ╠czonym
235 bitem SETUID.
236 .
237 Je╤li uczynisz ssh-keysign SUIDowym, bЙdziesz mСgЁ u©ywaФ opartej na hostach
238 autentykacji drugiej wersji protokoЁu SSH.
239 .
240 Je╤li masz w╠tpliwo╤ci, radzЙ zainstalowaФ go z SUIDem. Je╤li to sprawia
241 problemy, mo©esz zmieniФ swoje zdanie uruchamiaj╠c pС╪niej polecenie:
242 dpkg-reconfigure ssh
243
244Template: ssh/run_sshd
245Type: boolean
246Default: true
247Description: Do you want to run the sshd server ?
248 This package contains both the ssh client, and the sshd server.
249 .
250 Normally the sshd Secure Shell Server will be run to allow remote
251 logins via ssh.
252 .
253 If you are only interested in using the ssh client for outbound
254 connections on this machine, and don't want to log into it at all
255 using ssh, then you can disable sshd here.
256Description-pl: Czy chcesz uruchamiaФ serwer sshd ?
257 Ten pakiet zawiera zarСwno klienta ssh, jak i serwer sshd.
258 .
259 Normalnie serwer sshd (Secure Shell Server) bЙdzie uruchomiony aby
260 umo©liwiФ zdalny dostЙp przez ssh.
261 .
262 Je╤li jeste╤ zainteresowny u©ywaniem wyЁ╠cznie klienta ssh dla poЁ╠czeЯ
263 wychodz╠cych z tej maszyny, i nie chcesz siЙ na ni╠ logowaФ przy pomocy
264 ssh, to mo©esz teraz wyЁ╠czyФ serwer sshd.
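Review bot: ssh/new_config gives the generated file as /etc/ssh/sshd.config (line 79, repeated in the Polish text on line 94), but line 87 of the same description and the ssh/privsep_tell template call it sshd_config. The path should read /etc/ssh/sshd_config in both languages, so that an administrator who wants to change the PermitRootLogin value described in the next paragraph edits the right file. In ssh/privsep_ask, "Unless you are running 2.0" (line 53) does not say what 2.0 refers to; ssh/privsep_tell uses "a 2.0 series Linux kernel" and the same wording belongs here, since answering yes on such a system leaves sshd unable to start. The ssh/ssh2_keys_merged description (line 140) is missing its final full stop.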
diff --git a/debian/templates.pt_BR b/debian/templates.pt_BR
new file mode 100644
index 000000000..2d0b3e1e7
--- /dev/null
+++ b/debian/templates.pt_BR
@@ -0,0 +1,181 @@
1Template: ssh/upgrade_to_openssh
2Type: boolean
3Description: Are you sure you want to upgrade to OpenSSH?
4 This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible
5 drop in replacement for the original (non-free) implemetation.
6 .
7 If you find that it is not, please report the problem as a bug.
8 .
9 You can still find the old version of ssh in the ssh-nonfree package
10 (although the only reason you are likely to want that is if you also
11 want to install the ssh2 package).
12 .
13 NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at
14 least one other ssh session running as root, and once this is installed,
15 check that you can still log in (with a third session), before logging out.
16Description-pt_BR: VocЙ tem certeza que quer atualizar para o OpenSSH ?
17 Esta versЦo do ssh (tambИm conhecida como OpenSSH) И supostamente um
18 substituto 100% compatМvel para a implementaГЦo original (non-free).
19 .
20 Caso vocЙ ache que nЦo И, por favor reporte o problema como um bug.
21 .
22 VocЙ continuarА a encontrar a versЦo antiga do ssh no pacote ssh-nonfree
23 (embora a Зnica razЦo pela qual vocЙ queira isso И se vocЙ tambИm quer
24 instalar o pacote ssh2).
25 .
26 NOTA: Se vocЙ estА atualizando uma mАquina remotamente, via ssh,
27 certifique-se que vocЙ possui pelo menos outra sessЦo ssh executando como
28 root e, uma vez que o pacote esteja instalado, verifique se vocЙ continua
29 podendo se logar (com uma terceira sessЦo) antes de se desconectar
30 (logging out).
31
32Template: ssh/ancient_version
33Type: note
34Description: You are trying to upgrade from an ancient version of non-free ssh
35 This is bound to be using IDEA encryption for your identity files.
36 You should upgrade to a vaguely contemporary (1.2.15 or later) version of
37 non-free ssh, and then upgrade all your key files using ssh-keygen -u
38 before attempting to migrate to OpenSSH.
39 .
40 Alternatively, you could just forget about that, and generate new keys.
41Description-pt_BR: VocЙ estА tentando atualizar a partir de uma versЦo antiga do ssh non-free
42 Isto estА ligado a estar usando encriptaГЦo IDEA para seus arquivos de
43 identidade. VocЙ deverА atualizar para uma versЦo vagamente contemporБnea
44 (1.2.15 ou superior) do ssh non-free, e entЦo atualizar todos seus
45 arquivos de chaves usando ssh-keygen -u antes de tentar migrar para
46 OpenSSH.
47 .
48 Alternativamente, vocЙ poderia somente esquecer tudo isso e gerar
49 novas chaves.
50
51Template: ssh/use_old_init_script
52Type: boolean
53Description: Do you want to continue (and risk killing active ssh sessions) ?
54 The version of /etc/init.d/ssh that you have installed, is likely to kill
55 all running sshd instances. If you are doing this upgrade via an ssh
56 session, that would be a Bad Thing(tm).
57 .
58 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
59 start-stop-daemon line in the stop section of the file.
60Description-pt_BR: VocЙ quer continuar (e arriscar matar sessУes ssh ativas) ?
61 A versЦo de /etc/init.d/ssh que vocЙ possui instalada estА prestes a
62 matar todas as instБncias sshd sendo executadas. Se vocЙ estА fazendo
63 esta atualizaГЦo atravИs de uma sessЦo ssh, isto seria uma Coisa
64 Ruim(tm).
65 .
66 VocЙ pode corrigir isto adicionando "--pidfile /var/run/sshd.pid" na
67 linha start-stop-daemon na seГЦo stop deste arquivo.
68
69Template: ssh/forward_warning
70Type: note
71Description: NOTE: Forwarding of X11 and Authorization disabled by default.
72 For security reasons, the Debian version of ssh has ForwardX11 and
73 ForwardAgent set to ``off'' by default.
74 .
75 You can enable it for servers you trust, either
76 in one of the configuration files, or with the -X command line option.
77 .
78 More details can be found in /usr/share/doc/ssh/README.Debian
79Description-pt_BR: NOTA: Forwarding de X11 e Authorization desabilitados por padrЦo.
80 Por razТes de seguranГa, a versЦo Debian do ssh tem as opГУes ForwardX11
81 e ForwardAgent definidas como ``off'' por padrЦo.
82 .
83 VocЙ pode habilitar isso para servidores que vocЙ confia, ou em um dos
84 arquivos de configuraГЦo, ou com a opГЦo de linha de comando -X.
85 .
86 Maiores detalhes podem ser encontrados em
87 /usr/share/doc/ssh/README.Debian.
88
89Template: ssh/insecure_rshd
90Type: note
91Description: Warning: rsh-server is installed --- probably not a good idea
92 having rsh-server installed undermines the security that you were probably
93 wanting to obtain by installing ssh. I'd advise you to remove that package.
94Description-pt_BR: Aviso: rsh-server estА instalado --- provavelmente nЦo И uma boa idИia
95 Possuir o rsh-server instalado minarА a seguranГa que vocЙ estava
96 provavelmente querendo obter instalando o ssh. Eu recomendaria a vocЙ
97 remover este pacote.
98
99Template: ssh/insecure_telnetd
100Type: note
101Description: Warning: telnetd is installed --- probably not a good idea
102 I'd advise you to either remove the telnetd package (if you don't actually
103 need to offer telnet access) or install telnetd-ssl so that there is at
104 least some chance that telnet sessions will not be sending unencrypted
105 login/password and session information over the network.
106Description-pt_BR: Aviso: telnetd estА instalado --- provavelmente nЦo И uma boa idИia
107 Eu recomendaria a vocЙ ou remover o pacote telnetd (se vocЙ atualmente
108 nЦo precisa oferecer acesso telnet) ou instalar telnetd-ssl. Assim existe
109 pelo menos uma chance das sessУes telnet nЦo enviarem login/senha nЦo
110 encriptados e informaГУes de sessЦo atravИs da rede.
111
112Template: ssh/encrypted_host_key_but_no_keygen
113Type: note
114Description: Warning: you must create a new host key
115 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
116 OpenSSH can not handle this host key file, and I can't find the
117 ssh-keygen utility from the old (non-free) SSH installation.
118 .
119 You will need to generate a new host key.
120Description-pt_BR: Aviso: vocЙ deve criar uma nova host key
121 Existe uma antiga /etc/ssh/ssh_host_key, a qual И encriptada usando IDEA.
122 O OpenSSH nЦo pode gerenciar este arquivo host key e eu nЦo consigo
123 encontrar o utilitАrio ssh-keygen da antiga (non-free) instalaГЦo SSH.
124 .
125 VocЙ precisarА gerar uma nova host key.
126
127Template: ssh/SUID_client
128Type: boolean
129Default: false
130Description: Do you want /usr/bin/ssh to be installed SUID root?
131 You have the option of installing the ssh client with the SUID bit set.
132 .
133 If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
134 authentication, but will not be able to use socks via the LD_PRELOAD
135 trick. This is the traditional approach.
136 .
137 If you do not make ssh SUID, you will be able to use socks, but
138 Rhosts/RhostsRSA authentication will stop working, which may stop you
139 logging in to remote systems. It will also mean that the source
140 port will be above 1024, which may confound firewall rules you've set up.
141 .
142 If in doubt, I suggest you install it without SUID. If it causes
143 problems you can change your mind later by running: dpkg-reconfigure ssh
144Description-pt_BR: VocЙ quer que /usr/bin/ssh seja instalado SUID root ?
145 VocЙ tem a opГЦo de instalar o cliente ssh com o bit SUID setado.
146 .
147 Se vocЙ fizer o ssh SUID, vocЙ conseguirА usar autenticaГЦo
148 Rhosts/RhostsRSA, mas nЦo serА capaz de usar socks atravИs do truque
149 LD_PRELOAD. Isto И o tradicional.
150 .
151 Se vocЙ nЦo fizer o ssh SUID, vocЙ poderА usar socks, mas a autenticaГЦo
152 Rhosts/RhostsRSA irА parar de funcionar, o que poderА lhe impedir de
153 logar em sistemas remotos. Isto significarА tambИm que a porta fonte
154 estarА acima de 1024, o que poderА confundir regras de firewall que vocЙ
155 tenha definido.
156 .
157 Caso esteja em dЗvida, eu sugiro a vocЙ instalar sem SUID. Se isso causar
158 problemas vocЙ pode mudar sua escolha posteriormente executando:
159 dpkg-reconfigure ssh.
160
161Template: ssh/run_sshd
162Type: boolean
163Default: true
164Description: Do you want to run the sshd server ?
165 This package contains both the ssh client, and the sshd server.
166 .
167 Normally the sshd Secure Shell Server will be run to allow remote
168 logins via ssh.
169 .
170 If you are only interested in using the ssh client for outbound
171 connections on this machine, and don't want to log into it at all
172 using ssh, then you can disable sshd here.
173Description-pt_BR: VocЙ quer executar o servidor sshd ?
174 Este pacote contИm ambos o cliente ssh e o servidor sshd.
175 .
176 Normalmente o sshd Secure Shell Server serА executado para permitir
177 logins remotos via ssh.
178 .
179 Se vocЙ estА interessado somente em usar o cliente ssh para conexУes
180 para fora desta mАquina, e nЦo quer logar na mesma usando ssh, entЦo vocЙ
181 pode desabilitar o sshd aqui.
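Review bot: ssh/SUID_client in this file has Default: false and advises "install it without SUID" (lines 129 and 142), while the templates.pl copy added in this same patch has Default: true, advises installing with SUID, and asks about /usr/lib/ssh-keysign rather than /usr/bin/ssh. The English master text and the default for a setuid-root prompt should be identical in every template file, so this file needs to be brought in line with whichever version is current. ssh/use_old_init_script (line 51) also has no Default: line, where templates.pl and templates.ja set Default: false, and this file carries none of the ssh/privsep_tell, ssh/privsep_ask, ssh/new_config or ssh/protocol2_only templates that templates.pl has. Line 5 misspells "implementation" as "implemetation".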
diff --git a/debian/templates.ru b/debian/templates.ru
new file mode 100644
index 000000000..39038ff22
--- /dev/null
+++ b/debian/templates.ru
@@ -0,0 +1,207 @@
1Template: ssh/upgrade_to_openssh
2Type: boolean
3Description: Are you sure you want to upgrade to OpenSSH?
4 This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible
5 drop in replacement for the original (non-free) implemetation.
6 .
7 If you find that it is not, please report the problem as a bug.
8 .
9 You can still find the old version of ssh in the ssh-nonfree package
10 (although the only reason you are likely to want that is if you also
11 want to install the ssh2 package).
12 .
13 NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at
14 least one other ssh session running as root, and once this is installed,
15 check that you can still log in (with a third session), before logging out.
16Description-ru: Вы уверены, что хотите обновить OpenSSH?
17 Эта версия ssh(он же OpenSSH) является 100%-совместимой с оригинальной
18 (несвободной) реализацией.
19 .
20 Если вы обнаружили различие, то, пожалуйста, сообщите об этой ошибке.
21 .
22 Вы можете по прежнему найти старую версию ssh в пакете ssh-nonfree
23 (хотя действительно необходимо его использовать только, если вы хотите
24 установить еще и пакет ssh2).
25 .
26 Примечание: Если вы удаленно обновляете машину через ssh, то убедитесь
27 что как минимум еще одна сессия ssh запущена от root, и как только
28 процесс обновления закончится, убедитесь, что вы сможете войти в
29 систему (установив третью сессию), перед тем как отсоединяться.
30
31Template: ssh/protocol2_default
32Type: note
33Description: SSH uses protocol 2 by default.
34 This version of SSH (unlike previous ones) uses ssh
35 protocol version 2 by default. The key file formats have changed
36 between the protocol versions, so your old key files will not be
37 useful. You may either pass the '-1' option to ssh to force it to use
38 the older protocol (and your old keys), or generate new keys. Protocol
39 version 2 is thought to be more secure, so this is the preferred
40 course of action. See README.Debian for a little more information
41 .
42 Also, due to problems with IPv4 and IPv6 interoperation, IPv4 is now
43 the default (this is a change from previous versions). Passing ssh the
44 -6 flag will cause IPv6 addresses to be used. Once the current issues
45 with using IPv6 on machines with IPv4 addresses have been solved, the
46 previous default will be restored
47Description-ru: SSH использует по умолчанию протокол версии 2.
48 Эта версия SSH (в отличии от предыдущих) использует по умолчанию
49 протокол версии 2. В этой версии протокола изменен формат файлов
50 ключей, так что ваши старые ключи станут бесполезными. Вы можете либо
51 указывать опцию '-1' для ssh, чтобы принудительно использовать более
52 старую версию протокола, либо сгенерируйте новый ключи. Протокол
53 версии 2 более защищенный, и поэтому предопределен по умолчанию. См.
54 подробности в файле README.Debian.
55 .
56 Также из-за проблем взаимосоответствия IPv4 и IPv6, сейчас по
57 умолчанию по умолчанию используется IPv4 (в отличии от предыдущих
58 версий). Чтобы использовать IPv6, надо задать флаг -6. Как только все
59 сложности с использованием IPv6 на машинах с адресами IPv4 будут
60 решены, то прежнее поведение по умолчанию будет восстановлено.
61
62Template: ssh/ancient_version
63Type: note
64Description: You are trying to upgrade from an ancient version of non-free ssh
65 This is bound to be using IDEA encryption for your identity files.
66 You should upgrade to a vaguely contemporary (1.2.15 or later) version of
67 non-free ssh, and then upgrade all your key files using ssh-keygen -u
68 before attempting to migrate to OpenSSH.
69 .
70 Alternatively, you could just forget about that, and generate new keys.
71Description-ru: Вы пытаетесь обновить древнюю версию коммерческого ssh
72 Она ограничена использованием шифрования IDEA для ваших файлов
73 идентификации. Рекомендуется обновить более современные версии (1.2.15
74 или более поздние) коммерческого ssh, и потом обновить ваши ключевые
75 файлы командой `ssh-keygen -u` перед попыткой перейти на OpenSSH.
76 .
77 Как вариант, можете забыть обо всем этом и сгенерировать новые ключи.
78
79Template: ssh/use_old_init_script
80Type: boolean
81Description: Do you want to continue (and risk killing active ssh sessions) ?
82 The version of /etc/init.d/ssh that you have installed, is likely to kill
83 all running sshd instances. If you are doing this upgrade via an ssh
84 session, that would be a Bad Thing(tm).
85 .
86 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
87 start-stop-daemon line in the stop section of the file.
88Description-ru: Вы хотите продолжить (рискуя потерять активные ssh-соединения)?
89 Версия /etc/init.d/ssh, которую вы устанавливаете, может убить все
90 запущенные процессы ssh. Если вы осуществляете это обновление через
91 ssh сессию, то это Плохая Вещь (tm).
92 .
93 Это можно исправить добавлением "--pidfile /var/run/sshd.pid" в строке
94 start-stop-daemon в разделе stop этого файла.
95
96Template: ssh/forward_warning
97Type: note
98Description: NOTE: Forwarding of X11 and Authorization disabled by default.
99 For security reasons, the Debian version of ssh has ForwardX11 and
100 ForwardAgent set to ``off'' by default.
101 .
102 You can enable it for servers you trust, either
103 in one of the configuration files, or with the -X command line option.
104 .
105 More details can be found in /usr/share/doc/ssh/README.Debian
106Description-ru: ПРИМЕЧАНИЕ: Форвардинг X11 и Authorization запрещен по умолчанию.
107 По причинам безопасности, в версии для Debian ssh имеет ForwardX11 и
108 ForwardAgent установленными в ``off'' по умолчанию.
109 .
110 Вы можете разрешить их для серверов, которым доверяете либо в одном из
111 настроечных файлов, или параметром командной строки -X.
112 .
113 Дополнительую информацию можно найти в /usr/share/doc/ssh/README.Debian
114
115Template: ssh/insecure_rshd
116Type: note
117Description: Warning: rsh-server is installed --- probably not a good idea
118 having rsh-server installed undermines the security that you were probably
119 wanting to obtain by installing ssh. I'd advise you to remove that package.
120Description-ru: Предупреждение: установлен rsh-server --- видимо, не очень хорошо
121 Установленный rsh-server снижает безопасность, которую вы вероятно
122 хотите повысить устанавливая ssh. Рекомендуется удалить этот пакет.
123
124Template: ssh/insecure_telnetd
125Type: note
126Description: Warning: telnetd is installed --- probably not a good idea
127 I'd advise you to either remove the telnetd package (if you don't actually
128 need to offer telnet access) or install telnetd-ssl so that there is at
129 least some chance that telnet sessions will not be sending unencrypted
130 login/password and session information over the network.
131Description-ru: Предупреждение: установлен telnetd --- видимо, не очень хорошо
132 Я рекомендовал бы вам удалить пакет telnetd (если вам действительно не
133 нужен доступ telnet) или установить telnet-ssl, чтобы иметь хотя бы
134 возможность не передавать по сети незашифрованные имена и пароли
135 пользователей и прочую информацию в telnet-сессиях.
136
137Template: ssh/encrypted_host_key_but_no_keygen
138Type: note
139Description: Warning: you must create a new host key
140 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
141 OpenSSH can not handle this host key file, and I can't find the
142 ssh-keygen utility from the old (non-free) SSH installation.
143 .
144 You will need to generate a new host key.
145Description-ru: Предупреждение: вы должны создать новый ключ машины.
146 Есть старый /etc/ssh/ssh_host_key, который зашифрован IDEA. OpenSSH не
147 может работать с этим ключом машины, и я не могу найти утилиту
148 ssh-keygen от старой (несвободной) инсталляции SSH.
149 .
150 Вам надо будет сгенерировать новый ключ хоста.
151
152Template: ssh/SUID_client
153Type: boolean
154Default: true
155Description: Do you want /usr/bin/ssh to be installed SUID root?
156 You have the option of installing the ssh client with the SUID bit set.
157 .
158 If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
159 authentication, but will not be able to use socks via the LD_PRELOAD
160 trick. This is the traditional approach.
161 .
162 If you do not make ssh SUID, you will be able to use socks, but
163 Rhosts/RhostsRSA authentication will stop working, which may stop you
164 logging in to remote systems. It will also mean that the source
165 port will be above 1024, which may confound firewall rules you've set up.
166 .
167 If in doubt, I suggest you install it with SUID. If it causes
168 problems you can change your mind later by running: dpkg-reconfigure ssh
169Description-ru: Хотите установить /usr/bin/ssh как SUID root?
170 Вы имеете возможность установить /usr/bin/ssh с установленным битом
171 SUID.
172 .
173 Если вы делаете ssh SUID, то вы сможете использовать аутентификацию
174 Rhosts/RhostsRSA, но не сможете использовать socks через LD_PRELOAD.
175 Это традиционное поведение.
176 .
177 Если вы сделаете ssh SUID, то вы сможете использовать socks, но зато
178 аутентификация Rhosts/RhostsRSA не будет работать, что может сделать
179 невозможным вашу регистрацию на удаленных системах. Также это означает
180 что номер источникового порта будет больше 1024, что может не нарушить
181 работу установленных вами правил файрвола.
182 .
183 Если вы не знаете, что решить, то рекомендуется установить его с битом
184 SUID. Если вы потом передумаете, то эту установку можно будет изменить
185 командой: "dpkg-reconfigure ssh".
186
187Template: ssh/run_sshd
188Type: boolean
189Default: true
190Description: Do you want to run the sshd server ?
191 This package contains both the ssh client, and the sshd server.
192 .
193 Normally the sshd Secure Shell Server will be run to allow remote
194 logins via ssh.
195 .
196 If you are only interested in using the ssh client for outbound
197 connections on this machine, and don't want to log into it at all
198 using ssh, then you can disable sshd here.
199Description-ru: Хотите запустить сервер sshd?
200 Этот пакет содержит и ssh-клиент, и ssh-сервер.
201 .
202 Обычно sshd Secure Shell Server запускается для удаленного входа в
203 регистрации в системе через ssh.
204 .
205 Если вас интересует только использование ssh-клиента для исходящих
206 соединений с этой машины, и вы не хотите входить в ее систему через
207 ssh, то вы можете сейчас запретить sshd.
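Review bot: the ssh/SUID_client Description-ru inverts the English in its third paragraph (lines 177-181). "Если вы сделаете ssh SUID, то вы сможете использовать socks" drops the negation from "If you do not make ssh SUID", and "что может не нарушить работу установленных вами правил файрвола" turns "may confound firewall rules" into "may not break" them. A Russian-speaking administrator is therefore shown the opposite trade-off when deciding whether to install a setuid-root binary. Suggest "Если вы не сделаете ssh SUID" on line 177 and "что может нарушить работу" on lines 180-181. Smaller points in the same file: line 57 repeats "по умолчанию" twice; line 133 names "telnet-ssl" where the English text names telnetd-ssl; and the ssh/forward_warning text (lines 102-103 and 110-111) says both ForwardX11 and ForwardAgent are off but names only the -X option, so it should also say how agent forwarding is turned on.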