diff options
Diffstat (limited to 'debian')
32 files changed, 4673 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..13d005ac0 --- /dev/null +++ b/debian/README.Debian | |||
@@ -0,0 +1,209 @@ | |||
1 | OpenSSH for Debian | ||
2 | ------------------ | ||
3 | |||
4 | Although this package is widely referred to as OpenSSH, it is actually | ||
5 | a branch of an early version of ssh which has been tidied up by the | ||
6 | OpenBSD folks. | ||
7 | |||
8 | It has been decided that this version should have the privilege of | ||
9 | carrying the ``ssh'' name in Debian, since it is the only version of | ||
10 | ssh that is going to make it into Debian proper, being the only one | ||
11 | that complies with the Debian Free Software Guidelines. | ||
12 | |||
13 | If you were expecting to get the non-free version of ssh (1.2.27 or | ||
14 | whatever) when you installed this package, then you're out of luck, as | ||
15 | Debian don't ship it. | ||
16 | |||
17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
18 | |||
19 | Privilege Separation | ||
20 | -------------------- | ||
21 | |||
22 | As of 3.3, openssh has employed privilege separation to reduce the | ||
23 | quantity of code that runs as root, thereby reducing the impact of | ||
24 | some security holes in sshd. | ||
25 | |||
26 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
27 | session modules that need to run as root (pam_mkhomedir, for example) | ||
28 | will fail, and PAM keyboard-interactive authentication won't work. | ||
29 | |||
30 | Privilege separation is turned on by default, so if you decide you | ||
31 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
32 | /etc/ssh/sshd_config | ||
33 | |||
34 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
35 | separation will not work at all, and your sshd will fail to start | ||
36 | unless you explicity turn privilege separation off. | ||
37 | |||
38 | |||
39 | PermitRootLogin set to yes | ||
40 | -------------------------- | ||
41 | |||
42 | This is now the default setting (in line with upstream), and people | ||
43 | who asked for an automatically-generated configuration file when | ||
44 | upgrading from potato (or on a new install) will have this setting in | ||
45 | their /etc/ssh/sshd_config file. | ||
46 | |||
47 | Should you wish to change this setting, edit /etc/ssh/sshd_config, and | ||
48 | change: | ||
49 | PermitRootLogin yes | ||
50 | to: | ||
51 | PermitRootLogin no | ||
52 | |||
53 | Having PermitRootLogin set to yes means that an attacker that knows | ||
54 | the root password can ssh in directly (without having to go via a user | ||
55 | account). If you set it to no, then they must compromise a normal user | ||
56 | account. In the vast majority of cases, this does not give added | ||
57 | security; remember that any account you su to root from is equivalent | ||
58 | to root - compromising this account gives an attacker access to root | ||
59 | easily. If you only ever log in as root from the physical console, | ||
60 | then you probably want to set this value to no. | ||
61 | |||
62 | As an aside, PermitRootLogin can also be set to "without-password" or | ||
63 | "forced-commands-only" - see sshd(8) for more details. | ||
64 | |||
65 | DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! | ||
66 | |||
67 | The argument above is somewhat condensed; I have had this discussion | ||
68 | at great length with many people. If you think the default is | ||
69 | incorrect, and feel strongly enough to want to argue with me about it, | ||
70 | then send me email to matthew@debian.org. I will close bug reports | ||
71 | claiming the default is incorrect. | ||
72 | |||
73 | SSH now uses protocol 2 by default | ||
74 | ---------------------------------- | ||
75 | |||
76 | This means all your keyfiles you used for protocol version 1 need to | ||
77 | be re-generated. The server keys are done automatically, but for RSA | ||
78 | authentication, please read the ssh-keygen manpage. | ||
79 | |||
80 | If you have an automatically generated configuration file, and decide | ||
81 | at a later stage that you do want to support protocol version 1 (not | ||
82 | recommended, but note that the ssh client shipped with Debian potato | ||
83 | only supported protocol version 1), then you need to do the following: | ||
84 | |||
85 | Change /etc/ssh/sshd_config such that: | ||
86 | Protocol 2 | ||
87 | becomes: | ||
88 | Protocol 2,1 | ||
89 | Also add the line: | ||
90 | HostKey /etc/ssh/ssh_host_key | ||
91 | |||
92 | (you may need to generate a host key if you do not already have one) | ||
93 | |||
94 | /usr/bin/ssh not SUID: | ||
95 | ---------------------- | ||
96 | If you have not installed debconf, you'll have missed the chance to | ||
97 | install ssh SUID, which means you won't be able to do Rhosts | ||
98 | authentication. If that upsets you, use: | ||
99 | |||
100 | dpkg-statoverride | ||
101 | |||
102 | or if that's also missing, use this: | ||
103 | |||
104 | chown root.root /usr/bin/ssh | ||
105 | chmod 04755 /usr/bin/ssh | ||
106 | |||
107 | X11 Forwarding: | ||
108 | --------------- | ||
109 | ssh's default for ForwardX11 has been changed to ``no'' because it has | ||
110 | been pointed out that logging into remote systems administered by | ||
111 | untrusted people is likely to open you up to X11 attacks, so you | ||
112 | should have to actively decide that you trust the remote machine's | ||
113 | root, before enabling X11. I strongly recommend that you do this on a | ||
114 | machine-by-machine basis, rather than just enabling it in the default | ||
115 | host settings. | ||
116 | |||
117 | In order for X11 forwarding to work, you need to install xauth on the | ||
118 | server. In Debian this is in the xbase-clients package. | ||
119 | |||
120 | Authorization Forwarding: | ||
121 | ------------------------- | ||
122 | Similarly, root on a remote server could make use of your ssh-agent | ||
123 | (while you're logged into their machine) to obtain access to machines | ||
124 | which trust your keys. This feature is therefore disabled by default. | ||
125 | You should only re-enable it for those hosts (in your ~/.ssh/config or | ||
126 | /etc/ssh/ssh_config) where you are confident that the remote machine | ||
127 | is not a threat. | ||
128 | |||
129 | Fallback to RSH: | ||
130 | ---------------- | ||
131 | The default for this setting has been changed from Yes to No, for | ||
132 | security reasons, and to stop the delay attempting to rsh to machines | ||
133 | that don't offer the service. Simply switch it back on in either | ||
134 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
135 | it for. | ||
136 | |||
137 | Problems logging in with RSA authentication: | ||
138 | -------------------------------------------- | ||
139 | If you have trouble logging in with RSA authentication then the | ||
140 | problem is probably caused by the fact that you have your home | ||
141 | directory writable by group, as well as user (this is the default on | ||
142 | Debian systems). | ||
143 | |||
144 | Depending upon other settings on your system (i.e. other users being | ||
145 | in your group) this could open a security hole, so you will need to | ||
146 | make your home directory writable only by yourself. Run this command, | ||
147 | as yourself: | ||
148 | |||
149 | chmod g-w ~/ | ||
150 | |||
151 | to remove group write permissions. If you use ssh-copy-id to install your | ||
152 | keys, it does this for you. | ||
153 | |||
154 | -L option of ssh nonfree: | ||
155 | ------------------------- | ||
156 | non-free ssh supported the usage of the option -L to use a non privileged | ||
157 | port for scp. This option will not be supported by scp from openssh. | ||
158 | |||
159 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | ||
160 | manpage to scp itself. | ||
161 | |||
162 | Problem logging in because of TCP-Wrappers: | ||
163 | ------------------------------------------- | ||
164 | ssh is compiled with support for tcp-wrappers. So if you can no longer | ||
165 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | ||
166 | are configured so that ssh is not blocked. | ||
167 | |||
168 | Kerberos Authentication: | ||
169 | ------------------------ | ||
170 | ssh is compiled without support for kerberos authentication, and there are | ||
171 | no current plans to support this. Thus the KerberosAuthentication and | ||
172 | KerberosTgtPassing options will not be recognised. | ||
173 | |||
174 | Setgid ssh-agent and environment variables: | ||
175 | ------------------------------------------- | ||
176 | ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace() | ||
177 | attacks retrieving private key material. This has the side-effect of causing | ||
178 | glibc to remove certain environment variables which might have security | ||
179 | implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and | ||
180 | TMPDIR. | ||
181 | |||
182 | If you need to set any of these environment variables, you will need to do | ||
183 | so in the program exec()ed by ssh-agent. This may involve creating a small | ||
184 | wrapper script. | ||
185 | |||
186 | Symlink Hostname invocation: | ||
187 | ---------------------------- | ||
188 | This version of ssh no longer includes support for invoking ssh with the | ||
189 | hostname as the name of the file run. People wanting this support should | ||
190 | use the ssh-argv0 script. | ||
191 | |||
192 | Interoperability between scp and the ssh.com SSH server: | ||
193 | -------------------------------------------------------- | ||
194 | In version 2 and greater of the commercial SSH server produced by SSH | ||
195 | Communications Security, scp was changed to use SFTP (SSH2's file transfer | ||
196 | protocol) instead of the traditional rcp-over-ssh, thereby breaking | ||
197 | compatibility. The OpenSSH developers regard this as a bug in the ssh.com | ||
198 | server, and do not currently intend to change OpenSSH's scp to match. | ||
199 | |||
200 | Workarounds for this problem are to install scp1 on the server (scp2 will | ||
201 | fall back to it), to use sftp, or to use some other transfer mechanism such | ||
202 | as rsync-over-ssh or tar-over-ssh. | ||
203 | |||
204 | -- | ||
205 | Matthew Vernon | ||
206 | <matthew@debian.org> | ||
207 | and | ||
208 | Colin Watson | ||
209 | <cjwatson@debian.org> | ||
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 000000000..532567f8d --- /dev/null +++ b/debian/changelog | |||
@@ -0,0 +1,1114 @@ | |||
1 | openssh (1:3.6p1-1) unstable; urgency=low | ||
2 | |||
3 | * New upstream release. | ||
4 | - Workaround applied upstream for a bug in the interaction of glibc's | ||
5 | getaddrinfo() with the Linux 2.2 kernel (closes: #155814). | ||
6 | - As such, it should now be safe to remove --with-ipv4-default, so | ||
7 | starting sshd with -6 is no longer necessary (closes: #79861 and lots | ||
8 | of other merged bugs). | ||
9 | - ssh-copy-id prints usage when run without arguments (closes: #71376). | ||
10 | - scp exits 1 if ssh fails (closes: #138400). | ||
11 | - sshd writes to utmp's ut_addr_v6 field in IPv6 mode (closes: #167867). | ||
12 | - 'ssh-add -c' causes ssh-agent to ask the user each time a key is used | ||
13 | (closes: #109795). | ||
14 | * Install /etc/default/ssh non-executable (closes: #185537). | ||
15 | |||
16 | -- Colin Watson <cjwatson@debian.org> Mon, 31 Mar 2003 23:00:59 +0100 | ||
17 | |||
18 | openssh (1:3.5p1-5) unstable; urgency=low | ||
19 | |||
20 | * Add /etc/default/ssh (closes: #161049). | ||
21 | * Run the init script under 'set -e' (closes: #175010). | ||
22 | * Change the default superuser path to include /sbin, /usr/sbin, and | ||
23 | /usr/local/sbin (closes: #128235, #151267). Using login.defs would be | ||
24 | nice, but that belongs to another package. Without a defined API to | ||
25 | retrieve its settings, parsing it is off-limits. | ||
26 | * Build ssh-askpass-gnome with GNOME 2. The source package should still | ||
27 | support building on stable with GNOME 1, using the alternate | ||
28 | libgnome-dev build-dependency (thanks, Colin Walters; closes: #167582). | ||
29 | |||
30 | -- Colin Watson <cjwatson@debian.org> Sun, 9 Mar 2003 20:12:10 +0000 | ||
31 | |||
32 | openssh (1:3.5p1-4) unstable; urgency=low | ||
33 | |||
34 | * Point rlogin and rcp alternatives at slogin and scp respectively rather | ||
35 | than ssh (closes: #121103, #151666). Fix alternative removal to match; | ||
36 | previously it was completely wrong anyway. | ||
37 | * Find out whether /etc/ssh/sshd_not_to_be_run exists and set the debconf | ||
38 | question's default using that information, rather than using debconf as | ||
39 | a registry. Other solutions may be better in the long run, but this is | ||
40 | at least correct (thanks, Matthew Woodcraft; closes: #84725). | ||
41 | * Stop using pam_lastlog, as it doesn't currently work well as a session | ||
42 | module when privilege separation is enabled; it can usually read | ||
43 | /var/log/lastlog but can't write to it. Instead, just use sshd's | ||
44 | built-in support, already enabled by default (closes: #151297, #169938). | ||
45 | * Use 'ssh-keygen -q' rather than redirecting output to /dev/null. | ||
46 | * Add a "this may take some time" warning when creating host keys on | ||
47 | installation (part of #110094). | ||
48 | * When restarting via the init script, check for sshd_not_to_be_run after | ||
49 | stopping sshd (idea from Tomas Pospisek; closes: #149850). | ||
50 | * Append /usr/sbin:/sbin to the init script's $PATH, just in case of | ||
51 | strangeness (closes: #115138). | ||
52 | * Fix a dpkg-statoverride call to redirect stdout to /dev/null, not | ||
53 | stderr. | ||
54 | * Correct copyright file typo: "orignal" -> "original" (closes: #176490). | ||
55 | * Rebuild with libssl0.9.7 (closes: #176983). | ||
56 | * We're up to policy version 3.5.6. DEB_BUILD_OPTIONS stuff still needs to | ||
57 | be looked at. | ||
58 | |||
59 | -- Colin Watson <cjwatson@debian.org> Sat, 18 Jan 2003 01:37:23 +0000 | ||
60 | |||
61 | openssh (1:3.5p1-3) unstable; urgency=low | ||
62 | |||
63 | * Happy new year! | ||
64 | * Use getent rather than id to find out whether the sshd user exists | ||
65 | (closes: #150974). | ||
66 | * Remove some duplication from the postinst's ssh-keysign setuid code. | ||
67 | * Replace db_text with db_input throughout debian/config. (db_text has | ||
68 | been a compatibility wrapper since debconf 0.1.5.) | ||
69 | * Warn about PermitUserEnvironment on upgrade (closes: #167895). | ||
70 | * Use 'make install-nokeys', and disable unused debhelper commands, | ||
71 | thereby forward-porting the last pieces of Zack Weinberg's patch | ||
72 | (closes: #68341). | ||
73 | * Move the man page for gnome-ssh-askpass from the ssh package to | ||
74 | ssh-askpass-gnome (closes: #174449). | ||
75 | * Build with -DLOGIN_NO_ENDOPT, since Debian's /bin/login doesn't accept | ||
76 | '--' to terminate the list of options (closes: #171554). | ||
77 | * Add Jonathan Amery's ssh-argv0 script (closes: #111341). | ||
78 | * Update Danish debconf template (thanks, Morten Brix Pedersen; | ||
79 | closes: #174757). | ||
80 | * Document setgid ssh-agent's effect on certain environment variables in | ||
81 | README.Debian (closes: #167974). | ||
82 | * Document interoperability problems between scp and ssh.com's server in | ||
83 | README.Debian, and suggest some workarounds (closes: #174662). | ||
84 | |||
85 | -- Colin Watson <cjwatson@debian.org> Wed, 1 Jan 2003 14:18:30 +0000 | ||
86 | |||
87 | openssh (1:3.5p1-2) unstable; urgency=low | ||
88 | |||
89 | * Mention in the ssh package description that it provides both ssh and | ||
90 | sshd (closes: #99680). | ||
91 | * Create a system group for ssh-agent, not a user group (closes: #167669). | ||
92 | |||
93 | -- Colin Watson <cjwatson@debian.org> Mon, 4 Nov 2002 13:43:53 +0000 | ||
94 | |||
95 | openssh (1:3.5p1-1) unstable; urgency=low | ||
96 | |||
97 | * New upstream release. | ||
98 | - Fixes typo in ssh-add usage (closes: #152239). | ||
99 | - Fixes 'PermitRootLogin forced-commands-only' (closes: #166184). | ||
100 | - ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys | ||
101 | are deprecated for security reasons and will eventually go away. For | ||
102 | now they can be re-enabled by setting 'PermitUserEnvironment yes' in | ||
103 | sshd_config. | ||
104 | - ssh-agent is installed setgid to prevent ptrace() attacks. The group | ||
105 | actually doesn't matter, as it drops privileges immediately, but to | ||
106 | avoid confusion the postinst creates a new 'ssh' group for it. | ||
107 | * Obsolete patches: | ||
108 | - Solar Designer's privsep+compression patch for Linux 2.2 (see | ||
109 | 1:3.3p1-0.0woody1). | ||
110 | - Hostbased auth ssh-keysign backport (see 1:3.4p1-4). | ||
111 | |||
112 | * Remove duplicated phrase in ssh_config(5) (closes: #152404). | ||
113 | * Source the debconf confmodule at the top of the postrm rather than at | ||
114 | the bottom, to avoid making future non-idempotency problems worse (see | ||
115 | #151035). | ||
116 | * Debconf templates: | ||
117 | - Add Polish (thanks, Grzegorz Kusnierz). | ||
118 | - Update French (thanks, Denis Barbier; closes: #132509). | ||
119 | - Update Spanish (thanks, Carlos Valdivia YagЭe; closes: #164716). | ||
120 | * Write a man page for gnome-ssh-askpass, and link it to ssh-askpass.1 if | ||
121 | this is the selected ssh-askpass alternative (closes: #67775). | ||
122 | |||
123 | -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 | ||
124 | |||
125 | openssh (1:3.4p1-4) unstable; urgency=low | ||
126 | |||
127 | * Allow ssh-krb5 in ssh-askpass-gnome's dependencies (closes: #129532). | ||
128 | * Restore Russia to list of countries where encryption is problematic (see | ||
129 | #148951 and http://www.average.org/freecrypto/). | ||
130 | * Drop ssh-askpass-gnome's priority to optional, per the override file. | ||
131 | * Drop the PAM special case for hurd-i386 (closes: #99157). | ||
132 | * s/dile/idle/ in ssh_config(5) (closes: #118331). | ||
133 | * Note in README.Debian that you need xauth from xbase-clients on the | ||
134 | server for X11 forwarding (closes: #140269). | ||
135 | * Use correct path to upstream README in copyright file (closes: #146037). | ||
136 | * Document the units for ProtocolKeepAlives (closes: #159479). | ||
137 | * Backport upstream patch to fix hostbased auth (closes: #117114). | ||
138 | * Add -g to CFLAGS. | ||
139 | |||
140 | -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 18:58:53 +0100 | ||
141 | |||
142 | openssh (1:3.4p1-3) unstable; urgency=low | ||
143 | |||
144 | * Add myself to Uploaders: and begin acting as temporary maintainer, at | ||
145 | Matthew's request. (Normal service will resume in some months' time.) | ||
146 | * Add sharutils to Build-Depends (closes: #138465). | ||
147 | * Stop creating the /usr/doc/ssh symlink. | ||
148 | |||
149 | * Fix some debconf template typos (closes: #160358). | ||
150 | * Split debconf templates into one file per language. | ||
151 | * Add debconf template translations: | ||
152 | - Brazilian Portuguese (thanks, Andre Luis Lopes; closes: #106173). | ||
153 | - Danish (thanks, Claus Hindsgaul; closes: #126607). | ||
154 | - Japanese (thanks, Tomohiro KUBOTA; closes: #137427). | ||
155 | - Russian (thanks, Ilgiz Kalmetev; closes: #136610). | ||
156 | - Spanish (thanks, Carlos Valdivia YagЭe; closes: #129041). | ||
157 | * Update debconf template translations: | ||
158 | - French (thanks, Igor Genibel; closes: #151361). | ||
159 | - German (thanks, Axel Noetzold; closes: #147069). | ||
160 | * Some of these translations are fuzzy. Please send updates. | ||
161 | |||
162 | -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 14:09:57 +0100 | ||
163 | |||
164 | openssh (1:3.4p1-2) unstable; urgency=high | ||
165 | |||
166 | * Get a security-fixed version into unstable | ||
167 | * Also tidy README.Debian up a little | ||
168 | |||
169 | -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 17:20:59 +0100 | ||
170 | |||
171 | openssh (1:3.4p1-1) testing; urgency=high | ||
172 | |||
173 | * Extend my tendrils back into this package (Closes: #150915, #151098) | ||
174 | * thanks to the security team for their work | ||
175 | * no thanks to ISS/Theo de Raadt for their handling of these bugs | ||
176 | * save old sshd_configs to sshd_config.dpkg-old when auto-generating a | ||
177 | new one | ||
178 | * tell/ask the user about PriviledgeSeparation | ||
179 | * /etc/init.d/ssh run will now create the chroot empty dir if necessary | ||
180 | * Remove our previous statoverride on /usr/bin/ssh (only for people | ||
181 | upgrading from a version where we'd put one in ourselves!) | ||
182 | * Stop slandering Russia, since someone asked so nicely (Closes: #148951) | ||
183 | * Reduce the sleep time in /etc/init.d/ssh during a restart | ||
184 | |||
185 | -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 15:52:10 +0100 | ||
186 | |||
187 | openssh (1:3.4p1-0.0woody1) testing-security; urgency=high | ||
188 | |||
189 | * NMU by the security team. | ||
190 | * New upstream version | ||
191 | |||
192 | -- Michael Stone <mstone@debian.org> Wed, 26 Jun 2002 15:40:38 -0400 | ||
193 | |||
194 | openssh (1:3.3p1-0.0woody4) testing-security; urgency=high | ||
195 | |||
196 | * NMU by the security team. | ||
197 | * fix error when /etc/ssh/sshd_config exists on new install | ||
198 | * check that user doesn't exist before running adduser | ||
199 | * use openssl internal random unconditionally | ||
200 | |||
201 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 19:44:39 -0400 | ||
202 | |||
203 | openssh (1:3.3p1-0.0woody3) testing-security; urgency=high | ||
204 | |||
205 | * NMU by the security team. | ||
206 | * use correct home directory when sshd user is created | ||
207 | |||
208 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
209 | |||
210 | openssh (1:3.3p1-0.0woody2) testing-security; urgency=high | ||
211 | |||
212 | * NMU by the security team. | ||
213 | * Fix rsa1 key creation (Closes: #150949) | ||
214 | * don't fail if sshd user removal fails | ||
215 | * depends: on adduser (Closes: #150907) | ||
216 | |||
217 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
218 | |||
219 | openssh (1:3.3p1-0.0woody1) testing-security; urgency=high | ||
220 | |||
221 | * NMU by the security team. | ||
222 | * New upstream version. | ||
223 | - Enable privilege separation by default. | ||
224 | * Include patch from Solar Designer for privilege separation and | ||
225 | compression on 2.2.x kernels. | ||
226 | * Remove --disable-suid-ssh from configure. | ||
227 | * Support setuid ssh-keysign binary instead of setuid ssh client. | ||
228 | * Check sshd configuration before restarting. | ||
229 | |||
230 | -- Daniel Jacobowitz <dan@debian.org> Mon, 24 Jun 2002 13:43:44 -0400 | ||
231 | |||
232 | openssh (1:3.0.2p1-9) unstable; urgency=high | ||
233 | |||
234 | * Thanks to those who NMUd | ||
235 | * The only change in this version is to debian/control - I've removed | ||
236 | the bit that says you can't export it from the US - it would look | ||
237 | pretty daft to say this about a package in main! Also, it's now OK | ||
238 | to use crypto in France, so I've edited that comment slightly | ||
239 | * Correct a path in README.Debian too (Closes: #138634) | ||
240 | |||
241 | -- Matthew Vernon <matthew@debian.org> Sun, 4 Apr 2002 09:52:59 +0100 | ||
242 | |||
243 | openssh (1:3.0.2p1-8.3) unstable; urgency=medium | ||
244 | |||
245 | * NMU | ||
246 | * Really set urgency to medium this time (oops) | ||
247 | * Fix priority to standard per override while I'm at it | ||
248 | |||
249 | -- Aaron M. Ucko <ucko@debian.org> Sun, 24 Mar 2002 09:00:08 -0500 | ||
250 | |||
251 | openssh (1:3.0.2p1-8.2) unstable; urgency=low | ||
252 | |||
253 | * NMU with maintainer's permission | ||
254 | * Prepare for upcoming ssh-nonfree transitional packages per | ||
255 | <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html> | ||
256 | * Urgency medium because it would really be good to get this into woody | ||
257 | before it releases | ||
258 | * Fix sections to match override file | ||
259 | * Reissued due to clash with non-US -> main move | ||
260 | |||
261 | -- Aaron M. Ucko <ucko@debian.org> Sat, 23 Mar 2002 21:21:52 -0500 | ||
262 | |||
263 | openssh (1:3.0.2p1-8.1) unstable; urgency=low | ||
264 | |||
265 | * NMU | ||
266 | * Move from non-US to mani | ||
267 | |||
268 | -- LaMont Jones <lamont@debian.org> Thu, 21 Mar 2002 09:33:50 -0700 | ||
269 | |||
270 | openssh (1:3.0.2p1-8) unstable; urgency=critical | ||
271 | |||
272 | * Security fix - patch from upstream (Closes: #137209, #137210) | ||
273 | * Undo the changes in the unreleased -7, since they appear to break | ||
274 | things here. Accordingly, the code change is minimal, and I'm | ||
275 | happy to get it into testing ASAP | ||
276 | |||
277 | -- Matthew Vernon <matthew@debian.org> Thu, 7 Mar 2002 14:25:23 +0000 | ||
278 | |||
279 | openssh (1:3.0.2p1-7) unstable; urgency=high | ||
280 | |||
281 | * Build to support IPv6 and IPv4 by default again | ||
282 | |||
283 | -- Matthew Vernon <matthew@debian.org> Sat, 2 Mar 2002 00:25:05 +0000 | ||
284 | |||
285 | openssh (1:3.0.2p1-6) unstable; urgency=high | ||
286 | |||
287 | * Correct error in the clean target (Closes: #130868) | ||
288 | |||
289 | -- Matthew Vernon <matthew@debian.org> Sat, 26 Jan 2002 00:32:00 +0000 | ||
290 | |||
291 | openssh (1:3.0.2p1-5) unstable; urgency=medium | ||
292 | |||
293 | * Include the Debian version in our identification, to make it easier to | ||
294 | audit networks for patched versions in future | ||
295 | |||
296 | -- Matthew Vernon <matthew@debian.org> Mon, 21 Jan 2002 17:16:10 +0000 | ||
297 | |||
298 | openssh (1:3.0.2p1-4) unstable; urgency=medium | ||
299 | |||
300 | * If we're asked to not run sshd, stop any running sshd's first | ||
301 | (Closes: #129327) | ||
302 | |||
303 | -- Matthew Vernon <matthew@debian.org> Wed, 16 Jan 2002 21:24:16 +0000 | ||
304 | |||
305 | openssh (1:3.0.2p1-3) unstable; urgency=high | ||
306 | |||
307 | * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913) | ||
308 | * Remove extra debconf suggestion (Closes: #128094) | ||
309 | * Mmm. speedy bug-fixing :-) | ||
310 | |||
311 | -- Matthew Vernon <matthew@debian.org> Sat, 12 Jan 2002 17:23:58 +0000 | ||
312 | |||
313 | openssh (1:3.0.2p1-2) unstable; urgency=high | ||
314 | |||
315 | * Fix postinst to not automatically overwrite sshd_config (!) | ||
316 | (Closes: #127842, #127867) | ||
317 | * Add section in README.Debian about the PermitRootLogin setting | ||
318 | |||
319 | -- Matthew Vernon <matthew@debian.org> Sat, 5 Jan 2003 05:26:30 +0000 | ||
320 | |||
321 | openssh (1:3.0.2p1-1) unstable; urgency=high | ||
322 | |||
323 | * Incorporate fix from Colin's NMU | ||
324 | * New upstream version (fixes the bug Wichert fixed) (Closes: #124035) | ||
325 | * Capitalise IETF (Closes: #125379) | ||
326 | * Refer to the correct sftp-server location (Closes: #126854, #126224) | ||
327 | * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247) | ||
328 | * Ask people upgrading from potato if they want a new conffile | ||
329 | (Closes: #125642) | ||
330 | * Fix a typo in postinst (Closes: #122192, #122410, #123440) | ||
331 | * Frob the default config a little (Closes: #122284, #125827, #125696, | ||
332 | #123854) | ||
333 | * Make /etc/init.d/ssh be more clear about ssh not running (Closes: | ||
334 | #123552) | ||
335 | * Fix typo in templates file (Closes: #123411) | ||
336 | |||
337 | -- Matthew Vernon <matthew@debian.org> Fri, 4 Jan 2002 16:01:52 +0000 | ||
338 | |||
339 | openssh (1:3.0.1p1-1.2) unstable; urgency=high | ||
340 | |||
341 | * Non-maintainer upload | ||
342 | * Prevent local users from passing environment variables to the login | ||
343 | process when UseLogin is enabled | ||
344 | |||
345 | -- Wichert Akkerman <wakkerma@debian.org> Mon, 3 Dec 2001 19:34:45 +0100 | ||
346 | |||
347 | openssh (1:3.0.1p1-1.1) unstable; urgency=low | ||
348 | |||
349 | * Non-maintainer upload, at Matthew's request. | ||
350 | * Remove sa_restorer assignment to fix compilation on alpha, hppa, and | ||
351 | ia64 (closes: #122086). | ||
352 | |||
353 | -- Colin Watson <cjwatson@debian.org> Sun, 2 Dec 2001 18:54:16 +0000 | ||
354 | |||
355 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
356 | |||
357 | * New upstream version (Closes: #113646, #113513, #114707, #118564) | ||
358 | * Building with a libc that works (!) (Closes: #115228) | ||
359 | * Patches forward-ported are -1/-2 options for scp, the improvement to | ||
360 | 'waiting for forwarded connections to terminate...' | ||
361 | * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228) | ||
362 | * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst | ||
363 | * Remove suidregister leftover from postrm | ||
364 | * Mention key we are making in the postinst | ||
365 | * Default to not enable SSH protocol 1 support, since protocol 2 is | ||
366 | much safer anyway. | ||
367 | * New version of the vpn-fixes patch, from Ian Jackson | ||
368 | * New handling of -q, and added new -qq option; thanks to Jon Amery | ||
369 | * Experimental smartcard support not enabled, since I have no way of | ||
370 | testing it. | ||
371 | |||
372 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||
373 | |||
374 | openssh (1:2.9p2-6) unstable; urgency=low | ||
375 | |||
376 | * check for correct file in /etc/init.d/ssh (Closes: #110876) | ||
377 | * correct location of version 2 keys in ssh.1 (Closes: #110439) | ||
378 | * call update-alternatives --quiet (Closes: #103314) | ||
379 | * hack ssh-copy-id to chmod go-w (Closes: #95551) | ||
380 | * TEMPORARY fix to provide largefile support using a -D in the cflags | ||
381 | line. long-term, upstream will patch the autoconf stuff | ||
382 | (Closes: #106809, #111849) | ||
383 | * remove /etc/rc references in ssh-keygen.1 (Closes: #68350) | ||
384 | * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054) | ||
385 | * Check for files containing a newline character (Closes: #111692) | ||
386 | |||
387 | -- Matthew Vernon <matthew@debian.org> Thu, 13 Sep 2001 16:47:36 +0100 | ||
388 | |||
389 | openssh (1:2.9p2-5) unstable; urgency=high | ||
390 | |||
391 | * Thanks to all the bug-fixers who helped! | ||
392 | * remove sa_restorer assignment (Closes: #102837) | ||
393 | * patch from Peter Benie to DTRT wrt X forwarding if the server refuses | ||
394 | us access (Closes: #48297) | ||
395 | * patch from upstream CVS to fix port forwarding (Closes: #107132) | ||
396 | * patch from Jonathan Amery to document ssh-keygen behaviour | ||
397 | (Closes:#106643, #107512) | ||
398 | * patch to postinst from Jonathan Amery (Closes: #106411) | ||
399 | * patch to manpage from Jonathan Amery (Closes: #107364) | ||
400 | * patch from Matthew Vernon to make -q emit fatal errors as that is the | ||
401 | documented behaviour (Closes: #64347) | ||
402 | * patch from Ian Jackson to cause us to destroy a file when we scp it | ||
403 | onto itself, rather than dumping bits of our memory into it, which was | ||
404 | a security hole (see #51955) | ||
405 | * patch from Jonathan Amery to document lack of Kerberos support | ||
406 | (Closes: #103726) | ||
407 | * patch from Matthew Vernon to make the 'waiting for connections to | ||
408 | terminate' message more helpful (Closes: #50308) | ||
409 | |||
410 | -- Matthew Vernon <matthew@debian.org> Thu, 23 Aug 2001 02:14:09 +0100 | ||
411 | |||
412 | openssh (1:2.9p2-4) unstable; urgency=high | ||
413 | |||
414 | * Today's build of ssh is strawberry flavoured | ||
415 | * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176) | ||
416 | * Tidy up debconf template (Closes: #106152) | ||
417 | * If called non-setuid, then setgid()'s failure should not be fatal (see | ||
418 | #105854) | ||
419 | |||
420 | -- Matthew Vernon <matthew@debian.org> Sun, 22 Jul 2001 14:19:43 +0100 | ||
421 | |||
422 | openssh (1:2.9p2-3) unstable; urgency=low | ||
423 | |||
424 | * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061) | ||
425 | * Improve the IdentityFile section in the man page (Closes: #106038) | ||
426 | |||
427 | -- Matthew Vernon <matthew@debian.org> Sat, 21 Jul 2001 14:47:27 +0100 | ||
428 | |||
429 | openssh (1:2.9p2-2) unstable; urgency=low | ||
430 | |||
431 | * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868) | ||
432 | * Make PrintLastLog 'no' by default (Closes: #105893) | ||
433 | |||
434 | -- Matthew Vernon <matthew@debian.org> Thu, 19 Jul 2001 18:36:41 +0100 | ||
435 | |||
436 | openssh (1:2.9p2-1) unstable; urgency=low | ||
437 | |||
438 | * new (several..) upstream version (Closes: #96726, #81856, #96335) | ||
439 | * Hopefully, this will close some other bugs too | ||
440 | |||
441 | -- Matthew Vernon <matthew@debian.org> Tue, 17 Jul 2001 19:41:58 +0100 | ||
442 | |||
443 | openssh (1:2.5.2p2-3) unstable; urgency=low | ||
444 | |||
445 | * Taking Over this package | ||
446 | * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991) | ||
447 | * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274) | ||
448 | * Don't fiddle with conf-files any more (Closes: #69501) | ||
449 | |||
450 | -- Matthew Vernon <matthew@debian.org> Tue, 03 Jul 2001 02:58:13 +0100 | ||
451 | |||
452 | openssh (1:2.5.2p2-2.2) unstable; urgency=low | ||
453 | |||
454 | * NMU | ||
455 | * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033) | ||
456 | * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273) | ||
457 | * Patch from Matthew Vernon for BannerTimeOut, batchmode, and | ||
458 | documentation for protocolkeepalives. Makes ssh more generally useful | ||
459 | for scripting uses (Closes: #82877, #99275) | ||
460 | * Set a umask, so ourpidfile isn't world-writable (closes: #100012, | ||
461 | #98286, #97391) | ||
462 | |||
463 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Jun 2001 23:15:42 +0100 | ||
464 | |||
465 | openssh (1:2.5.2p2-2.1) unstable; urgency=low | ||
466 | |||
467 | * NMU | ||
468 | * Remove duplicate Build-Depends for libssl096-dev and change it to | ||
469 | depend on libssl-dev instaed. Also adding in virtual | real package | ||
470 | style build-deps. (Closes: #93793, #75228) | ||
471 | * Removing add-log entry (Closes: #79266) | ||
472 | * This was a pam bug from a while back (Closes: #86908, #88457, #86843) | ||
473 | * pam build-dep already exists (Closes: #93683) | ||
474 | * libgnome-dev build-dep already exists (Closes: #93694) | ||
475 | * No longer in non-free (Closes: #85401) | ||
476 | * Adding in fr debconf translations (Closes: #83783) | ||
477 | * Already suggests xbase-clients (Closes: #79741) | ||
478 | * No need to suggest libpam-pwdb anymore (Closes: #81658) | ||
479 | * Providing rsh-client (Closes: #79437) | ||
480 | * hurd patch was already applied (Closes: #76033) | ||
481 | * default set to no (Closes: #73682) | ||
482 | * Adding in a suggests for dnsutils (Closes: #93265) | ||
483 | * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612) | ||
484 | (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465) | ||
485 | * Adding in debconf dependency | ||
486 | |||
487 | -- Ivan E. Moore II <rkrusty@debian.org> Mon, 16 Apr 2001 14:11:04 +0100 | ||
488 | |||
489 | openssh (1:2.5.2p2-2) unstable; urgency=high | ||
490 | |||
491 | * disable the OpenSSL version check in entropy.c | ||
492 | (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648) | ||
493 | |||
494 | -- Philip Hands <phil@uk.alcove.com> Wed, 11 Apr 2001 20:30:04 +0100 | ||
495 | |||
496 | openssh (1:2.5.2p2-1) unstable; urgency=low | ||
497 | |||
498 | * New upstream release | ||
499 | * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748) | ||
500 | * fix double space indent in german templates (closes: #89493) | ||
501 | * make postinst check for ssh_host_rsa_key | ||
502 | * get rid of the last of the misguided debian/rules NMU debris :-/ | ||
503 | |||
504 | -- Philip Hands <phil@hands.com> Sat, 24 Mar 2001 20:59:33 +0000 | ||
505 | |||
506 | openssh (1:2.5.1p2-2) unstable; urgency=low | ||
507 | |||
508 | * rebuild with new debhelper (closes: #89558, #89536, #90225) | ||
509 | * fix broken dpkg-statoverride test in postinst | ||
510 | (closes: #89612, #90474, #90460, #89605) | ||
511 | * NMU bug fixed but not closed in last upload (closes: #88206) | ||
512 | |||
513 | -- Philip Hands <phil@hands.com> Fri, 23 Mar 2001 16:11:33 +0000 | ||
514 | |||
515 | openssh (1:2.5.1p2-1) unstable; urgency=high | ||
516 | |||
517 | * New upstream release | ||
518 | * fix typo in postinst (closes: #88110) | ||
519 | * revert to setting PAM service name in debian/rules, backing out last | ||
520 | NMU, which also (closes: #88101) | ||
521 | * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config | ||
522 | * restore printlastlog option patch | ||
523 | * revert to using debhelper, which had been partially disabled in NMUs | ||
524 | |||
525 | -- Philip Hands <phil@hands.com> Tue, 13 Mar 2001 01:41:34 +0000 | ||
526 | |||
527 | openssh (1:2.5.1p1-1.8) unstable; urgency=high | ||
528 | |||
529 | * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed | ||
530 | |||
531 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 19:48:01 +0100 | ||
532 | |||
533 | openssh (1:2.5.1p1-1.7) unstable; urgency=high | ||
534 | |||
535 | * And now we mark the correct binary as setuid, when a user requested | ||
536 | to install it setuid. | ||
537 | |||
538 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 07:19:56 +0100 | ||
539 | |||
540 | openssh (1:2.5.1p1-1.6) unstable; urgency=high | ||
541 | |||
542 | * Fixes postinst to handle overrides that are already there. Damn, I | ||
543 | should have noticed the bug earlier. | ||
544 | |||
545 | -- Christian Kurz <shorty@debian.org> Wed, 28 Feb 2001 22:35:00 +0100 | ||
546 | |||
547 | openssh (1:2.5.1p1-1.5) unstable; urgency=high | ||
548 | |||
549 | * Rebuild ssh with pam-support. | ||
550 | |||
551 | -- Christian Kurz <shorty@debian.org> Mon, 26 Feb 2001 21:55:51 +0100 | ||
552 | |||
553 | openssh (1:2.5.1p1-1.4) unstable; urgency=low | ||
554 | |||
555 | * Added Build-Depends on libssl096-dev. | ||
556 | * Fixed sshd_config file to disallow root logins again. | ||
557 | |||
558 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 20:03:55 +0100 | ||
559 | |||
560 | openssh (1:2.5.1p1-1.3) unstable; urgency=low | ||
561 | |||
562 | * Fixed missing manpages for sftp.1 and ssh-keyscan.1 | ||
563 | * Made package policy 3.5.2 compliant. | ||
564 | |||
565 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 15:46:26 +0100 | ||
566 | |||
567 | openssh (1:2.5.1p1-1.2) unstable; urgency=low | ||
568 | |||
569 | * Added Conflict with sftp, since we now provide our own sftp-client. | ||
570 | * Added a fix for our broken dpkg-statoverride call in the | ||
571 | 2.3.0p1-13. | ||
572 | * Fixed some config pathes in the comments of sshd_config. | ||
573 | * Removed ssh-key-exchange-vulnerability-patch since it's not needed | ||
574 | anymore because upstream included the fix. | ||
575 | |||
576 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 13:46:58 +0100 | ||
577 | |||
578 | openssh (1:2.5.1p1-1.1) unstable; urgency=high | ||
579 | |||
580 | * Another NMU to get the new upstream version 2.5.1p1 into | ||
581 | unstable. (Closes: #87123) | ||
582 | * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766) | ||
583 | * Key Exchange patch is already included by upstream. (Closes: #86015) | ||
584 | * Upgrading should be possible now. (Closes: #85525, #85523) | ||
585 | * Added --disable-suid-ssh as compile option, so ssh won't get installed | ||
586 | suid per default. | ||
587 | * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride | ||
588 | is available and the mode of the binary should be 4755. And also added | ||
589 | suggestion for a newer dpkg. | ||
590 | (Closes: #85734, #85741, #86876) | ||
591 | * sftp and ssh-keyscan will also be included from now on. (Closes: #79994) | ||
592 | * scp now understands spaces in filenames (Closes: #53783, #58958, | ||
593 | #66723) | ||
594 | * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623) | ||
595 | * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035) | ||
596 | * ssh supports the usage of other dsa keys via the ssh command line | ||
597 | options. (Closes: #81250) | ||
598 | * Documentation in sshd_config fixed. (Closes: #81088) | ||
599 | * primes file included by upstream and included now. (Closes: #82101) | ||
600 | * scp now allows dots in the username. (Closes: #82477) | ||
601 | * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124) | ||
602 | |||
603 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 10:06:08 +0100 | ||
604 | |||
605 | openssh (1:2.3.0p1-1.13) unstable; urgency=low | ||
606 | |||
607 | * Config should now also be fixed with this hopefully last NMU. | ||
608 | |||
609 | -- Christian Kurz <shorty@debian.org> Sat, 10 Feb 2001 22:56:36 +0100 | ||
610 | |||
611 | openssh (1:2.3.0p1-1.12) unstable; urgency=high | ||
612 | |||
613 | * Added suggest for xbase-clients to control-file. (Closes #85227) | ||
614 | * Applied patch from Markus Friedl to fix a vulnerability in | ||
615 | the rsa keyexchange. | ||
616 | * Fixed position of horizontal line. (Closes: #83613) | ||
617 | * Fixed hopefully the grep problem in the config-file. (Closes: #78802) | ||
618 | * Converted package from suidregister to dpkg-statoverride. | ||
619 | |||
620 | -- Christian Kurz <shorty@debian.org> Fri, 9 Feb 2001 19:43:55 +0100 | ||
621 | |||
622 | openssh (1:2.3.0p1-1.11) unstable; urgency=medium | ||
623 | |||
624 | * Fixed some typos in the german translation of the debconf | ||
625 | template. | ||
626 | |||
627 | -- Christian Kurz <shorty@debian.org> Wed, 24 Jan 2001 18:22:38 +0100 | ||
628 | |||
629 | openssh (1:2.3.0p1-1.10) unstable; urgency=medium | ||
630 | |||
631 | * Fixed double printing of motd. (Closes: #82618) | ||
632 | |||
633 | -- Christian Kurz <shorty@debian.org> Tue, 23 Jan 2001 21:03:43 +0100 | ||
634 | |||
635 | openssh (1:2.3.0p1-1.9) unstable; urgency=high | ||
636 | |||
637 | * And the next NMU which includes the patch from Andrew Bartlett | ||
638 | and Markus Friedl to fix the root privileges handling of openssh. | ||
639 | (Closes: #82657) | ||
640 | |||
641 | -- Christian Kurz <shorty@debian.org> Wed, 17 Jan 2001 22:20:54 +0100 | ||
642 | |||
643 | openssh (1:2.3.0p1-1.8) unstable; urgency=high | ||
644 | |||
645 | * Applied fix from Ryan Murray to allow building on other architectures | ||
646 | since the hurd patch was wrong. (Closes: #82471) | ||
647 | |||
648 | -- Christian Kurz <shorty@debian.org> Tue, 16 Jan 2001 22:45:51 +0100 | ||
649 | |||
650 | openssh (1:2.3.0p1-1.7) unstable; urgency=medium | ||
651 | |||
652 | * Fixed another typo on sshd_config | ||
653 | |||
654 | -- Christian Kurz <shorty@debian.org> Sun, 14 Jan 2001 19:01:31 +0100 | ||
655 | |||
656 | openssh (1:2.3.0p1-1.6) unstable; urgency=high | ||
657 | |||
658 | * Added Build-Dependency on groff (Closes: #81886) | ||
659 | * Added Build-Depencency on debhelper (Closes: #82072) | ||
660 | * Fixed entry for known_hosts in sshd_config (Closes: #82096) | ||
661 | |||
662 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 23:08:16 +0100 | ||
663 | |||
664 | openssh (1:2.3.0p1-1.5) unstable; urgency=high | ||
665 | |||
666 | * Fixed now also the problem with sshd used as default ipv4 and | ||
667 | didn't use IPv6. This should be now fixed. | ||
668 | |||
669 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 21:25:55 +0100 | ||
670 | |||
671 | openssh (1:2.3.0p1-1.4) unstable; urgency=high | ||
672 | |||
673 | * Fixed buggy entry in postinst. | ||
674 | |||
675 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 23:12:16 +0100 | ||
676 | |||
677 | openssh (1:2.3.0p1-1.3) unstable; urgency=high | ||
678 | |||
679 | * After finishing the rewrite of the rules-file I had to notice that | ||
680 | the manpage installation was broken. This should now work again. | ||
681 | |||
682 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 22:11:59 +0100 | ||
683 | |||
684 | openssh (1:2.3.0p1-1.2) unstable; urgency=high | ||
685 | |||
686 | * Fixed the screwed up build-dependency. | ||
687 | * Removed --with-ipv4-default to support ipv6. | ||
688 | * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd. | ||
689 | * Fixed location to sftp-server in config. | ||
690 | * Since debian still relies on /etc/pam.d/ssh instead of moving to | ||
691 | /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name. | ||
692 | * Fixed path to host key in sshd_config. | ||
693 | |||
694 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 08:23:47 +0100 | ||
695 | |||
696 | openssh (1:2.3.0p1-1.1) unstable; urgency=medium | ||
697 | |||
698 | * NMU with permission of Phil Hands. | ||
699 | * New upstream release | ||
700 | * Update Build-Depends to point to new libssl096. | ||
701 | * This upstream release doesn't leak any information depending | ||
702 | on the setting of PermitRootLogin (Closes: #59933) | ||
703 | * New upstream release contains fix against forcing a client to | ||
704 | do X/agent forwarding (Closes: #76788) | ||
705 | * Changed template to contain correct path to the documentation | ||
706 | (Closes: #67245) | ||
707 | * Added --with-4in6 switch as compile option into debian/rules. | ||
708 | * Added --with-ipv4-default as compile option into debian/rules. | ||
709 | (Closes: #75037) | ||
710 | * Changed default path to also contain /usr/local/bin and | ||
711 | /usr/X11R6/bin (Closes: #62472,#54567,#62810) | ||
712 | * Changed path to sftp-server in sshd_config to match the | ||
713 | our package (Closes: #68347) | ||
714 | * Replaced OpenBSDh with OpenBSD in the init-script. | ||
715 | * Changed location to original source in copyright.head | ||
716 | * Changed behaviour of init-script when invoked with the option | ||
717 | restart (Closes: #68706,#72560) | ||
718 | * Added a note about -L option of scp to README.Debian | ||
719 | * ssh won't print now the motd if invoked with -t option | ||
720 | (Closes: #59933) | ||
721 | * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867) | ||
722 | * Added a note about tcp-wrapper support to README.Debian | ||
723 | (Closes: #72807,#22190) | ||
724 | * Removed two unneeded options from building process. | ||
725 | * Added sshd.pam into debian dir and install it. | ||
726 | * Commented out unnecessary call to dh_installinfo. | ||
727 | * Added a line to sshd.pam so that limits will be paid attention | ||
728 | to (Closes: #66904) | ||
729 | * Restart Option has a Timeout of 10 seconds (Closes: 51264) | ||
730 | * scp won't override files anymore (Closes: 51955) | ||
731 | * Removed pam_lastlog module, so that the lastlog is now printed | ||
732 | only once (Closes: #71742, #68335, #69592, #71495, #77781) | ||
733 | * If password is expired, openssh now forces the user to change it. | ||
734 | (Closes: #51747) | ||
735 | * scp should now have no more problems with shell-init-files that | ||
736 | produces ouput (Closes: #56280,#59873) | ||
737 | * ssh now prints the motd correctly (Closes: #66926) | ||
738 | * ssh upgrade should disable ssh daemon only if users has choosen | ||
739 | to do so (Closes: #67478) | ||
740 | * ssh can now be installed suid (Closes: #70879) | ||
741 | * Modified debian/rules to support hurd. | ||
742 | |||
743 | -- Christian Kurz <shorty@debian.org> Wed, 27 Dec 2000 20:06:57 +0100 | ||
744 | |||
745 | openssh (1:2.2.0p1-1.1) unstable; urgency=medium | ||
746 | |||
747 | * Non-Maintainer Upload | ||
748 | * Check for new returns in the new libc | ||
749 | (closes: #72803, #74393, #72797, #71307, #71702) | ||
750 | * Link against libssl095a (closes: #66304) | ||
751 | * Correct check for PermitRootLogin (closes: #69448) | ||
752 | |||
753 | -- Ryan Murray <rmurray@debian.org> Wed, 18 Oct 2000 00:48:18 -0700 | ||
754 | |||
755 | openssh (1:2.2.0p1-1) unstable; urgency=low | ||
756 | |||
757 | * New upstream release | ||
758 | |||
759 | -- Philip Hands <phil@hands.com> Mon, 11 Sep 2000 14:49:43 +0100 | ||
760 | |||
761 | openssh (1:2.1.1p4-3) unstable; urgency=low | ||
762 | |||
763 | * add rsh alternatives | ||
764 | * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097) | ||
765 | * do the IPV4_DEFAULT thing properly this time | ||
766 | |||
767 | -- Philip Hands <phil@hands.com> Fri, 11 Aug 2000 18:14:37 +0100 | ||
768 | |||
769 | openssh (1:2.1.1p4-2) unstable; urgency=low | ||
770 | |||
771 | * reinstate manpage .out patch from 1:1.2.3 | ||
772 | * fix typo in postinst | ||
773 | * only compile ssh with IPV4_DEFAULT | ||
774 | * apply James Troup's patch to add a -o option to scp and updated manpage | ||
775 | |||
776 | -- Philip Hands <phil@hands.com> Sun, 30 Jul 2000 00:12:49 +0100 | ||
777 | |||
778 | openssh (1:2.1.1p4-1) unstable; urgency=low | ||
779 | |||
780 | * New upstream release | ||
781 | |||
782 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 14:46:16 +0100 | ||
783 | |||
784 | openssh (1:1.2.3-10) unstable; urgency=low | ||
785 | |||
786 | * add version to libpam-modules dependency, because old versions of | ||
787 | pam_motd make it impossible to log in. | ||
788 | |||
789 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 13:28:22 +0100 | ||
790 | |||
791 | openssh (1:1.2.3-9) frozen unstable; urgency=low | ||
792 | |||
793 | * force location of /usr/bin/X11/xauth | ||
794 | (closes: #64424, #66437, #66859) *RC* | ||
795 | * typos in config (closes: #66779, #66780) | ||
796 | * sshd_not_to_be_run could be assumed to be true, in error, if the config | ||
797 | script died in an unusual way --- I've reversed this (closes: #66335) | ||
798 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk | ||
799 | (closes: #65981) | ||
800 | * change default for PermitRootLogin to "no" (closes: #66406) | ||
801 | |||
802 | -- Philip Hands <phil@hands.com> Tue, 11 Jul 2000 20:51:18 +0100 | ||
803 | |||
804 | openssh (1:1.2.3-8) frozen unstable; urgency=low | ||
805 | |||
806 | * get rid of Provides: rsh-server (this will mean that rstartd | ||
807 | will need to change it's depends to deal with #63948, which I'm | ||
808 | reopening) (closes: #66257) | ||
809 | Given that this is also a trivial change, and is a reversal of a | ||
810 | change that was mistakenly made after the freeze, I think this should | ||
811 | also go into frozen. | ||
812 | |||
813 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:26:30 +0100 | ||
814 | |||
815 | openssh (1:1.2.3-7) frozen unstable; urgency=low | ||
816 | |||
817 | * check if debconf is installed before calling db_stop in postinst. | ||
818 | This is required to allow ssh to be installed when debconf is not | ||
819 | wanted, which probably makes it an RC upload (hopefully the last of | ||
820 | too many). | ||
821 | |||
822 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:19:47 +0100 | ||
823 | |||
824 | openssh (1:1.2.3-6) frozen unstable; urgency=low | ||
825 | |||
826 | * fixed depressing little bug involving a line wrap looking like | ||
827 | a blank line in the templates file *RC* | ||
828 | (closes: #66090, #66078, #66083, #66182) | ||
829 | |||
830 | -- Philip Hands <phil@hands.com> Mon, 26 Jun 2000 00:45:05 +0100 | ||
831 | |||
832 | openssh (1:1.2.3-5) frozen unstable; urgency=low | ||
833 | |||
834 | * add code to prevent UseLogin exploit, although I think our PAM | ||
835 | conditional code breaks UseLogin in a way that protects us from this | ||
836 | exploit anyway. ;-) (closes: #65495) *RC* | ||
837 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard | ||
838 | grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC* | ||
839 | * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3) | ||
840 | and use db_stop in the postinst to solve that problem instead | ||
841 | (closes: #65104) | ||
842 | * add Provides: rsh-server to ssh (closes: #63948) | ||
843 | * provide config option not to run sshd | ||
844 | |||
845 | -- Philip Hands <phil@hands.com> Mon, 12 Jun 2000 23:05:11 +0100 | ||
846 | |||
847 | openssh (1:1.2.3-4) frozen unstable; urgency=low | ||
848 | |||
849 | * fixes #63436 which is *RC* | ||
850 | * add 10 second pause in init.d restart (closes: #63844) | ||
851 | * get rid of noenv in PAM mail line (closes: #63856) | ||
852 | * fix host key path in make-ssh-known-hosts (closes: #63713) | ||
853 | * change wording of SUID template (closes: #62788, #63436) | ||
854 | |||
855 | -- Philip Hands <phil@hands.com> Sat, 27 May 2000 11:18:06 +0100 | ||
856 | |||
857 | openssh (1:1.2.3-3) frozen unstable; urgency=low | ||
858 | |||
859 | * redirect sshd's file descriptors to /dev/null in init to | ||
860 | prevent debconf from locking up during installation | ||
861 | ** grave bug just submited by me ** | ||
862 | |||
863 | -- Philip Hands <phil@hands.com> Thu, 20 Apr 2000 17:10:59 +0100 | ||
864 | |||
865 | openssh (1:1.2.3-2) frozen unstable; urgency=low | ||
866 | |||
867 | * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC ** | ||
868 | * suggest debconf | ||
869 | * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst | ||
870 | |||
871 | -- Philip Hands <phil@hands.com> Wed, 19 Apr 2000 17:49:15 +0100 | ||
872 | |||
873 | openssh (1:1.2.3-1) frozen unstable; urgency=low | ||
874 | |||
875 | * New upstream release | ||
876 | * patch sshd to create extra xauth key required for localhost | ||
877 | (closes: #49944) *** RC *** | ||
878 | * FallbacktoRsh now defaults to ``no'' to match impression | ||
879 | given in sshd_config | ||
880 | * stop setting suid bit on ssh (closes: #58711, #58558) | ||
881 | This breaks Rhosts authentication (which nobody uses) and allows | ||
882 | the LD_PRELOAD trick to get socks working, so seems like a net benefit. | ||
883 | |||
884 | -- Philip Hands <phil@hands.com> Thu, 13 Apr 2000 20:01:54 +0100 | ||
885 | |||
886 | openssh (1:1.2.2-1.4) frozen unstable; urgency=low | ||
887 | |||
888 | * Recompile for frozen, contains fix for RC bug. | ||
889 | |||
890 | -- Tommi Virtanen <tv@debian.org> Tue, 29 Feb 2000 22:14:58 +0200 | ||
891 | |||
892 | openssh (1:1.2.2-1.3) unstable; urgency=low | ||
893 | |||
894 | * Integrated man page addition for PrintLastLog. | ||
895 | This bug was filed on "openssh", and I ended up | ||
896 | creating my own patch for this (closes: #59054) | ||
897 | * Improved error message when ssh_exchange_identification | ||
898 | gets EOF (closes: #58904) | ||
899 | * Fixed typo (your -> you're) in debian/preinst. | ||
900 | * Added else-clauses to config to make this upgradepath possible: | ||
901 | oldssh -> openssh preinst fails due to upgrade_to_openssh=false | ||
902 | -> ssh-nonfree -> openssh. Without these, debconf remembered | ||
903 | the old answer, config didn't force asking it, and preinst always | ||
904 | aborted (closes: #56596, #57782) | ||
905 | * Moved setting upgrade_to_openssh isdefault flag to the place | ||
906 | where preinst would abort. This means no double question to most | ||
907 | users, people who currently suffer from "can't upgrade" may need | ||
908 | to run apt-get install ssh twice. Did not do the same for | ||
909 | use_old_init_script, as the situation is a bit different, and | ||
910 | less common (closes: #54010, #56224) | ||
911 | * Check for existance of ssh-keygen before attempting to use it in | ||
912 | preinst, added warning for non-existant ssh-keygen in config. This | ||
913 | happens when the old ssh is removed (say, due to ssh-nonfree getting | ||
914 | installed). | ||
915 | |||
916 | -- Tommi Virtanen <tv@debian.org> Sun, 27 Feb 2000 21:36:43 +0200 | ||
917 | |||
918 | openssh (1:1.2.2-1.2) frozen unstable; urgency=low | ||
919 | |||
920 | * Non-maintainer upload. | ||
921 | * Added configuration option PrintLastLog, default off due to PAM | ||
922 | (closes: #54007, #55042) | ||
923 | * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's | ||
924 | Suggests: line more accurate. Also closing related bugs fixed | ||
925 | earlier, when default ssh-askpass moved to /usr/bin. | ||
926 | (closes: #52403, #54741, #50607, #52298, #50967, #51661) | ||
927 | * Patched to call vhangup, with autoconf detection and all | ||
928 | (closes: #55379) | ||
929 | * Added --with-ipv4-default workaround to a glibc bug causing | ||
930 | slow DNS lookups, as per UPGRADING. Use -6 to really use | ||
931 | IPv6 addresses. (closes: #57891, #58744, #58713, #57970) | ||
932 | * Added noenv to PAM pam_mail line. Thanks to Ben Collins. | ||
933 | (closes: #58429) | ||
934 | * Added the UPGRADING file to the package. | ||
935 | * Added frozen to the changelog line and recompiled before | ||
936 | package was installed into the archive. | ||
937 | |||
938 | -- Tommi Virtanen <tv@debian.org> Fri, 25 Feb 2000 22:08:57 +0200 | ||
939 | |||
940 | openssh (1:1.2.2-1.1) frozen unstable; urgency=low | ||
941 | |||
942 | * Non-maintainer upload. | ||
943 | * Integrated scp pipe buffer patch from Ben Collins | ||
944 | <benc@debian.org>, should now work even if reading | ||
945 | a pipe gives less than fstat st_blksize bytes. | ||
946 | Should now work on Alpha and Sparc Linux (closes: #53697, #52071) | ||
947 | * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393) | ||
948 | * Integrated patch from Ben Collins <benc@debian.org> | ||
949 | to do full shadow account locking and expiration | ||
950 | checking (closes: #58165, #51747) | ||
951 | |||
952 | -- Tommi Virtanen <tv@debian.org> Tue, 22 Feb 2000 20:46:12 +0200 | ||
953 | |||
954 | openssh (1:1.2.2-1) frozen unstable; urgency=medium | ||
955 | |||
956 | * New upstream release (closes: #56870, #56346) | ||
957 | * built against new libesd (closes: #56805) | ||
958 | * add Colin Watson <cjw44@cam.ac.uk> =NULL patch | ||
959 | (closes: #49902, #54894) | ||
960 | * use socketpairs as suggested by Andrew Tridgell to eliminate rsync | ||
961 | (and other) lockups | ||
962 | * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/ | ||
963 | (closes: #49902, #55872, #56959) | ||
964 | * uncoment the * line in ssh_config (closes: #56444) | ||
965 | |||
966 | * #54894 & #49902 are release critical, so this should go in frozen | ||
967 | |||
968 | -- Philip Hands <phil@hands.com> Wed, 9 Feb 2000 04:52:04 +0000 | ||
969 | |||
970 | openssh (1:1.2.1pre24-1) unstable; urgency=low | ||
971 | |||
972 | * New upstream release | ||
973 | |||
974 | -- Philip Hands <phil@hands.com> Fri, 31 Dec 1999 02:47:24 +0000 | ||
975 | |||
976 | openssh (1:1.2.1pre23-1) unstable; urgency=low | ||
977 | |||
978 | * New upstream release | ||
979 | * excape ? in /etc/init.d/ssh (closes: #53269) | ||
980 | |||
981 | -- Philip Hands <phil@hands.com> Wed, 29 Dec 1999 16:50:46 +0000 | ||
982 | |||
983 | openssh (1:1.2pre17-1) unstable; urgency=low | ||
984 | |||
985 | * New upstream release | ||
986 | |||
987 | -- Philip Hands <phil@hands.com> Thu, 9 Dec 1999 16:50:40 +0000 | ||
988 | |||
989 | openssh (1:1.2pre16-1) unstable; urgency=low | ||
990 | |||
991 | * New upstream release | ||
992 | * upstream release (1.2pre14) (closes: #50299) | ||
993 | * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776) | ||
994 | * dispose of grep -q broken pipe message in config script (closes: #50855) | ||
995 | * add make-ssh-known-hosts (closes: #50660) | ||
996 | * add -i option to ssh-copy-id (closes: #50657) | ||
997 | * add check for *LK* in password, indicating a locked account | ||
998 | |||
999 | -- Philip Hands <phil@hands.com> Wed, 8 Dec 1999 22:59:38 +0000 | ||
1000 | |||
1001 | openssh (1:1.2pre13-1) unstable; urgency=low | ||
1002 | |||
1003 | * New upstream release | ||
1004 | * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules | ||
1005 | * remove duplicate line in /etc/pam.d/ssh (closes: #50310) | ||
1006 | * mention ssh -A option in ssh.1 & ssh_config | ||
1007 | * enable forwarding to localhost in default ssh_config (closes: #50373) | ||
1008 | * tweak preinst to deal with debconf being `unpacked' | ||
1009 | * use --with-tcp-wrappers (closes: #49545) | ||
1010 | |||
1011 | -- Philip Hands <phil@hands.com> Sat, 20 Nov 1999 14:20:04 +0000 | ||
1012 | |||
1013 | openssh (1:1.2pre11-2) unstable; urgency=low | ||
1014 | |||
1015 | * oops, just realised that I forgot to strip out the unpleasant | ||
1016 | fiddling mentioned below (which turned not to be a fix anyway) | ||
1017 | |||
1018 | -- Philip Hands <phil@hands.com> Mon, 15 Nov 1999 01:35:23 +0000 | ||
1019 | |||
1020 | openssh (1:1.2pre11-1) unstable; urgency=low | ||
1021 | |||
1022 | * New upstream release (closes: #49722) | ||
1023 | * add 2>/dev/null to dispose of spurious message casused by grep -q | ||
1024 | (closes: #49876, #49604) | ||
1025 | * fix typo in debian/control (closes: #49841) | ||
1026 | * Do some unpleasant fiddling with upgraded keys in the preinst, which | ||
1027 | should make the keylength problem go away. (closes: #49676) | ||
1028 | * make pam_start in sshd use ``ssh'' as the service name (closes: #49956) | ||
1029 | * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107) | ||
1030 | * apply Ben Collins <bcollins@debian.org>'s shadow patch | ||
1031 | * disable lastlogin and motd printing if using pam (closes: #49957) | ||
1032 | * add ssh-copy-id script and manpage | ||
1033 | |||
1034 | -- Philip Hands <phil@hands.com> Fri, 12 Nov 1999 01:03:38 +0000 | ||
1035 | |||
1036 | openssh (1:1.2pre9-1) unstable; urgency=low | ||
1037 | |||
1038 | * New upstream release | ||
1039 | * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch | ||
1040 | to channels.c, to make forwarded ports instantly reusable | ||
1041 | * replace Pre-Depend: debconf with some check code in preinst | ||
1042 | * make the ssh-add ssh-askpass failure message more helpful | ||
1043 | * fix the ssh-agent getopts bug (closes: #49426) | ||
1044 | * fixed typo on Suggests: line (closes: #49704, #49571) | ||
1045 | * tidy up ssh package description (closes: #49642) | ||
1046 | * make ssh suid (closes: #49635) | ||
1047 | * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606) | ||
1048 | * disable agent forwarding by default, for the similar reasons as | ||
1049 | X forwarding (closes: #49586) | ||
1050 | |||
1051 | -- Philip Hands <phil@hands.com> Tue, 9 Nov 1999 09:57:47 +0000 | ||
1052 | |||
1053 | openssh (1:1.2pre7-4) unstable; urgency=low | ||
1054 | |||
1055 | * predepend on debconf (>= 0.2.17) should now allow preinst questions | ||
1056 | |||
1057 | -- Philip Hands <phil@hands.com> Sat, 6 Nov 1999 10:31:06 +0000 | ||
1058 | |||
1059 | openssh (1:1.2pre7-3) unstable; urgency=low | ||
1060 | |||
1061 | * add ssh-askpass package using Tommi Virtanen's perl-tk script | ||
1062 | * add ssh-preconfig package cludge | ||
1063 | * add usage hints to ssh-agent.1 | ||
1064 | |||
1065 | -- Philip Hands <phil@hands.com> Fri, 5 Nov 1999 00:38:33 +0000 | ||
1066 | |||
1067 | openssh (1:1.2pre7-2) unstable; urgency=low | ||
1068 | |||
1069 | * use pam patch from Ben Collins <bcollins@debian.org> | ||
1070 | * add slogin symlink to Makefile.in | ||
1071 | * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login | ||
1072 | * sort out debconf usage | ||
1073 | * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass | ||
1074 | |||
1075 | -- Philip Hands <phil@hands.com> Thu, 4 Nov 1999 11:08:54 +0000 | ||
1076 | |||
1077 | openssh (1:1.2pre7-1) unstable; urgency=low | ||
1078 | |||
1079 | * New upstream release | ||
1080 | |||
1081 | -- Philip Hands <phil@hands.com> Tue, 2 Nov 1999 21:02:37 +0000 | ||
1082 | |||
1083 | openssh (1:1.2.0.pre6db1-2) unstable; urgency=low | ||
1084 | |||
1085 | * change the binary package name to ssh (the non-free branch of ssh has | ||
1086 | been renamed to ssh-nonfree) | ||
1087 | * make pam file comply with Debian standards | ||
1088 | * use an epoch to make sure openssh supercedes ssh-nonfree | ||
1089 | |||
1090 | -- Philip Hands <phil@hands.com> Sat, 30 Oct 1999 16:26:05 +0100 | ||
1091 | |||
1092 | openssh (1.2pre6db1-1) unstable; urgency=low | ||
1093 | |||
1094 | * New upstream source | ||
1095 | * sshd accepts logins now! | ||
1096 | |||
1097 | -- Dan Brosemer <odin@linuxfreak.com> Fri, 29 Oct 1999 11:13:38 -0500 | ||
1098 | |||
1099 | openssh (1.2.0.19991028-1) unstable; urgency=low | ||
1100 | |||
1101 | * New upstream source | ||
1102 | * Added test for -lnsl to configure script | ||
1103 | |||
1104 | -- Dan Brosemer <odin@linuxfreak.com> Thu, 28 Oct 1999 18:52:09 -0500 | ||
1105 | |||
1106 | openssh (1.2.0.19991027-3) unstable; urgency=low | ||
1107 | |||
1108 | * Initial release | ||
1109 | |||
1110 | -- Dan Brosemer <odin@linuxfreak.com> Wed, 27 Oct 1999 19:39:46 -0500 | ||
1111 | |||
1112 | Local variables: | ||
1113 | mode: debian-changelog | ||
1114 | End: | ||
diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 000000000..b5c7a47fc --- /dev/null +++ b/debian/conffiles | |||
@@ -0,0 +1,5 @@ | |||
1 | /etc/ssh/ssh_config | ||
2 | /etc/ssh/moduli | ||
3 | /etc/init.d/ssh | ||
4 | /etc/pam.d/ssh | ||
5 | /etc/default/ssh | ||
diff --git a/debian/config b/debian/config new file mode 100644 index 000000000..7b4f85b43 --- /dev/null +++ b/debian/config | |||
@@ -0,0 +1,99 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
7 | version=1.2.27 | ||
8 | cp -a /etc/ssh-nonfree /etc/ssh | ||
9 | fi | ||
10 | |||
11 | # Source debconf library. | ||
12 | . /usr/share/debconf/confmodule | ||
13 | db_version 2.0 | ||
14 | |||
15 | if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1 | ||
16 | then | ||
17 | db_input medium ssh/ssh2_keys_merged | ||
18 | fi | ||
19 | |||
20 | if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh | ||
21 | then | ||
22 | db_fset ssh/use_old_init_script isdefault true | ||
23 | db_input medium ssh/use_old_init_script || true | ||
24 | db_go | ||
25 | |||
26 | db_get ssh/use_old_init_script | ||
27 | [ "$RET" = "false" ] && exit 0 | ||
28 | else | ||
29 | db_set ssh/use_old_init_script true | ||
30 | db_fset ssh/use_old_init_script isdefault false | ||
31 | fi | ||
32 | |||
33 | if [ -z "$version" -a ! -e /etc/ssh/sshd_config ] | ||
34 | then | ||
35 | db_input medium ssh/protocol2_only || true | ||
36 | fi | ||
37 | |||
38 | if [ -e /etc/ssh/sshd_config ] | ||
39 | then | ||
40 | if dpkg --compare-versions "$version" lt-nl 1:1.3 ; | ||
41 | then db_input medium ssh/new_config || true | ||
42 | db_get ssh/new_config | ||
43 | if [ "$RET" = "true" ]; | ||
44 | then db_input medium ssh/protocol2_only ||true | ||
45 | db_input high ssh/privsep_ask ||true | ||
46 | else db_input high ssh/privsep_tell ||true | ||
47 | fi | ||
48 | else db_input high ssh/privsep_tell ||true | ||
49 | fi | ||
50 | else db_input high ssh/privsep_tell ||true | ||
51 | fi | ||
52 | |||
53 | db_input medium ssh/SUID_client || true | ||
54 | |||
55 | # To be correct during initial installation, this relies on the desired | ||
56 | # default for run_sshd being "true". | ||
57 | if [ -e /etc/ssh/sshd_not_to_be_run ] | ||
58 | then | ||
59 | db_set ssh/run_sshd false | ||
60 | else | ||
61 | db_set ssh/run_sshd true | ||
62 | fi | ||
63 | db_input medium ssh/run_sshd || true | ||
64 | |||
65 | if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf | ||
66 | then | ||
67 | if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null | ||
68 | then | ||
69 | db_input low ssh/insecure_telnetd || true | ||
70 | fi | ||
71 | fi | ||
72 | |||
73 | key=/etc/ssh/ssh_host_key | ||
74 | export key | ||
75 | if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] && | ||
76 | dpkg --compare-versions "$version" lt 1.2.28 | ||
77 | then | ||
78 | # make sure that keys get updated to get rid of IDEA; preinst | ||
79 | # actually does the work, but if the old ssh-keygen is not found, | ||
80 | # it can't do that -- thus, we tell the user that he must create | ||
81 | # a new host key. | ||
82 | echo -en '\0\0' | 3<&0 sh -c \ | ||
83 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
84 | # this means that bytes 32&33 of the key were not both zero, in which | ||
85 | # case the key is encrypted, which we need to fix | ||
86 | db_input high ssh/encrypted_host_key_but_no_keygen || true | ||
87 | } | ||
88 | fi | ||
89 | |||
90 | |||
91 | db_input low ssh/forward_warning || true | ||
92 | |||
93 | if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then | ||
94 | db_input high ssh/user_environment_tell || true | ||
95 | fi | ||
96 | |||
97 | db_go | ||
98 | |||
99 | exit 0 | ||
diff --git a/debian/control b/debian/control new file mode 100644 index 000000000..5a69855e2 --- /dev/null +++ b/debian/control | |||
@@ -0,0 +1,48 @@ | |||
1 | Source: openssh | ||
2 | Section: net | ||
3 | Priority: standard | ||
4 | Maintainer: Matthew Vernon <matthew@debian.org> | ||
5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, groff, debhelper (>=1.1.17), sharutils | ||
6 | Standards-Version: 3.5.6 | ||
7 | Uploaders: Colin Watson <cjwatson@debian.org> | ||
8 | |||
9 | Package: ssh | ||
10 | Architecture: any | ||
11 | Depends: ${shlibs:Depends}, libpam-modules (>= 0.72-9), debconf, adduser | ||
12 | Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1) | ||
13 | Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils | ||
14 | Provides: rsh-client | ||
15 | Description: Secure rlogin/rsh/rcp replacement (OpenSSH) | ||
16 | This is the portable version of OpenSSH, a free implementation of | ||
17 | the Secure Shell protocol as specified by the IETF secsh working | ||
18 | group. | ||
19 | . | ||
20 | Ssh (Secure Shell) is a program for logging into a remote machine | ||
21 | and for executing commands on a remote machine. | ||
22 | It provides secure encrypted communications between two untrusted | ||
23 | hosts over an insecure network. X11 connections and arbitrary TCP/IP | ||
24 | ports can also be forwarded over the secure channel. | ||
25 | It is intended as a replacement for rlogin, rsh and rcp, and can be | ||
26 | used to provide applications with a secure communication channel. | ||
27 | . | ||
28 | This package provides both the ssh client and the sshd server. | ||
29 | . | ||
30 | -------------------------------------------------------------------- | ||
31 | . | ||
32 | In some countries, particularly Russia, Iraq, and Pakistan, it may | ||
33 | be illegal to use any encryption at all without a special permit. | ||
34 | |||
35 | Package: ssh-askpass-gnome | ||
36 | Section: x11 | ||
37 | Priority: optional | ||
38 | Architecture: any | ||
39 | Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ssh-krb5 | ||
40 | Replaces: ssh (<< 1:3.5p1-3) | ||
41 | Provides: ssh-askpass | ||
42 | Description: under X, asks user for a passphrase for ssh-add | ||
43 | This has been split out of the main ssh package, so that the ssh will | ||
44 | not need to depend upon the Gnome libraries. | ||
45 | . | ||
46 | You probably want the ssh-askpass package instead, but this is | ||
47 | provided to add to your choice and/or confusion. | ||
48 | |||
diff --git a/debian/copyright.head b/debian/copyright.head new file mode 100644 index 000000000..5bd397447 --- /dev/null +++ b/debian/copyright.head | |||
@@ -0,0 +1,36 @@ | |||
1 | This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999 | ||
2 | (with help from Dan Brosemer <odin@linuxfreak.com>) | ||
3 | |||
4 | It was downloaded from here: | ||
5 | ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz | ||
6 | |||
7 | worldwide mirrors are listed here: | ||
8 | http://www.openssh.com/ftp.html | ||
9 | |||
10 | The Debian specific parts of the package are mostly taken from the | ||
11 | original ssh package, which has since been renamed as ssh-nonfree. | ||
12 | |||
13 | The Debian patch is distributed under the terms of the GPL. | ||
14 | |||
15 | The upstream source for this package is a combination of the ssh | ||
16 | branch that is being maintained by the OpenBSD team (starting from | ||
17 | the last version of SSH that was distributed under a free license), | ||
18 | and porting work by Damien Miller <damien@ibs.com.au> to get it | ||
19 | working on Linux. Other people also contributed to this, and are | ||
20 | credited in /usr/share/doc/ssh/README. | ||
21 | |||
22 | Copyright: | ||
23 | |||
24 | Code in helper.[ch] is Copyright Internet Business Solutions and is | ||
25 | released under a X11-style license (see source file for details). | ||
26 | |||
27 | (A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a | ||
28 | X11-style license (see source file for details). | ||
29 | |||
30 | make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>, | ||
31 | and is distributed under the GPL (see source file for details). | ||
32 | |||
33 | The copyright for the original SSH version follows. It has been | ||
34 | modified with [comments] to reflect the changes that the OpenBSD folks | ||
35 | have made: | ||
36 | |||
diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 000000000..1496845fc --- /dev/null +++ b/debian/dirs | |||
@@ -0,0 +1,8 @@ | |||
1 | usr/bin | ||
2 | usr/sbin | ||
3 | usr/lib | ||
4 | etc/ssh | ||
5 | etc/init.d | ||
6 | etc/default | ||
7 | usr/share/man/man1 | ||
8 | usr/share/man/man8 | ||
diff --git a/debian/gnome-ssh-askpass.1 b/debian/gnome-ssh-askpass.1 new file mode 100644 index 000000000..b74c410a8 --- /dev/null +++ b/debian/gnome-ssh-askpass.1 | |||
@@ -0,0 +1,51 @@ | |||
1 | .TH GNOME-SSH-ASKPASS 1 | ||
2 | .SH NAME | ||
3 | gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME | ||
4 | .SH SYNOPSIS | ||
5 | .B gnome\-ssh\-askpass | ||
6 | .SH DESCRIPTION | ||
7 | .B gnome\-ssh\-askpass | ||
8 | is a GNOME-based passphrase dialog for use with OpenSSH. | ||
9 | It is intended to be called by the | ||
10 | .BR ssh\-add (1) | ||
11 | program and not invoked directly. | ||
12 | It allows | ||
13 | .BR ssh\-add (1) | ||
14 | to obtain a passphrase from a user, even if not connected to a terminal | ||
15 | (assuming that an X display is available). | ||
16 | This happens automatically in the case where | ||
17 | .B ssh\-add | ||
18 | is invoked from one's | ||
19 | .B ~/.xsession | ||
20 | or as one of the GNOME startup programs, for example. | ||
21 | .PP | ||
22 | In order to be called automatically by | ||
23 | .BR ssh\-add , | ||
24 | .B gnome\-ssh\-askpass | ||
25 | should be installed as | ||
26 | .IR /usr/bin/ssh\-askpass . | ||
27 | .SH "ENVIRONMENT VARIABLES" | ||
28 | The following environment variables are recognized: | ||
29 | .TP | ||
30 | .I GNOME_SSH_ASKPASS_GRAB_SERVER | ||
31 | Causes | ||
32 | .B gnome\-ssh\-askpass | ||
33 | to grab the X server before asking for a passphrase. | ||
34 | .TP | ||
35 | .I GNOME_SSH_ASKPASS_GRAB_POINTER | ||
36 | Causes | ||
37 | .B gnome\-ssh\-askpass | ||
38 | to grab the mouse pointer using | ||
39 | .IR gdk_pointer_grab () | ||
40 | before asking for a passphrase. | ||
41 | .PP | ||
42 | Regardless of whether either of these environment variables is set, | ||
43 | .B gnome\-ssh\-askpass | ||
44 | will grab the keyboard using | ||
45 | .IR gdk_keyboard_grab (). | ||
46 | .SH AUTHOR | ||
47 | This manual page was written by Colin Watson <cjwatson@debian.org> | ||
48 | for the Debian system (but may be used by others). | ||
49 | It was based on that for | ||
50 | .B x11\-ssh\-askpass | ||
51 | by Philip Hands. | ||
diff --git a/debian/init b/debian/init new file mode 100644 index 000000000..0eddf722e --- /dev/null +++ b/debian/init | |||
@@ -0,0 +1,73 @@ | |||
1 | #! /bin/sh | ||
2 | set -e | ||
3 | |||
4 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon | ||
5 | |||
6 | test -x /usr/sbin/sshd || exit 0 | ||
7 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
8 | |||
9 | if test -f /etc/default/ssh; then | ||
10 | . /etc/default/ssh | ||
11 | fi | ||
12 | |||
13 | check_for_no_start() { | ||
14 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
15 | if [ -e /etc/ssh/sshd_not_to_be_run ]; then | ||
16 | echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" | ||
17 | exit 0 | ||
18 | fi | ||
19 | } | ||
20 | |||
21 | check_privsep_dir() { | ||
22 | # Create the PrivSep empty dir if necessary | ||
23 | if [ ! -d /var/run/sshd ]; then | ||
24 | mkdir /var/run/sshd | ||
25 | chmod 0755 /var/run/sshd | ||
26 | fi | ||
27 | } | ||
28 | |||
29 | check_config() { | ||
30 | /usr/sbin/sshd -t || exit 1 | ||
31 | } | ||
32 | |||
33 | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" | ||
34 | |||
35 | case "$1" in | ||
36 | start) | ||
37 | check_for_no_start | ||
38 | check_privsep_dir | ||
39 | echo -n "Starting OpenBSD Secure Shell server: sshd" | ||
40 | start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS | ||
41 | echo "." | ||
42 | ;; | ||
43 | stop) | ||
44 | echo -n "Stopping OpenBSD Secure Shell server: sshd" | ||
45 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid | ||
46 | echo "." | ||
47 | ;; | ||
48 | |||
49 | reload|force-reload) | ||
50 | check_for_no_start | ||
51 | check_config | ||
52 | echo -n "Reloading OpenBSD Secure Shell server's configuration" | ||
53 | start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd | ||
54 | echo "." | ||
55 | ;; | ||
56 | |||
57 | restart) | ||
58 | check_config | ||
59 | echo -n "Restarting OpenBSD Secure Shell server: sshd" | ||
60 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid | ||
61 | check_for_no_start | ||
62 | check_privsep_dir | ||
63 | sleep 2 | ||
64 | start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS | ||
65 | echo "." | ||
66 | ;; | ||
67 | |||
68 | *) | ||
69 | echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}" | ||
70 | exit 1 | ||
71 | esac | ||
72 | |||
73 | exit 0 | ||
diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..4d3598a31 --- /dev/null +++ b/debian/postinst | |||
@@ -0,0 +1,342 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | test -e /usr/share/debconf/confmodule && { | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | } | ||
10 | |||
11 | umask 022 | ||
12 | |||
13 | if [ "$action" != configure ] | ||
14 | then | ||
15 | exit 0 | ||
16 | fi | ||
17 | |||
18 | |||
19 | |||
20 | check_idea_key() { | ||
21 | #check for old host_key files using IDEA, which openssh does not support | ||
22 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
23 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
24 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
25 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
26 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
27 | fi | ||
28 | fi | ||
29 | } | ||
30 | |||
31 | |||
32 | create_key() { | ||
33 | local msg="$1" | ||
34 | shift | ||
35 | local file="$1" | ||
36 | shift | ||
37 | |||
38 | if [ ! -f "$file" ] ; then | ||
39 | echo -n $msg | ||
40 | ssh-keygen -q -f "$file" -N '' "$@" | ||
41 | echo | ||
42 | fi | ||
43 | } | ||
44 | |||
45 | |||
46 | create_keys() { | ||
47 | RET=true | ||
48 | test -e /usr/share/debconf/confmodule && { | ||
49 | db_get ssh/protocol2_only | ||
50 | } | ||
51 | |||
52 | if [ "$RET" = "false" ] ; then | ||
53 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
54 | /etc/ssh/ssh_host_key -t rsa1 | ||
55 | fi | ||
56 | |||
57 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
58 | /etc/ssh/ssh_host_rsa_key -t rsa | ||
59 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
60 | /etc/ssh/ssh_host_dsa_key -t dsa | ||
61 | } | ||
62 | |||
63 | |||
64 | create_sshdconfig() { | ||
65 | if [ -e /etc/ssh/sshd_config ] ; then | ||
66 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
67 | RET=true | ||
68 | test -e /usr/share/debconf/confmodule && { | ||
69 | db_get ssh/new_config | ||
70 | } | ||
71 | if [ "$RET" = "false" ] ; then return 0; fi | ||
72 | else return 0 | ||
73 | fi | ||
74 | fi | ||
75 | RET=true | ||
76 | test -e /usr/share/debconf/confmodule && { | ||
77 | db_get ssh/protocol2_only | ||
78 | } | ||
79 | |||
80 | #Preserve old sshd_config before generating a new on | ||
81 | if [ -e /etc/ssh/sshd_config ] ; then | ||
82 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
83 | fi | ||
84 | |||
85 | cat <<EOF > /etc/ssh/sshd_config | ||
86 | # Package generated configuration file | ||
87 | # See the sshd(8) manpage for defails | ||
88 | |||
89 | # What ports, IPs and protocols we listen for | ||
90 | Port 22 | ||
91 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
92 | #ListenAddress :: | ||
93 | #ListenAddress 0.0.0.0 | ||
94 | EOF | ||
95 | if [ "$RET" = "false" ]; then | ||
96 | cat <<EOF >> /etc/ssh/sshd_config | ||
97 | Protocol 2,1 | ||
98 | # HostKeys for protocol version 1 | ||
99 | HostKey /etc/ssh/ssh_host_key | ||
100 | # HostKeys for protocol version 2 | ||
101 | HostKey /etc/ssh/ssh_host_rsa_key | ||
102 | HostKey /etc/ssh/ssh_host_dsa_key | ||
103 | EOF | ||
104 | else | ||
105 | cat <<EOF >> /etc/ssh/sshd_config | ||
106 | Protocol 2 | ||
107 | # HostKeys for protocol version 2 | ||
108 | HostKey /etc/ssh/ssh_host_rsa_key | ||
109 | HostKey /etc/ssh/ssh_host_dsa_key | ||
110 | EOF | ||
111 | fi | ||
112 | |||
113 | test -e /usr/share/debconf/confmodule && { | ||
114 | db_get ssh/privsep_ask | ||
115 | } | ||
116 | if [ "$RET" = "false" ]; then | ||
117 | cat <<EOF >> /etc/ssh/sshd_config | ||
118 | #Explicitly set PrivSep off, as requested | ||
119 | UsePrivilegeSeparation no | ||
120 | |||
121 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
122 | # properly interface with the user | ||
123 | PAMAuthenticationViaKbdInt yes | ||
124 | EOF | ||
125 | else | ||
126 | cat <<EOF >> /etc/ssh/sshd_config | ||
127 | #Privilege Separation is turned on for security | ||
128 | UsePrivilegeSeparation yes | ||
129 | |||
130 | # ...but breaks Pam auth via kbdint, so we have to turn it off | ||
131 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
132 | # properly interface with the user (off due to PrivSep) | ||
133 | PAMAuthenticationViaKbdInt no | ||
134 | EOF | ||
135 | fi | ||
136 | |||
137 | cat <<EOF >> /etc/ssh/sshd_config | ||
138 | # Lifetime and size of ephemeral version 1 server key | ||
139 | KeyRegenerationInterval 3600 | ||
140 | ServerKeyBits 768 | ||
141 | |||
142 | # Logging | ||
143 | SyslogFacility AUTH | ||
144 | LogLevel INFO | ||
145 | |||
146 | # Authentication: | ||
147 | LoginGraceTime 600 | ||
148 | PermitRootLogin yes | ||
149 | StrictModes yes | ||
150 | |||
151 | RSAAuthentication yes | ||
152 | PubkeyAuthentication yes | ||
153 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
154 | |||
155 | # rhosts authentication should not be used | ||
156 | RhostsAuthentication no | ||
157 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
158 | IgnoreRhosts yes | ||
159 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
160 | RhostsRSAAuthentication no | ||
161 | # similar for protocol version 2 | ||
162 | HostbasedAuthentication no | ||
163 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
164 | #IgnoreUserKnownHosts yes | ||
165 | |||
166 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
167 | PermitEmptyPasswords no | ||
168 | |||
169 | # Uncomment to disable s/key passwords | ||
170 | #ChallengeResponseAuthentication no | ||
171 | |||
172 | # To disable tunneled clear text passwords, change to no here! | ||
173 | PasswordAuthentication yes | ||
174 | |||
175 | |||
176 | # To change Kerberos options | ||
177 | #KerberosAuthentication no | ||
178 | #KerberosOrLocalPasswd yes | ||
179 | #AFSTokenPassing no | ||
180 | #KerberosTicketCleanup no | ||
181 | |||
182 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
183 | #KerberosTgtPassing yes | ||
184 | |||
185 | X11Forwarding no | ||
186 | X11DisplayOffset 10 | ||
187 | PrintMotd no | ||
188 | PrintLastLog yes | ||
189 | KeepAlive yes | ||
190 | #UseLogin no | ||
191 | |||
192 | #MaxStartups 10:30:60 | ||
193 | #Banner /etc/issue.net | ||
194 | #ReverseMappingCheck yes | ||
195 | |||
196 | Subsystem sftp /usr/lib/sftp-server | ||
197 | |||
198 | EOF | ||
199 | } | ||
200 | |||
201 | |||
202 | fix_rsh_diversion() { | ||
203 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
204 | |||
205 | if [ -L /usr/bin/rsh ] && | ||
206 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
207 | for cmd in rlogin rsh rcp ; do | ||
208 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
209 | dpkg-divert --package ssh --remove --rename \ | ||
210 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
211 | |||
212 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
213 | dpkg-divert --package ssh --remove --rename \ | ||
214 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
215 | done | ||
216 | |||
217 | rmdir /usr/bin/rsh.real | ||
218 | fi | ||
219 | } | ||
220 | |||
221 | |||
222 | fix_statoverride() { | ||
223 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
224 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
225 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
226 | dpkg-statoverride --remove /usr/sbin/sshd | ||
227 | fi | ||
228 | fi | ||
229 | } | ||
230 | |||
231 | |||
232 | create_alternatives() { | ||
233 | # Create alternatives for the various r* tools. | ||
234 | # Make sure we don't change existing alternatives that a user might have | ||
235 | # changed, but clean up after some old alternatives that mistakenly pointed | ||
236 | # rlogin and rcp to ssh. | ||
237 | update-alternatives --quiet --remove rlogin /usr/bin/ssh | ||
238 | update-alternatives --quiet --remove rcp /usr/bin/ssh | ||
239 | for cmd in rsh rlogin rcp; do | ||
240 | scmd="s${cmd#r}" | ||
241 | if ! update-alternatives --display "$cmd" | \ | ||
242 | grep -q "$scmd"; then | ||
243 | update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \ | ||
244 | --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz" | ||
245 | fi | ||
246 | done | ||
247 | } | ||
248 | |||
249 | setup_sshd_user() { | ||
250 | if ! getent passwd | grep -q '^sshd:'; then | ||
251 | adduser --quiet --system --no-create-home --home /var/run/sshd sshd | ||
252 | fi | ||
253 | } | ||
254 | |||
255 | set_sshd_permissions() { | ||
256 | suid=false | ||
257 | |||
258 | if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then | ||
259 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
260 | if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then | ||
261 | dpkg-statoverride --remove /usr/bin/ssh >/dev/null | ||
262 | fi | ||
263 | fi | ||
264 | fi | ||
265 | |||
266 | [ -e /usr/share/debconf/confmodule ] && { | ||
267 | db_get ssh/SUID_client | ||
268 | suid="$RET" | ||
269 | } | ||
270 | if [ ! -x /usr/sbin/dpkg-statoverride ] || \ | ||
271 | ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then | ||
272 | if [ "$suid" = "false" ] ; then | ||
273 | chmod 0755 /usr/lib/ssh-keysign | ||
274 | elif [ "$suid" = "true" ] ; then | ||
275 | chmod 4755 /usr/lib/ssh-keysign | ||
276 | fi | ||
277 | fi | ||
278 | } | ||
279 | |||
280 | |||
281 | fix_ssh_group() { | ||
282 | # Try to remove non-system group mistakenly created by 1:3.5p1-1. | ||
283 | # set_ssh_agent_permissions() below will re-create it properly. | ||
284 | if getent group | grep -q '^ssh:'; then | ||
285 | delgroup --quiet ssh || true | ||
286 | fi | ||
287 | } | ||
288 | |||
289 | |||
290 | set_ssh_agent_permissions() { | ||
291 | if ! getent group | grep -q '^ssh:'; then | ||
292 | addgroup --system --quiet ssh | ||
293 | fi | ||
294 | if ! [ -x /usr/sbin/dpkg-statoverride ] || \ | ||
295 | ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then | ||
296 | chgrp ssh /usr/bin/ssh-agent | ||
297 | chmod 2755 /usr/bin/ssh-agent | ||
298 | fi | ||
299 | } | ||
300 | |||
301 | |||
302 | setup_startup() { | ||
303 | start=yes | ||
304 | [ -e /usr/share/debconf/confmodule ] && { | ||
305 | db_get ssh/run_sshd | ||
306 | start="$RET" | ||
307 | } | ||
308 | |||
309 | if [ "$start" != "true" ] ; then | ||
310 | /etc/init.d/ssh stop 2>&1 >/dev/null | ||
311 | touch /etc/ssh/sshd_not_to_be_run | ||
312 | else | ||
313 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
314 | fi | ||
315 | } | ||
316 | |||
317 | |||
318 | setup_init() { | ||
319 | if [ -e /etc/init.d/ssh ]; then | ||
320 | update-rc.d ssh defaults >/dev/null | ||
321 | /etc/init.d/ssh restart | ||
322 | fi | ||
323 | } | ||
324 | |||
325 | check_idea_key | ||
326 | create_keys | ||
327 | create_sshdconfig | ||
328 | fix_rsh_diversion | ||
329 | fix_statoverride | ||
330 | create_alternatives | ||
331 | setup_sshd_user | ||
332 | set_sshd_permissions | ||
333 | if [ "$2" = "1:3.5p1-1" ]; then fix_ssh_group; fi | ||
334 | set_ssh_agent_permissions | ||
335 | setup_startup | ||
336 | setup_init | ||
337 | |||
338 | |||
339 | [ -e /usr/share/debconf/confmodule ] && db_stop | ||
340 | |||
341 | exit 0 | ||
342 | |||
diff --git a/debian/postinst.old b/debian/postinst.old new file mode 100644 index 000000000..586da1cc6 --- /dev/null +++ b/debian/postinst.old | |||
@@ -0,0 +1,269 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | test -e /usr/share/debconf/confmodule && { | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | } | ||
10 | |||
11 | |||
12 | if [ "$action" != configure ] | ||
13 | then | ||
14 | exit 0 | ||
15 | fi | ||
16 | |||
17 | |||
18 | |||
19 | check_idea_key() { | ||
20 | #check for old host_key files using IDEA, which openssh does not support | ||
21 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
22 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
23 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
24 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
25 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
26 | fi | ||
27 | fi | ||
28 | } | ||
29 | |||
30 | |||
31 | create_key() { | ||
32 | local file="$1" | ||
33 | shift | ||
34 | |||
35 | if [ ! -f "$file" ] ; then | ||
36 | ( umask 022 ; \ | ||
37 | ssh-keygen -f "$file" -N '' "$@" > /dev/null ) | ||
38 | fi | ||
39 | } | ||
40 | |||
41 | |||
42 | create_keys() { | ||
43 | RET=true | ||
44 | test -e /usr/share/debconf/confmodule && { | ||
45 | db_get ssh/protocol2_only | ||
46 | } | ||
47 | |||
48 | if [ "$RET" = "false" ] ; then | ||
49 | echo "Creating SSH1 key" | ||
50 | create_key /etc/ssh/ssh_host_key | ||
51 | fi | ||
52 | |||
53 | echo "Creating SSH2 RSA key" | ||
54 | create_key /etc/ssh/ssh_host_rsa_key -t rsa | ||
55 | echo "Creating SSH2 DSA key" | ||
56 | create_key /etc/ssh/ssh_host_dsa_key -t dsa | ||
57 | } | ||
58 | |||
59 | |||
60 | create_sshdconfig() { | ||
61 | [ -e /etc/ssh/sshd_config ] && return | ||
62 | |||
63 | RET=true | ||
64 | test -e /usr/share/debconf/confmodule && { | ||
65 | db_get ssh/protocol2_only | ||
66 | } | ||
67 | |||
68 | cat <<EOF > /etc/ssh/sshd_config | ||
69 | # Package generated configuration file | ||
70 | # See the sshd(8) manpage for defails | ||
71 | |||
72 | # What ports, IPs and protocols we listen for | ||
73 | Port 22 | ||
74 | # Uncomment the next entry to accept IPv6 traffic. | ||
75 | #ListenAddress :: | ||
76 | #ListenAddress 0.0.0.0 | ||
77 | EOF | ||
78 | if [ "$RET" = "false" ]; then | ||
79 | cat <<EOF >> /etc/ssh/sshd_config | ||
80 | Protocol 2,1 | ||
81 | # HostKeys for protocol version 1 | ||
82 | HostKey /etc/ssh/ssh_host_key | ||
83 | # HostKeys for protocol version 2 | ||
84 | HostKey /etc/ssh/ssh_host_rsa_key | ||
85 | HostKey /etc/ssh/ssh_host_dsa_key | ||
86 | EOF | ||
87 | else | ||
88 | cat <<EOF >> /etc/ssh/sshd_config | ||
89 | Protocol 2 | ||
90 | # HostKeys for protocol version 2 | ||
91 | HostKey /etc/ssh/ssh_host_rsa_key | ||
92 | HostKey /etc/ssh/ssh_host_dsa_key | ||
93 | EOF | ||
94 | fi | ||
95 | |||
96 | |||
97 | cat <<EOF >> /etc/ssh/sshd_config | ||
98 | # Lifetime and size of ephemeral version 1 server key | ||
99 | KeyRegenerationInterval 3600 | ||
100 | ServerKeyBits 768 | ||
101 | |||
102 | # Logging | ||
103 | SyslogFacility AUTH | ||
104 | LogLevel INFO | ||
105 | |||
106 | # Authentication: | ||
107 | LoginGraceTime 600 | ||
108 | PermitRootLogin no | ||
109 | StrictModes yes | ||
110 | |||
111 | RSAAuthentication yes | ||
112 | PubkeyAuthentication yes | ||
113 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
114 | |||
115 | # rhosts authentication should not be used | ||
116 | RhostsAuthentication no | ||
117 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
118 | IgnoreRhosts yes | ||
119 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
120 | RhostsRSAAuthentication no | ||
121 | # similar for protocol version 2 | ||
122 | HostbasedAuthentication no | ||
123 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
124 | #IgnoreUserKnownHosts yes | ||
125 | |||
126 | # To disable tunneled clear text passwords, change to no here! | ||
127 | PermitEmptyPasswords no | ||
128 | |||
129 | # Uncomment to disable s/key passwords | ||
130 | #ChallengeResponseAuthentication no | ||
131 | |||
132 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
133 | # properly interface with the user | ||
134 | PasswordAuthentication no | ||
135 | PAMAuthenticationViaKbdInt yes | ||
136 | |||
137 | # To change Kerberos options | ||
138 | #KerberosAuthentication no | ||
139 | #KerberosOrLocalPasswd yes | ||
140 | #AFSTokenPassing no | ||
141 | #KerberosTicketCleanup no | ||
142 | |||
143 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
144 | #KerberosTgtPassing yes | ||
145 | |||
146 | X11Forwarding no | ||
147 | X11DisplayOffset 10 | ||
148 | PrintMotd no | ||
149 | #PrintLastLog no | ||
150 | KeepAlive yes | ||
151 | #UseLogin no | ||
152 | |||
153 | #MaxStartups 10:30:60 | ||
154 | #Banner /etc/issue.net | ||
155 | #ReverseMappingCheck yes | ||
156 | |||
157 | Subsystem sftp /usr/libexec/sftp-server | ||
158 | EOF | ||
159 | } | ||
160 | |||
161 | |||
162 | fix_rsh_diversion() { | ||
163 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
164 | |||
165 | if [ -L /usr/bin/rsh ] && | ||
166 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
167 | for cmd in rlogin rsh rcp ; do | ||
168 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
169 | dpkg-divert --package ssh --remove --rename \ | ||
170 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
171 | |||
172 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
173 | dpkg-divert --package ssh --remove --rename \ | ||
174 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
175 | done | ||
176 | |||
177 | rmdir /usr/bin/rsh.real | ||
178 | fi | ||
179 | } | ||
180 | |||
181 | |||
182 | fix_statoverride() { | ||
183 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
184 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
185 | if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then | ||
186 | dpkg-statoverride --remote /usr/sbin/sshd | ||
187 | fi | ||
188 | fi | ||
189 | } | ||
190 | |||
191 | |||
192 | create_alternatives() { | ||
193 | # Create alternatives for the various r* tools | ||
194 | # Make sure we don't change existing alternatives that a user might have | ||
195 | # changed | ||
196 | for cmd in rsh rlogin rcp ; do | ||
197 | if ! update-alternatives --display $cmd | \ | ||
198 | grep -q ssh ; then | ||
199 | update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \ | ||
200 | --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz | ||
201 | fi | ||
202 | done | ||
203 | |||
204 | } | ||
205 | |||
206 | |||
207 | set_sshd_permissions() { | ||
208 | suid=no | ||
209 | |||
210 | [ -e /usr/share/debconf/confmodule ] && { | ||
211 | db_get ssh/SUID_client | ||
212 | suid="$RET" | ||
213 | } | ||
214 | |||
215 | if [ "$suid" = "yes" ] ; then | ||
216 | if [ -x /usr/sbin/dpkg-statoverride ] && \ | ||
217 | ! dpkg-statoverride /usr/bin/ssh ; then | ||
218 | dpkg-statoverride --add root root 04755 /usr/bin/ssh | ||
219 | fi | ||
220 | fi | ||
221 | } | ||
222 | |||
223 | |||
224 | setup_startup() { | ||
225 | start=yes | ||
226 | [ -e /usr/share/debconf/confmodule ] && { | ||
227 | db_get ssh/run_sshd | ||
228 | start="$RET" | ||
229 | } | ||
230 | |||
231 | if [ "$start" != "true" ] ; then | ||
232 | touch /etc/ssh/sshd_not_to_be_run | ||
233 | else | ||
234 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
235 | fi | ||
236 | } | ||
237 | |||
238 | |||
239 | setup_init() { | ||
240 | if [ -e /etc/init.d/ssh ]; then | ||
241 | update-rc.d ssh defaults >/dev/null | ||
242 | /etc/init.d/ssh restart | ||
243 | fi | ||
244 | } | ||
245 | |||
246 | check_idea_key | ||
247 | create_keys | ||
248 | create_sshdconfig | ||
249 | fix_rsh_diversion | ||
250 | fix_statoverride | ||
251 | create_alternatives | ||
252 | set_sshd_permissions | ||
253 | setup_startup | ||
254 | setup_init | ||
255 | |||
256 | |||
257 | # Automatically added by dh_installdocs | ||
258 | if [ "$1" = "configure" ]; then | ||
259 | if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then | ||
260 | ln -sf ../share/doc/ssh /usr/doc/ssh | ||
261 | fi | ||
262 | fi | ||
263 | # End automatically added section | ||
264 | |||
265 | |||
266 | [ -e /usr/share/debconf/confmodule ] && db_stop | ||
267 | |||
268 | exit 0 | ||
269 | |||
diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 000000000..c76f662df --- /dev/null +++ b/debian/postrm | |||
@@ -0,0 +1,19 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | #DEBHELPER# | ||
4 | |||
5 | if [ "$1" = "purge" ] | ||
6 | then | ||
7 | rm -rf /etc/ssh | ||
8 | fi | ||
9 | |||
10 | if [ "$1" = "purge" ] ; then | ||
11 | update-rc.d ssh remove >/dev/null | ||
12 | fi | ||
13 | |||
14 | if [ "$1" = "purge" ] ; then | ||
15 | deluser --quiet sshd > /dev/null || true | ||
16 | delgroup --quiet ssh > /dev/null || true | ||
17 | fi | ||
18 | |||
19 | exit 0 | ||
diff --git a/debian/preinst b/debian/preinst new file mode 100644 index 000000000..320d4df2a --- /dev/null +++ b/debian/preinst | |||
@@ -0,0 +1,79 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
7 | version=1.2.27 | ||
8 | fi | ||
9 | |||
10 | if [ "$action" = upgrade -o "$action" = install ] | ||
11 | then | ||
12 | # check if debconf is missing | ||
13 | if ! test -f /usr/share/debconf/confmodule | ||
14 | then | ||
15 | cat <<EOF | ||
16 | |||
17 | WARNING: ssh's pre-configuration script relies on debconf to tell you | ||
18 | about some problems that might prevent you from logging in if you are | ||
19 | upgrading from the old, Non-free version of ssh. | ||
20 | |||
21 | If this is a new installation, you don't need to worry about this. | ||
22 | Just go ahead and install ssh (make sure to read .../ssh/README.Debian). | ||
23 | |||
24 | If you are upgrading, but you have alternative ways of logging into | ||
25 | the machine (i.e. you're sitting in front of it, or you have telnetd | ||
26 | running), then you also don't need to worry too much, because you can | ||
27 | fix it up afterwards if there's a problem. | ||
28 | |||
29 | If you're upgrading from an older (non-free) version of ssh, and ssh | ||
30 | is the only way you have to access this machine, then you should | ||
31 | probably abort the installation of ssh, install debconf, and then | ||
32 | retry the installation of ssh. | ||
33 | |||
34 | EOF | ||
35 | echo -n "Do you want to install SSH anyway [yN]: " | ||
36 | read input | ||
37 | expr "$input" : '[Yy]' >/dev/null || exit 1 | ||
38 | |||
39 | # work around for missing debconf | ||
40 | db_get() { : ; } | ||
41 | RET=true | ||
42 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
43 | cp -a /etc/ssh-nonfree /etc/ssh | ||
44 | fi | ||
45 | else | ||
46 | # Source debconf library. | ||
47 | . /usr/share/debconf/confmodule | ||
48 | db_version 2.0 | ||
49 | fi | ||
50 | |||
51 | db_get ssh/use_old_init_script | ||
52 | if [ "$RET" = "false" ]; then | ||
53 | echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2 | ||
54 | exit 1 | ||
55 | fi | ||
56 | |||
57 | # deal with upgrading from pre-OpenSSH versions | ||
58 | key=/etc/ssh/ssh_host_key | ||
59 | export key | ||
60 | if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] && | ||
61 | dpkg --compare-versions "$version" lt 1.2.28 | ||
62 | then | ||
63 | # make sure that keys get updated to get rid of IDEA | ||
64 | # | ||
65 | # N.B. this only works because we've still got the old | ||
66 | # nonfree ssh-keygen at this point | ||
67 | # | ||
68 | # First, check if we need to bother | ||
69 | echo -en '\0\0' | 3<&0 sh -c \ | ||
70 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
71 | # this means that bytes 32&33 of the key were not both zero, in which | ||
72 | # case the key is encrypted, which we need to fix | ||
73 | chmod 600 $key | ||
74 | ssh-keygen -u -f $key >/dev/null | ||
75 | } | ||
76 | fi | ||
77 | fi | ||
78 | |||
79 | #DEBHELPER# | ||
diff --git a/debian/prerm b/debian/prerm new file mode 100644 index 000000000..8ed7e07ec --- /dev/null +++ b/debian/prerm | |||
@@ -0,0 +1,44 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove rsh /usr/bin/ssh | ||
21 | update-alternatives --quiet --remove rlogin /usr/bin/slogin | ||
22 | update-alternatives --quiet --remove rcp /usr/bin/scp | ||
23 | if [ -e /etc/init.d/ssh ]; then | ||
24 | /etc/init.d/ssh stop | ||
25 | fi | ||
26 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
27 | ;; | ||
28 | upgrade) | ||
29 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
30 | ;; | ||
31 | failed-upgrade) | ||
32 | ;; | ||
33 | *) | ||
34 | echo "prerm called with unknown argument \`$1'" >&2 | ||
35 | exit 0 | ||
36 | ;; | ||
37 | esac | ||
38 | |||
39 | # dh_installdeb will replace this with shell code automatically | ||
40 | # generated by other debhelper scripts. | ||
41 | |||
42 | #DEBHELPER# | ||
43 | |||
44 | exit 0 | ||
diff --git a/debian/rules b/debian/rules new file mode 100755 index 000000000..dcf406f24 --- /dev/null +++ b/debian/rules | |||
@@ -0,0 +1,105 @@ | |||
1 | #!/usr/bin/make -f | ||
2 | |||
3 | # Uncomment this to turn on verbose mode. | ||
4 | # export DH_VERBOSE=1 | ||
5 | |||
6 | # This is the debhelper compatability version to use. | ||
7 | export DH_COMPAT=1 | ||
8 | |||
9 | # This has to be exported to make some magic below work. | ||
10 | export DH_OPTIONS | ||
11 | |||
12 | #PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog) | ||
13 | |||
14 | build: build-stamp | ||
15 | build-stamp: | ||
16 | dh_testdir | ||
17 | #Change the version string to include the Debian Version | ||
18 | if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \ | ||
19 | then mv version.h version.h.upstream; mv version.h.new version.h; \ | ||
20 | else echo "Version number change failed"; exit 1; \ | ||
21 | fi | ||
22 | ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \ | ||
23 | --with-privsep-path=/var/run/sshd --without-rand-helper | ||
24 | $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \ | ||
25 | SSH_KEYSIGN='/usr/lib/ssh-keysign' | ||
26 | # Support building on Debian 3.0 (with GNOME 1.4) and later. | ||
27 | if [ -f /usr/include/libgnomeui-2.0/gnome.h ]; then \ | ||
28 | $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc -O2'; \ | ||
29 | elif [ -f /usr/include/gnome-1.0/gnome.h ]; then \ | ||
30 | $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'; \ | ||
31 | fi | ||
32 | |||
33 | touch build-stamp | ||
34 | |||
35 | clean: | ||
36 | dh_testdir | ||
37 | rm -f build-stamp | ||
38 | -$(MAKE) -i distclean | ||
39 | -$(MAKE) -C contrib clean | ||
40 | rm -f config.log | ||
41 | if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \ | ||
42 | fi | ||
43 | dh_clean | ||
44 | |||
45 | install: DH_OPTIONS= | ||
46 | install: build | ||
47 | dh_testdir | ||
48 | dh_testroot | ||
49 | dh_clean -k | ||
50 | dh_installdirs | ||
51 | |||
52 | # Add here commands to install the package into debian/tmp. | ||
53 | $(MAKE) DESTDIR=`pwd`/debian/tmp install-nokeys | ||
54 | |||
55 | rm -f debian/tmp/etc/ssh/sshd_config | ||
56 | #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway. | ||
57 | rm -f debian/tmp/usr/share/Ssh.bin | ||
58 | |||
59 | install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id | ||
60 | install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1 | ||
61 | |||
62 | if [ -f contrib/gnome-ssh-askpass2 ]; then \ | ||
63 | install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass; \ | ||
64 | elif [ -f contrib/gnome-ssh-askpass1 ]; then \ | ||
65 | install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass; \ | ||
66 | fi | ||
67 | install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1 | ||
68 | |||
69 | install -m 755 debian/ssh-argv0 debian/tmp/usr/bin/ssh-argv0 | ||
70 | install -m 644 debian/ssh-argv0.1 debian/tmp/usr/share/man/man1/ssh-argv0.1 | ||
71 | |||
72 | install -o root -g root debian/init debian/tmp/etc/init.d/ssh | ||
73 | install -o root -g root -m 644 debian/ssh.default debian/tmp/etc/default/ssh | ||
74 | |||
75 | install -o root -g root -m 755 -d debian/tmp/var/run/sshd | ||
76 | |||
77 | # Build architecture-independent files here. | ||
78 | binary-indep: build install | ||
79 | # nothing to do | ||
80 | |||
81 | # Build architecture-dependent files here. | ||
82 | binary-arch: build install | ||
83 | dh_testdir | ||
84 | dh_testroot | ||
85 | dh_installdebconf | ||
86 | dh_installdocs OVERVIEW README | ||
87 | cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright | ||
88 | nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC | ||
89 | gzip -9 debian/tmp/usr/share/doc/ssh/RFC | ||
90 | rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz | ||
91 | dh_installpam | ||
92 | dh_installchangelogs ChangeLog | ||
93 | dh_strip | ||
94 | dh_compress | ||
95 | dh_fixperms | ||
96 | dh_installdeb | ||
97 | test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \ | ||
98 | || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles | ||
99 | dh_shlibdeps | ||
100 | dh_gencontrol | ||
101 | dh_md5sums | ||
102 | dh_builddeb | ||
103 | |||
104 | binary: binary-indep binary-arch | ||
105 | .PHONY: build clean binary-indep binary-arch binary install | ||
diff --git a/debian/ssh-argv0 b/debian/ssh-argv0 new file mode 100644 index 000000000..67599aec2 --- /dev/null +++ b/debian/ssh-argv0 | |||
@@ -0,0 +1,30 @@ | |||
1 | #! /bin/sh -e | ||
2 | |||
3 | # Copyright (c) 2001 Jonathan Amery. | ||
4 | # | ||
5 | # Redistribution and use in source and binary forms, with or without | ||
6 | # modification, are permitted provided that the following conditions | ||
7 | # are met: | ||
8 | # 1. Redistributions of source code must retain the above copyright | ||
9 | # notice, this list of conditions and the following disclaimer. | ||
10 | # 2. Redistributions in binary form must reproduce the above copyright | ||
11 | # notice, this list of conditions and the following disclaimer in the | ||
12 | # documentation and/or other materials provided with the distribution. | ||
13 | # | ||
14 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
15 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
16 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
17 | # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
18 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
19 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
20 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
21 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
22 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
23 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
24 | |||
25 | if [ "${0##*/}" = "ssh-argv0" ] | ||
26 | then | ||
27 | echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2 | ||
28 | exit 1 | ||
29 | fi | ||
30 | exec ssh "${0##*/}" "$@" | ||
diff --git a/debian/ssh-argv0.1 b/debian/ssh-argv0.1 new file mode 100644 index 000000000..a36a63d40 --- /dev/null +++ b/debian/ssh-argv0.1 | |||
@@ -0,0 +1,64 @@ | |||
1 | .Dd September 7, 2001 | ||
2 | .Dt SSH-ARGV0 1 | ||
3 | .Os Debian Project | ||
4 | .Sh NAME | ||
5 | .Nm ssh-argv0 | ||
6 | .Nd replaces the old ssh command-name as hostname handling | ||
7 | .Sh SYNOPSIS | ||
8 | .Ar hostname | user@hostname | ||
9 | .Op Fl l Ar login_name | ||
10 | .Op Ar command | ||
11 | .Pp | ||
12 | .Ar hostname | user@hostname | ||
13 | .Op Fl afgknqstvxACNTX1246 | ||
14 | .Op Fl b Ar bind_address | ||
15 | .Op Fl c Ar cipher_spec | ||
16 | .Op Fl e Ar escape_char | ||
17 | .Op Fl i Ar identity_file | ||
18 | .Op Fl l Ar login_name | ||
19 | .Op Fl m Ar mac_spec | ||
20 | .Op Fl o Ar option | ||
21 | .Op Fl p Ar port | ||
22 | .Op Fl F Ar configfile | ||
23 | .Oo Fl L Xo | ||
24 | .Sm off | ||
25 | .Ar port : | ||
26 | .Ar host : | ||
27 | .Ar hostport | ||
28 | .Sm on | ||
29 | .Xc | ||
30 | .Oc | ||
31 | .Oo Fl R Xo | ||
32 | .Sm off | ||
33 | .Ar port : | ||
34 | .Ar host : | ||
35 | .Ar hostport | ||
36 | .Sm on | ||
37 | .Xc | ||
38 | .Oc | ||
39 | .Op Fl D Ar port | ||
40 | .Op Ar command | ||
41 | .Sh DESCRIPTION | ||
42 | .Nm | ||
43 | replaces the old ssh command-name as hostname handling. | ||
44 | If you link to this script with a hostname then executing the link is | ||
45 | equivalent to having executed ssh with that hostname as an argument. | ||
46 | All other arguments are passed to ssh and will be processed normally. | ||
47 | .Sh OPTIONS | ||
48 | See | ||
49 | .Xr ssh 1 . | ||
50 | .Sh FILES | ||
51 | See | ||
52 | .Xr ssh 1 . | ||
53 | .Sh AUTHORS | ||
54 | OpenSSH is a derivative of the original and free | ||
55 | ssh 1.2.12 release by Tatu Ylonen. | ||
56 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | ||
57 | Theo de Raadt and Dug Song | ||
58 | removed many bugs, re-added newer features and | ||
59 | created OpenSSH. | ||
60 | Markus Friedl contributed the support for SSH | ||
61 | protocol versions 1.5 and 2.0. | ||
62 | Jonathan Amery wrote this ssh-argv0 script and the associated documentation. | ||
63 | .Sh SEE ALSO | ||
64 | .Xr ssh 1 | ||
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright new file mode 100644 index 000000000..4a71dda00 --- /dev/null +++ b/debian/ssh-askpass-gnome.copyright | |||
@@ -0,0 +1,44 @@ | |||
1 | This package contains a Gnome based implementation of ssh-askpass | ||
2 | written by Damien Miller. | ||
3 | |||
4 | It is split out from the main package to isolate the dependency on the | ||
5 | Gnome and X11 libraries. | ||
6 | |||
7 | It was packaged for Debian by Philip Hands <phil@hands.com>. | ||
8 | |||
9 | Copyright: | ||
10 | |||
11 | /* | ||
12 | ** | ||
13 | ** GNOME ssh passphrase requestor | ||
14 | ** | ||
15 | ** Damien Miller <djm@ibs.com.au> | ||
16 | ** | ||
17 | ** Copyright 1999 Internet Business Solutions | ||
18 | ** | ||
19 | ** Permission is hereby granted, free of charge, to any person | ||
20 | ** obtaining a copy of this software and associated documentation | ||
21 | ** files (the "Software"), to deal in the Software without | ||
22 | ** restriction, including without limitation the rights to use, copy, | ||
23 | ** modify, merge, publish, distribute, sublicense, and/or sell copies | ||
24 | ** of the Software, and to permit persons to whom the Software is | ||
25 | ** furnished to do so, subject to the following conditions: | ||
26 | ** | ||
27 | ** The above copyright notice and this permission notice shall be | ||
28 | ** included in all copies or substantial portions of the Software. | ||
29 | ** | ||
30 | ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY | ||
31 | ** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE | ||
32 | ** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE | ||
33 | ** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET | ||
34 | ** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
35 | ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | ||
36 | ** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE | ||
37 | ** OR OTHER DEALINGS IN THE SOFTWARE. | ||
38 | ** | ||
39 | ** Except as contained in this notice, the name of Internet Business | ||
40 | ** Solutions shall not be used in advertising or otherwise to promote | ||
41 | ** the sale, use or other dealings in this Software without prior | ||
42 | ** written authorization from Internet Business Solutions. | ||
43 | ** | ||
44 | */ | ||
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs new file mode 100644 index 000000000..4d0ee7a32 --- /dev/null +++ b/debian/ssh-askpass-gnome.dirs | |||
@@ -0,0 +1,2 @@ | |||
1 | usr/lib/ssh | ||
2 | usr/share/man/man1 | ||
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst new file mode 100644 index 000000000..7441cca29 --- /dev/null +++ b/debian/ssh-askpass-gnome.postinst | |||
@@ -0,0 +1,53 @@ | |||
1 | #! /bin/sh | ||
2 | # postinst script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <postinst> `configure' <most-recently-configured-version> | ||
10 | # * <old-postinst> `abort-upgrade' <new version> | ||
11 | # * <conflictor's-postinst> `abort-remove' `in-favour' <package> | ||
12 | # <new-version> | ||
13 | # * <deconfigured's-postinst> `abort-deconfigure' `in-favour' | ||
14 | # <failed-install-package> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | # | ||
18 | # quoting from the policy: | ||
19 | # Any necessary prompting should almost always be confined to the | ||
20 | # post-installation script, and should be protected with a conditional | ||
21 | # so that unnecessary prompting doesn't happen if a package's | ||
22 | # installation fails and the `postinst' is called with `abort-upgrade', | ||
23 | # `abort-remove' or `abort-deconfigure'. | ||
24 | |||
25 | case "$1" in | ||
26 | configure) | ||
27 | update-alternatives --quiet \ | ||
28 | --install /usr/bin/ssh-askpass ssh-askpass \ | ||
29 | /usr/lib/ssh/gnome-ssh-askpass 30 \ | ||
30 | --slave /usr/share/man/man1/ssh-askpass.1.gz \ | ||
31 | ssh-askpass.1.gz /usr/share/man/man1/gnome-ssh-askpass.1.gz | ||
32 | |||
33 | |||
34 | ;; | ||
35 | |||
36 | abort-upgrade|abort-remove|abort-deconfigure) | ||
37 | |||
38 | ;; | ||
39 | |||
40 | *) | ||
41 | echo "postinst called with unknown argument \`$1'" >&2 | ||
42 | exit 0 | ||
43 | ;; | ||
44 | esac | ||
45 | |||
46 | # dh_installdeb will replace this with shell code automatically | ||
47 | # generated by other debhelper scripts. | ||
48 | |||
49 | #DEBHELPER# | ||
50 | |||
51 | exit 0 | ||
52 | |||
53 | |||
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm new file mode 100644 index 000000000..6f3f5756d --- /dev/null +++ b/debian/ssh-askpass-gnome.prerm | |||
@@ -0,0 +1,41 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass | ||
21 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
22 | ;; | ||
23 | upgrade) | ||
24 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
25 | ;; | ||
26 | failed-upgrade) | ||
27 | ;; | ||
28 | *) | ||
29 | echo "prerm called with unknown argument \`$1'" >&2 | ||
30 | exit 0 | ||
31 | ;; | ||
32 | esac | ||
33 | |||
34 | # dh_installdeb will replace this with shell code automatically | ||
35 | # generated by other debhelper scripts. | ||
36 | |||
37 | #DEBHELPER# | ||
38 | |||
39 | exit 0 | ||
40 | |||
41 | |||
diff --git a/debian/ssh.default b/debian/ssh.default new file mode 100644 index 000000000..aa03c4e07 --- /dev/null +++ b/debian/ssh.default | |||
@@ -0,0 +1,5 @@ | |||
1 | # Default settings for ssh. This file is sourced by /bin/sh from | ||
2 | # /etc/init.d/ssh. | ||
3 | |||
4 | # Options to pass to sshd | ||
5 | SSHD_OPTS= | ||
diff --git a/debian/ssh.pam b/debian/ssh.pam new file mode 100644 index 000000000..f6fbd3ebc --- /dev/null +++ b/debian/ssh.pam | |||
@@ -0,0 +1,21 @@ | |||
1 | #%PAM-1.0 | ||
2 | auth required pam_nologin.so | ||
3 | auth required pam_unix.so | ||
4 | auth required pam_env.so # [1] | ||
5 | |||
6 | account required pam_unix.so | ||
7 | |||
8 | session required pam_unix.so | ||
9 | session optional pam_motd.so # [1] | ||
10 | session optional pam_mail.so standard noenv # [1] | ||
11 | session required pam_limits.so | ||
12 | |||
13 | password required pam_unix.so | ||
14 | |||
15 | # Alternate strength checking for password. Note that this | ||
16 | # requires the libpam-cracklib package to be installed. | ||
17 | # You will need to comment out the password line above and | ||
18 | # uncomment the next two in order to use this. | ||
19 | # | ||
20 | # password required pam_cracklib.so retry=3 minlen=6 difok=3 | ||
21 | # password required pam_unix.so use_authtok nullok md5 | ||
diff --git a/debian/templates b/debian/templates new file mode 100644 index 000000000..ea8565d29 --- /dev/null +++ b/debian/templates | |||
@@ -0,0 +1,163 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation | ||
5 | option. This significantly reduces the quantity of code that runs as | ||
6 | root, and therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
9 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
10 | example) will fail, and PAM keyboard-interactive authentication | ||
11 | won't work. | ||
12 | . | ||
13 | Privilege separation is turned on by default, so if you decide you | ||
14 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
15 | /etc/ssh/sshd_config. | ||
16 | . | ||
17 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
18 | separation will not work at all, and your sshd will fail to start | ||
19 | unless you explicitly turn privilege separation off. | ||
20 | |||
21 | Template: ssh/privsep_ask | ||
22 | Type: boolean | ||
23 | Default: true | ||
24 | Description: Enable Privilege separation | ||
25 | This version of OpenSSH contains the new privilege separation | ||
26 | option. This significantly reduces the quantity of code that runs as | ||
27 | root, and therefore reduces the impact of security holes in sshd. | ||
28 | . | ||
29 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
30 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
31 | example) will fail, and PAM keyboard-interactive authentication | ||
32 | won't work. | ||
33 | . | ||
34 | Since you've opted to have me generate an sshd_config file for you, | ||
35 | you can choose whether or not to have Privilege Separation turned on | ||
36 | or not. Unless you are running 2.0 (in which case you *must* say no | ||
37 | here or your sshd won't start at all) or know you need to use PAM | ||
38 | features that won't work with this option, you should say yes here. | ||
39 | |||
40 | Template: ssh/new_config | ||
41 | Type: boolean | ||
42 | Default: true | ||
43 | Description: Generate new configuration file | ||
44 | This version of OpenSSH has a considerably changed configuration file from | ||
45 | the version shipped in Debian 'Potato', which you appear to be upgrading from. | ||
46 | I can now generate you a new configuration file (/etc/ssh/sshd.config), which | ||
47 | will work with the new server version, but will not contain any customisations | ||
48 | you made with the old version. | ||
49 | . | ||
50 | Please note that this new configuration file will set the value of | ||
51 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password can | ||
52 | ssh directly in as root). It is the opinion of the maintainer that this is | ||
53 | the correct default (see README.Debian for more details), but you can always | ||
54 | edit sshd_config and set it to no if you wish. | ||
55 | . | ||
56 | It is strongly recommended that you let me generate a new configuration file | ||
57 | for you. | ||
58 | |||
59 | Template: ssh/protocol2_only | ||
60 | Type: boolean | ||
61 | Default: true | ||
62 | Description: Allow SSH protocol 2 only | ||
63 | This version of OpenSSH supports version 2 of the ssh protocol, which | ||
64 | is much more secure. Disabling ssh 1 is encouraged, however this | ||
65 | will slow things down on low end machines and might prevent older | ||
66 | clients from connecting (the ssh client shipped with "potato" is affected). | ||
67 | . | ||
68 | Also please note that keys used for protocol 1 are different so you will | ||
69 | not be able to use them if you only allow protocol 2 connections. | ||
70 | . | ||
71 | If you later change your mind about this setting, README.Debian has | ||
72 | instructions on what to do to your sshd_config file. | ||
73 | |||
74 | Template: ssh/ssh2_keys_merged | ||
75 | Type: note | ||
76 | Description: ssh2 keys merged in configuration files | ||
77 | As of version 3 OpenSSH no longer uses separate files for ssh1 and | ||
78 | ssh2 keys. This means the authorized_keys2 and known_hosts2 files | ||
79 | are no longer needed. They will still be read in order to maintain | ||
80 | backwards compatibility | ||
81 | |||
82 | Template: ssh/use_old_init_script | ||
83 | Type: boolean | ||
84 | Default: false | ||
85 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
86 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
87 | all running sshd instances. If you are doing this upgrade via an ssh | ||
88 | session, that would be a Bad Thing(tm). | ||
89 | . | ||
90 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
91 | start-stop-daemon line in the stop section of the file. | ||
92 | |||
93 | Template: ssh/forward_warning | ||
94 | Type: note | ||
95 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
96 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
97 | ForwardAgent set to ``off'' by default. | ||
98 | . | ||
99 | You can enable it for servers you trust, either | ||
100 | in one of the configuration files, or with the -X command line option. | ||
101 | . | ||
102 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
103 | |||
104 | Template: ssh/insecure_rshd | ||
105 | Type: note | ||
106 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
107 | having rsh-server installed undermines the security that you were probably | ||
108 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
109 | |||
110 | Template: ssh/insecure_telnetd | ||
111 | Type: note | ||
112 | Description: Warning: telnetd is installed --- probably not a good idea | ||
113 | I'd advise you to either remove the telnetd package (if you don't actually | ||
114 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
115 | least some chance that telnet sessions will not be sending unencrypted | ||
116 | login/password and session information over the network. | ||
117 | |||
118 | Template: ssh/encrypted_host_key_but_no_keygen | ||
119 | Type: note | ||
120 | Description: Warning: you must create a new host key | ||
121 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
122 | OpenSSH can not handle this host key file, and I can't find the | ||
123 | ssh-keygen utility from the old (non-free) SSH installation. | ||
124 | . | ||
125 | You will need to generate a new host key. | ||
126 | |||
127 | Template: ssh/SUID_client | ||
128 | Type: boolean | ||
129 | Default: true | ||
130 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
131 | You have the option of installing the ssh-keysign helper with the SUID | ||
132 | bit set. | ||
133 | . | ||
134 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
135 | host-based authentication. | ||
136 | . | ||
137 | If in doubt, I suggest you install it with SUID. If it causes | ||
138 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
139 | |||
140 | Template: ssh/run_sshd | ||
141 | Type: boolean | ||
142 | Default: true | ||
143 | Description: Do you want to run the sshd server ? | ||
144 | This package contains both the ssh client, and the sshd server. | ||
145 | . | ||
146 | Normally the sshd Secure Shell Server will be run to allow remote | ||
147 | logins via ssh. | ||
148 | . | ||
149 | If you are only interested in using the ssh client for outbound | ||
150 | connections on this machine, and don't want to log into it at all | ||
151 | using ssh, then you can disable sshd here. | ||
152 | |||
153 | Template: ssh/user_environment_tell | ||
154 | Type: note | ||
155 | Description: Environment options on keys have been deprecated | ||
156 | This version of OpenSSH disables the environment option for public keys by | ||
157 | default, in order to avoid certain attacks (for example, LD_PRELOAD). If | ||
158 | you are using this option in an authorized_keys file, beware that the keys | ||
159 | in question will no longer work until the option is removed. | ||
160 | . | ||
161 | To re-enable this option, set "PermitUserEnvironment yes" in | ||
162 | /etc/ssh/sshd_config after the upgrade is complete, taking note of the | ||
163 | warning in the sshd_config(5) manual page. | ||
diff --git a/debian/templates.da b/debian/templates.da new file mode 100644 index 000000000..b8fc9be18 --- /dev/null +++ b/debian/templates.da | |||
@@ -0,0 +1,253 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation option. This | ||
5 | significantly reduces the quantity of code that runs as root, and | ||
6 | therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
9 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
10 | fail, and PAM keyboard-interactive authentication won't work. | ||
11 | . | ||
12 | Privilege separation is turned on by default, so if you decide you want it | ||
13 | turned off, you need to add "UsePrivilegeSeparation no" to | ||
14 | /etc/ssh/sshd_config. | ||
15 | . | ||
16 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
17 | separation will not work at all, and your sshd will fail to start unless | ||
18 | you explicitly turn privilege separation off. | ||
19 | Description-da: Privilegie adskillelse | ||
20 | Denne version af OpenSSH indeholder den nye privilegie adskillelses | ||
21 | mulighed. Det reducerer markant mФngden af kode der kЬrer som root, og | ||
22 | derfor reducerer det impakten pЕ sikkerheds huller i sshd. | ||
23 | . | ||
24 | DesvФrre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul | ||
25 | der skal kЬres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM | ||
26 | tastatur-interaktive autentifikationer vil ikke virke. | ||
27 | . | ||
28 | Privilegie adskillelse er slЕet til som standard, sЕ hvis du beslutter at | ||
29 | slЕ det fra, skal du bruge "UsePrivilegeSeparation no" i | ||
30 | /etc/ssh/sshd_config. | ||
31 | |||
32 | Template: ssh/privsep_ask | ||
33 | Type: boolean | ||
34 | Default: true | ||
35 | Description: Enable Privilege separation | ||
36 | This version of OpenSSH contains the new privilege separation option. This | ||
37 | significantly reduces the quantity of code that runs as root, and | ||
38 | therefore reduces the impact of security holes in sshd. | ||
39 | . | ||
40 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
41 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
42 | fail, and PAM keyboard-interactive authentication won't work. | ||
43 | . | ||
44 | Since you've opted to have me generate an sshd_config file for you, you | ||
45 | can choose whether or not to have Privilege Separation turned on or not. | ||
46 | Unless you are running 2.0 (in which case you *must* say no here or your | ||
47 | sshd won't start at all) or know you need to use PAM features that won't | ||
48 | work with this option, you should say yes here. | ||
49 | Description-da: Aktiver Privilegie adskillelse | ||
50 | Denne version af OpenSSH indeholder den nye privilegie adskillelses | ||
51 | mulighed. Det reducerer markant mФngden af kode der kЬrer som root, og | ||
52 | derfor reducerer det impakten pЕ sikkerheds huller i sshd. | ||
53 | . | ||
54 | DesvФrre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul | ||
55 | der skal kЬres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM | ||
56 | tastatur-interaktive autentifikationer vil ikke virke. | ||
57 | . | ||
58 | Siden du har bedt mig om at lave en sshd_config fil til dig, kan du vФlge | ||
59 | om du vil have privilegie adskillelse slЕet til eller ej. Medmindre du | ||
60 | kЬrer 2.0 (i hvilket tilfФlde du *skal* sige nej her, ellers vil din sshd | ||
61 | slet ikke starte) eller ved at du skal bruge PAM funktioner som ikke vil | ||
62 | virke med dette tilvalg, skal du sige ja her. | ||
63 | |||
64 | Template: ssh/new_config | ||
65 | Type: boolean | ||
66 | Default: true | ||
67 | Description: Generate new configuration file | ||
68 | This version of OpenSSH has a considerably changed configuration file from | ||
69 | the version shipped in Debian 'Potato', which you appear to be upgrading | ||
70 | from. I can now generate you a new configuration file | ||
71 | (/etc/ssh/sshd.config), which will work with the new server version, but | ||
72 | will not contain any customisations you made with the old version. | ||
73 | . | ||
74 | Please note that this new configuration file will set the value of | ||
75 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password | ||
76 | can ssh directly in as root). It is the opinion of the maintainer that | ||
77 | this is the correct default (see README.Debian for more details), but you | ||
78 | can always edit sshd_config and set it to no if you wish. | ||
79 | . | ||
80 | It is strongly recommended that you let me generate a new configuration | ||
81 | file for you. | ||
82 | Description-da: Opret ny konfigurations fil | ||
83 | Denne version af OpenSSH har en betydeligt Фndret konfigurations fil fra | ||
84 | den version der kom med Debian 'Potato', som du ser ud til at opgradere fra. | ||
85 | Jeg kan nu oprette en ny konfigurations fil (//etc/ssh/sshd.config), som | ||
86 | vil virke med den nye server version, men det vil ikke beholde eventuelle | ||
87 | Фndringer du lavede med den gamle version. | ||
88 | . | ||
89 | Venligst bemФrk at den nye konfigurations fil vil sФtte vФrdien af | ||
90 | 'PermitRootLogin' til ja (som betyder at alle der kender roots password, | ||
91 | kan tilgЕ maskinen via ssh direkte). Det er vedligeholderens mening, at det | ||
92 | er den korrekte standard-vФrdi (se README.Debian for flere detaljer), men | ||
93 | du kan altid redigere sshd_config og slЕ det fra, hvis du Ьnsker. | ||
94 | . | ||
95 | Du rЕdes stФrkt til at lade mig genere en ny konfigurations fil for dig. | ||
96 | |||
97 | Template: ssh/protocol2_only | ||
98 | Type: boolean | ||
99 | Default: true | ||
100 | Description: Allow SSH protocol 2 only | ||
101 | This version of OpenSSH supports version 2 of the ssh protocol, which is | ||
102 | much more secure. Disabling ssh 1 is encouraged, however this will slow | ||
103 | things down on low end machines and might prevent older clients from | ||
104 | connecting (the ssh client shipped with "potato" is affected). | ||
105 | . | ||
106 | Also please note that keys used for protocol 1 are different so you will | ||
107 | not be able to use them if you only allow protocol 2 connections. | ||
108 | . | ||
109 | If you later change your mind about this setting, README.Debian has | ||
110 | instructions on what to do to your sshd_config file. | ||
111 | Description-da: Tillad kun SSH protokol 2 | ||
112 | Denne udgave af OpenSSH understЬtter version 2 af ssh-protokollen, som er | ||
113 | betydeligt mere sikker. Det anbefales af deaktivere version 1. Dog kan det | ||
114 | slЬve langsomme maskiner, og forhindre Фldre klienter i at opnЕ | ||
115 | forbindelse (ssh klienten der kommer med "potato" er en af dem). | ||
116 | . | ||
117 | Du skal ogsЕ bemФrke at de nЬgler som bliver anvendt til protokol 1 er | ||
118 | forskellige, sЕ du vil ikke Фvre i stand til at bruge dem, hvis du kun | ||
119 | tillader protokol 2 forbindelser. | ||
120 | . | ||
121 | Hvis du senere Фndrer din mening om denne indstilling, har README.Debian | ||
122 | instruktioner pЕ hvad du skal gЬre ved din sshd_config fil. | ||
123 | |||
124 | Template: ssh/ssh2_keys_merged | ||
125 | Type: note | ||
126 | Description: ssh2 keys merged in configuration files | ||
127 | As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
128 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
129 | needed. They will still be read in order to maintain backwards | ||
130 | compatibility | ||
131 | Description-da: ssh2-nЬgler flettet i opsФtningsfilerne | ||
132 | Siden version 3 har OpenSSH ikke lФngere separate filer for ssh1- og | ||
133 | ssh2-nЬgler. Det betyder, at filerne authorized_keys2 og known_hosts2 ikke | ||
134 | lФngere er nЬdvendige. De vil stadig dog stadig blive lФst for | ||
135 | bagudkompatilitetens skyld. | ||
136 | |||
137 | Template: ssh/use_old_init_script | ||
138 | Type: boolean | ||
139 | Default: false | ||
140 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
141 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
142 | all running sshd instances. If you are doing this upgrade via an ssh | ||
143 | session, that would be a Bad Thing(tm). | ||
144 | . | ||
145 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
146 | start-stop-daemon line in the stop section of the file. | ||
147 | Description-da: Vil du fortsФtte (og risikere at afbryde aktive ssh-forbindelser)? | ||
148 | Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis | ||
149 | afbryde alle sshd-dФmoner. Det vil vФre en rigtigt dЕrlig idИ, hvis du er | ||
150 | ved at opgradering via en ssh-forbindelse. | ||
151 | . | ||
152 | Du kan afhjФlpe dette ved at tilfЬje "--pidfile /var/run/sshd.pid" til | ||
153 | 'start-stop-daemon'-linjen i stop-afsnittet af filen. | ||
154 | |||
155 | Template: ssh/forward_warning | ||
156 | Type: note | ||
157 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
158 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
159 | ForwardAgent set to ``off'' by default. | ||
160 | . | ||
161 | You can enable it for servers you trust, either in one of the | ||
162 | configuration files, or with the -X command line option. | ||
163 | . | ||
164 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
165 | Description-da: BEMфRK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret. | ||
166 | Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og | ||
167 | ForwardAgent til 'off' som standard. | ||
168 | . | ||
169 | Du kan aktivere dem for servere, du stoler pЕ i en af opsФtningsfilerne | ||
170 | eller med kommandolinjetilvalget '-X'. | ||
171 | |||
172 | Template: ssh/insecure_rshd | ||
173 | Type: note | ||
174 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
175 | having rsh-server installed undermines the security that you were probably | ||
176 | wanting to obtain by installing ssh. I'd advise you to remove that | ||
177 | package. | ||
178 | Description-da: Advarsel: rsh-serveren er installeret --- sikkert ikke en god idИ | ||
179 | Den sikkerhed, du nok Ьnskede at opnЕ ved at installere ssh undermineres | ||
180 | ved, at du har rsh-server installeret. Jeg vil rЕde dig til at fjerne | ||
181 | pakken rsh-server. | ||
182 | |||
183 | Template: ssh/insecure_telnetd | ||
184 | Type: note | ||
185 | Description: Warning: telnetd is installed --- probably not a good idea | ||
186 | I'd advise you to either remove the telnetd package (if you don't actually | ||
187 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
188 | least some chance that telnet sessions will not be sending unencrypted | ||
189 | login/password and session information over the network. | ||
190 | Description-da: Advarsel: telnetd er installeret --- sikkert ikke en god idИ | ||
191 | Jeg vil rЕde dig til enten at fjerne pakken telnetd (hvis du i | ||
192 | virkeligheden ikke har brug for at tilbyde telnet-adgang) eller installere | ||
193 | telnetd-ssl, sЕ der i det mindste er en mulighed for, at telnet-sessioner | ||
194 | ikke sender adgangskoder og sessions-oplysninger ukrypteret over | ||
195 | netvФrket. | ||
196 | |||
197 | Template: ssh/encrypted_host_key_but_no_keygen | ||
198 | Type: note | ||
199 | Description: Warning: you must create a new host key | ||
200 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH | ||
201 | can not handle this host key file, and I can't find the ssh-keygen utility | ||
202 | from the old (non-free) SSH installation. | ||
203 | . | ||
204 | You will need to generate a new host key. | ||
205 | Description-da: Advarsel: du skal oprette en ny vФrtsnЬgle | ||
206 | Der ligger en gammel, IDEA-krypteret /etc/ssh/ssh_host_key. OpenSSH kan | ||
207 | ikke hЕndtere sЕdan en vФrtsnЬglefil, og jeg kan ikke finde vФrktЬjet | ||
208 | ssh-keygen fra den gamle (ikke-frie, 'non-free') SSH-installation. | ||
209 | |||
210 | Template: ssh/SUID_client | ||
211 | Type: boolean | ||
212 | Default: true | ||
213 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
214 | You have the option of installing the ssh-keysign helper with the SUID bit | ||
215 | set. | ||
216 | . | ||
217 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
218 | host-based authentication. | ||
219 | . | ||
220 | If in doubt, I suggest you install it with SUID. If it causes problems | ||
221 | you can change your mind later by running: dpkg-reconfigure ssh | ||
222 | Description-da: Vil du have, at /usr/bin/ssh-keysign bliver installeret 'SUID root'? | ||
223 | Du har mulighed for at installere ssh-keysign hjФlperen med SUID-flaget | ||
224 | sat. | ||
225 | . | ||
226 | Hvis du gЬr ssh-keysign SUID, vil du blive i stand til at benytte SSH | ||
227 | protokol 2's vФrtsnavn-baserede autentifikation. | ||
228 | . | ||
229 | Hvis du er i tvivl, vil jeg rЕde dig til at installere den med SUID. Hvis | ||
230 | det skaber problemer, kan du Фndre det tilbage igen ved at kЬre: | ||
231 | dpkg-reconfigure ssh | ||
232 | |||
233 | Template: ssh/run_sshd | ||
234 | Type: boolean | ||
235 | Default: true | ||
236 | Description: Do you want to run the sshd server ? | ||
237 | This package contains both the ssh client, and the sshd server. | ||
238 | . | ||
239 | Normally the sshd Secure Shell Server will be run to allow remote logins | ||
240 | via ssh. | ||
241 | . | ||
242 | If you are only interested in using the ssh client for outbound | ||
243 | connections on this machine, and don't want to log into it at all using | ||
244 | ssh, then you can disable sshd here. | ||
245 | Description-da: Vil du kЬre sshd-serveren? | ||
246 | Denne pakke indeholder bЕde ssh-klienten og sshd-serveren. | ||
247 | . | ||
248 | Normalt vil sshd sikker skalserver ('Secure Shell Server') blive aktiveret | ||
249 | og tillade fjerne brugere i at logge pЕ via ssh. | ||
250 | . | ||
251 | Hvis du udelukkende er interesseret i at bruge ssh-klienten til udgЕende | ||
252 | forbindelser fra denne maskine, og ikke Ьnsker at tilgЕ denne maskine | ||
253 | udefra via ssh, kan du nu deaktivere sshd. | ||
diff --git a/debian/templates.de b/debian/templates.de new file mode 100644 index 000000000..5feb24cd9 --- /dev/null +++ b/debian/templates.de | |||
@@ -0,0 +1,95 @@ | |||
1 | Template: ssh/use_old_init_script | ||
2 | Type: boolean | ||
3 | Default: false | ||
4 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
5 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
6 | all running sshd instances. If you are doing this upgrade via an ssh | ||
7 | session, that would be a Bad Thing(tm). | ||
8 | . | ||
9 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
10 | start-stop-daemon line in the stop section of the file. | ||
11 | Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)? | ||
12 | Die Version von /etc/init.d/ssh, die Sie installiert haben, wird | ||
13 | vermutlich Ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade | ||
14 | via ssh erledigen, dann ist das ein Problem. | ||
15 | . | ||
16 | Sie kЖnnen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid" | ||
17 | an die start-stop-daemon Zeile in dem Bereich stop der Datei | ||
18 | /etc/init.d/ssh ergДnzen. | ||
19 | |||
20 | Template: ssh/forward_warning | ||
21 | Type: note | ||
22 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
23 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
24 | ForwardAgent set to ``off'' by default. | ||
25 | . | ||
26 | You can enable it for servers you trust, either | ||
27 | in one of the configuration files, or with the -X command line option. | ||
28 | . | ||
29 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
30 | Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet. | ||
31 | Aus SicherheitsgrЭnden sind die Debian Pakete von ssh ForwardX11 und | ||
32 | ForwardAgent auf "off" gesetzt. | ||
33 | . | ||
34 | Sie kЖnnen dies fЭr Server, denen Sie trauen, entweder per Eintrag in | ||
35 | die Konfigurations Dateien oder per Kommando-Zeilen Option -X Дndern. | ||
36 | . | ||
37 | Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden. | ||
38 | |||
39 | Template: ssh/insecure_rshd | ||
40 | Type: note | ||
41 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
42 | having rsh-server installed undermines the security that you were probably | ||
43 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
44 | Description-de: Warnung: rsh-server ist installiert --- mЖglicherweise | ||
45 | ist es eine schlechte Idee, den rsh-server installiert zu haben, da er | ||
46 | die Sicherheit untergrДbt. Wir empfehlen, das Paket zu entfernen. | ||
47 | |||
48 | Template: ssh/insecure_telnetd | ||
49 | Type: note | ||
50 | Description: Warning: telnetd is installed --- probably not a good idea | ||
51 | I'd advise you to either remove the telnetd package (if you don't actually | ||
52 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
53 | least some chance that telnet sessions will not be sending unencrypted | ||
54 | login/password and session information over the network. | ||
55 | Description-de: Warnung: telnetd ist installiert --- schlechte Idee | ||
56 | Wir empfehlen das telnetd Paket zu entfernen (falls Sie keinen telnet Zugang | ||
57 | anbieten) oder telnetd-ssl zu installieren, so daъ Sie verhindern kЖnnen, | ||
58 | daъ Login und Password unverschlЭsselt durch das Netz gesendet | ||
59 | werden. | ||
60 | |||
61 | Template: ssh/encrypted_host_key_but_no_keygen | ||
62 | Type: note | ||
63 | Description: Warning: you must create a new host key | ||
64 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
65 | OpenSSH can not handle this host key file, and I can't find the | ||
66 | ssh-keygen utility from the old (non-free) SSH installation. | ||
67 | . | ||
68 | You will need to generate a new host key. | ||
69 | Description-de: Warnung: Sie mЭssen einen neuen Host Key erzeugen | ||
70 | Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche | ||
71 | per IDEA verschlЭsselt ist. OpenSSH kann eine solche Host Key Datei | ||
72 | nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation | ||
73 | kann nicht gefunden werden. | ||
74 | |||
75 | Template: ssh/run_sshd | ||
76 | Type: boolean | ||
77 | Default: true | ||
78 | Description: Do you want to run the sshd server ? | ||
79 | This package contains both the ssh client, and the sshd server. | ||
80 | . | ||
81 | Normally the sshd Secure Shell Server will be run to allow remote | ||
82 | logins via ssh. | ||
83 | . | ||
84 | If you are only interested in using the ssh client for outbound | ||
85 | connections on this machine, and don't want to log into it at all | ||
86 | using ssh, then you can disable sshd here. | ||
87 | Description-de: MЖchten Sie den sshd Server starten? | ||
88 | Das Paket enthДlt sowohl den Client als auch den sshd Server. | ||
89 | . | ||
90 | Normal wird der sshd Secure Shell Server fЭr Remote Logins per ssh | ||
91 | gestartet. | ||
92 | . | ||
93 | Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechnern | ||
94 | zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen, | ||
95 | dann kЖnnen Sie hier den sshd abschalten. | ||
diff --git a/debian/templates.es b/debian/templates.es new file mode 100644 index 000000000..8d7b25a34 --- /dev/null +++ b/debian/templates.es | |||
@@ -0,0 +1,266 @@ | |||
1 | Template: ssh/run_sshd | ||
2 | Type: boolean | ||
3 | Default: true | ||
4 | Description: Do you want to run the sshd server ? | ||
5 | This package contains both the ssh client, and the sshd server. | ||
6 | . | ||
7 | Normally the sshd Secure Shell Server will be run to allow remote logins | ||
8 | via ssh. | ||
9 | . | ||
10 | If you are only interested in using the ssh client for outbound | ||
11 | connections on this machine, and don't want to log into it at all using | ||
12 | ssh, then you can disable sshd here. | ||
13 | Description-es: ©Quiere ejecutar el servidor sshd? | ||
14 | Este paquete contiene el cliente ssh y el servidor sshd. | ||
15 | . | ||
16 | Generalmente, el servidor de ssh (Secure Shell Server) se ejecuta para | ||
17 | permitir el acceso remoto mediante ssh. | ||
18 | . | ||
19 | Si sСlo estА interesado en usar el cliente ssh en conexiones salientes del | ||
20 | sistema y no quiere acceder a Иl mediante ssh, entonces puede desactivar | ||
21 | sshd. | ||
22 | |||
23 | Template: ssh/use_old_init_script | ||
24 | Type: boolean | ||
25 | Default: false | ||
26 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
27 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
28 | all running sshd instances. If you are doing this upgrade via an ssh | ||
29 | session, that would be a Bad Thing(tm). | ||
30 | . | ||
31 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
32 | start-stop-daemon line in the stop section of the file. | ||
33 | Description-es: ©Desea continuar, aЗn a riesgo de matar las sesiones ssh activas? | ||
34 | La versiСn de /etc/init.d/ssh que tiene instalada es muy probable que | ||
35 | mate el demonio ssh. Si estА actualizando a travИs de una sesiСn ssh, | ||
36 | puede que no sea muy buena idea. | ||
37 | . | ||
38 | Puede arreglarlo aЯadiendo "--pidfile /var/run/sshd.pid" a la lМnea | ||
39 | 'start-stop-daemon', en la secciСn 'stop' del fichero. | ||
40 | |||
41 | Template: ssh/SUID_client | ||
42 | Type: boolean | ||
43 | Default: true | ||
44 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
45 | You have the option of installing the ssh-keysign helper with the SUID bit | ||
46 | set. | ||
47 | . | ||
48 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
49 | host-based authentication. | ||
50 | . | ||
51 | If in doubt, I suggest you install it with SUID. If it causes problems | ||
52 | you can change your mind later by running: dpkg-reconfigure ssh | ||
53 | Description-es: ©Quiere instalar /usr/lib/ssh-keysign SUID root? | ||
54 | Puede instalar ssh-keysign con el bit SUID (se ejecutarА con privilegios | ||
55 | de root). | ||
56 | . | ||
57 | Si hace ssh-keysign SUID, podrА usar la autentificiaciСn basada en | ||
58 | servidor de la versiСn 2 del protocolo SSH. | ||
59 | . | ||
60 | Si duda, se recomienda que lo instale SUID. Si surgen problemas puede | ||
61 | cambiar de opiniСn posteriormente ejecutando ╚dpkg-reconfigure ssh╩. | ||
62 | |||
63 | Template: ssh/encrypted_host_key_but_no_keygen | ||
64 | Type: note | ||
65 | Description: Warning: you must create a new host key | ||
66 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH | ||
67 | can not handle this host key file, and I can't find the ssh-keygen utility | ||
68 | from the old (non-free) SSH installation. | ||
69 | . | ||
70 | You will need to generate a new host key. | ||
71 | Description-es: Aviso: debe crear una nueva clave para su servidor | ||
72 | Su sistema tiene un /etc/ssh/ssh_host_key antiguo, que usa cifrado IDEA. | ||
73 | OpenSSH no puede manejar este fichero de claves y tampoco se encuentra la | ||
74 | utilidad ssh-keygen incluida en el paquete ssh no libre. | ||
75 | . | ||
76 | NecesitarА generar una nueva clave para su servidor. | ||
77 | |||
78 | Template: ssh/insecure_telnetd | ||
79 | Type: note | ||
80 | Description: Warning: telnetd is installed --- probably not a good idea | ||
81 | I'd advise you to either remove the telnetd package (if you don't actually | ||
82 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
83 | least some chance that telnet sessions will not be sending unencrypted | ||
84 | login/password and session information over the network. | ||
85 | Description-es: Aviso: tiene telnetd instalado | ||
86 | Es muy aconsejable que borre el paquete telnetd si no necesita realmente | ||
87 | ofrecer acceso mediante telnet o instalar telnetd-ssl para que las | ||
88 | contraseЯas, nombres de usuario y demАs informaciСn de las sesiones telnet | ||
89 | no viajen sin cifrar por la red. | ||
90 | |||
91 | Template: ssh/forward_warning | ||
92 | Type: note | ||
93 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
94 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
95 | ForwardAgent set to ``off'' by default. | ||
96 | . | ||
97 | You can enable it for servers you trust, either in one of the | ||
98 | configuration files, or with the -X command line option. | ||
99 | . | ||
100 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
101 | Description-es: NOTA: ReenvМo de X11 y AutorizaciСn desactivadas por defecto. | ||
102 | Por razones de seguridad, la versiСn de ssh de Debian tiene por defecto | ||
103 | ForwardX11 y ForwardAgent desactivadas. | ||
104 | . | ||
105 | Puede activar estas opciones para los servidores en los que confМe, en los | ||
106 | ficheros de configuraciСn o con la opciСn -X en lМnea de comandos. | ||
107 | . | ||
108 | Puede encontrar mАs detalles en /usr/share/doc/ssh/README.Debian. | ||
109 | |||
110 | Template: ssh/privsep_tell | ||
111 | Type: note | ||
112 | Description: Privilege separation | ||
113 | This version of OpenSSH contains the new privilege separation option. This | ||
114 | significantly reduces the quantity of code that runs as root, and | ||
115 | therefore reduces the impact of security holes in sshd. | ||
116 | . | ||
117 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
118 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
119 | fail, and PAM keyboard-interactive authentication won't work. | ||
120 | . | ||
121 | Privilege separation is turned on by default, so if you decide you want it | ||
122 | turned off, you need to add "UsePrivilegeSeparation no" to | ||
123 | /etc/ssh/sshd_config. | ||
124 | . | ||
125 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
126 | separation will not work at all, and your sshd will fail to start unless | ||
127 | you explicitly turn privilege separation off. | ||
128 | Description-es: SeparaciСn de privilegios | ||
129 | Esta versiСn de OpenSSH incluye una nueva opciСn de separaciСn de | ||
130 | privilegios que reduce significativamente la cantidad de cСdigo que se | ||
131 | ejecuta como root, por lo que reduce el impacto de posibles agujeros de | ||
132 | seguridad en sshd. | ||
133 | . | ||
134 | Desafortunadamente, la separaciСn de privilegios no interactЗa | ||
135 | correctamente con PAM. Cualquier mСdulo PAM que necesite ejecutarse como | ||
136 | root (como, por ejemplo, pam_mkhomedir) y la autentificaciСn interactiva | ||
137 | PAM con teclado no funcionarАn. | ||
138 | . | ||
139 | La separaciСn de privilegios estА activa por defecto, por lo que si decide | ||
140 | desactivarla, tiene que aЯadir "UsePrivilegeSeparation no" al fichero | ||
141 | /etc/ssh/sshd_config. | ||
142 | . | ||
143 | Nota: Si utiliza un nЗcleo Linux de la serie 2.0, la separaciСn de | ||
144 | privilegios fallarА estrepitosamente y sshd no funcionarА a no ser que la | ||
145 | desactive. | ||
146 | |||
147 | Template: ssh/ssh2_keys_merged | ||
148 | Type: note | ||
149 | Description: ssh2 keys merged in configuration files | ||
150 | As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
151 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
152 | needed. They will still be read in order to maintain backwards | ||
153 | compatibility | ||
154 | Description-es: Las claves ssh2 ya se incluyen en los ficheros de configuraciСn | ||
155 | A partir de la versiСn 3, OpenSSH ya no utiliza ficheros diferentes para | ||
156 | las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los | ||
157 | ficheros authorized_keys2 y known_hosts2, aunque aЗn se seguirАn leyendo | ||
158 | para mantener compatibilidad hacia atrАs. | ||
159 | |||
160 | Template: ssh/protocol2_only | ||
161 | Type: boolean | ||
162 | Default: true | ||
163 | Description: Allow SSH protocol 2 only | ||
164 | This version of OpenSSH supports version 2 of the ssh protocol, which is | ||
165 | much more secure. Disabling ssh 1 is encouraged, however this will slow | ||
166 | things down on low end machines and might prevent older clients from | ||
167 | connecting (the ssh client shipped with "potato" is affected). | ||
168 | . | ||
169 | Also please note that keys used for protocol 1 are different so you will | ||
170 | not be able to use them if you only allow protocol 2 connections. | ||
171 | . | ||
172 | If you later change your mind about this setting, README.Debian has | ||
173 | instructions on what to do to your sshd_config file. | ||
174 | Description-es: Permitir sСlo la versiСn 2 del protocolo SSH | ||
175 | Esta versiСn de OpenSSH soporta la versiСn 2 del protocolo ssh, que es | ||
176 | mucho mАs segura que la anterior. Se recomienda desactivar la versiСn 1, | ||
177 | aunque funcionarА mАs lento en mАquinas modestas y puede impedir que se | ||
178 | conecten clientes antiguos, como, por ejemplo, el incluido en "potato". | ||
179 | . | ||
180 | TambiИn tenga en cuenta que las claves utilizadas para el protocolo 1 son | ||
181 | diferentes, por lo que no podrА usarlas si Зnicamente permite conexiones | ||
182 | mediante la versiСn 2 del protocolo. | ||
183 | . | ||
184 | Si mАs tarde cambia de opiniСn, el fichero README.Debian contiene | ||
185 | instrucciones sobre cСmo modificar en el fichero sshd_config. | ||
186 | |||
187 | Template: ssh/insecure_rshd | ||
188 | Type: note | ||
189 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
190 | having rsh-server installed undermines the security that you were probably | ||
191 | wanting to obtain by installing ssh. I'd advise you to remove that | ||
192 | package. | ||
193 | Description-es: Aviso: tiene rsh-server instalado | ||
194 | Tener rsh-server instalado representa un menoscabo de la seguridad que | ||
195 | probablemente desea obtener instalando ssh. Es muy aconsejable que borre | ||
196 | ese paquete. | ||
197 | |||
198 | Template: ssh/privsep_ask | ||
199 | Type: boolean | ||
200 | Default: true | ||
201 | Description: Enable Privilege separation | ||
202 | This version of OpenSSH contains the new privilege separation option. This | ||
203 | significantly reduces the quantity of code that runs as root, and | ||
204 | therefore reduces the impact of security holes in sshd. | ||
205 | . | ||
206 | Unfortunately, privilege separation interacts badly with PAM. Any PAM | ||
207 | session modules that need to run as root (pam_mkhomedir, for example) will | ||
208 | fail, and PAM keyboard-interactive authentication won't work. | ||
209 | . | ||
210 | Since you've opted to have me generate an sshd_config file for you, you | ||
211 | can choose whether or not to have Privilege Separation turned on or not. | ||
212 | Unless you are running 2.0 (in which case you *must* say no here or your | ||
213 | sshd won't start at all) or know you need to use PAM features that won't | ||
214 | work with this option, you should say yes here. | ||
215 | Description-es: Activar separaciСn de privilegios | ||
216 | Esta versiСn de OpenSSH incluye una nueva opciСn de separaciСn de | ||
217 | privilegios que reduce significativamente la cantidad de cСdigo que se | ||
218 | ejecuta como root, por lo que reduce el impacto de posibles agujeros de | ||
219 | seguridad en sshd. | ||
220 | . | ||
221 | Desafortunadamente, la separaciСn de privilegios no interactЗa | ||
222 | correctamente con PAM. Cualquier mСdulo PAM que necesite ejecutarse como | ||
223 | root (como, por ejemplo, pam_mkhomedir) y la autentificaciСn PAM mediante | ||
224 | teclado no funcionarАn. | ||
225 | . | ||
226 | Puesto que ha elegido crear automАticamente el fichero sshd_config, puede | ||
227 | decidir ahora si quiere activar la opciСn de separaciСn de privilegios. A | ||
228 | menos que utilice la versiСn 2.0 (en cuyo caso debe responer no aquМ o | ||
229 | sshd no arrancarА) o sepa que necesita usar ciertas caracterМsticas de PAM | ||
230 | que funcionan con esta opciСn, deberМa responder sМ a esta pregunta. | ||
231 | |||
232 | Template: ssh/new_config | ||
233 | Type: boolean | ||
234 | Default: true | ||
235 | Description: Generate new configuration file | ||
236 | This version of OpenSSH has a considerably changed configuration file from | ||
237 | the version shipped in Debian 'Potato', which you appear to be upgrading | ||
238 | from. I can now generate you a new configuration file | ||
239 | (/etc/ssh/sshd.config), which will work with the new server version, but | ||
240 | will not contain any customisations you made with the old version. | ||
241 | . | ||
242 | Please note that this new configuration file will set the value of | ||
243 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password | ||
244 | can ssh directly in as root). It is the opinion of the maintainer that | ||
245 | this is the correct default (see README.Debian for more details), but you | ||
246 | can always edit sshd_config and set it to no if you wish. | ||
247 | . | ||
248 | It is strongly recommended that you let me generate a new configuration | ||
249 | file for you. | ||
250 | Description-es: Generar un nuevo fichero de configuraciСn | ||
251 | Esta versiСn de OpenSSH tiene un fichero de configuraciСn | ||
252 | considerablemente diferente del incluido en Debian Potato, que es la | ||
253 | versiСn desde la que parece estar actualizando. Puede crear | ||
254 | automАticamente un nuevo fichero de configuraciСn (/etc/ssh/sshd_config), | ||
255 | que funcionarА con la nueva versiСn del servidor, pero no incuirА las | ||
256 | modificaciones que hiciera en la versiСn antigua. | ||
257 | . | ||
258 | AdemАs, recuerde que este nuevo fichero de configuraciСn dirА sМ en la | ||
259 | opciСn 'PermitRootLogin', por lo que cualquiera que conozca la contraseЯa | ||
260 | de root podrА entrar mediante ssh directamente como root. En opiniСn del | ||
261 | mantenedor Иsta es la opciСn predeterminada mАs adecuada (puede leer | ||
262 | README.Debian si quiere conocer mАs detalles), pero siempre puede editar | ||
263 | sshd_config y poner no si lo desea. | ||
264 | . | ||
265 | Es muy recomendable que permita que se genere un nuevo fichero de | ||
266 | configuraciСn ahora. | ||
diff --git a/debian/templates.fr b/debian/templates.fr new file mode 100644 index 000000000..5eee0f92a --- /dev/null +++ b/debian/templates.fr | |||
@@ -0,0 +1,278 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation | ||
5 | option. This significantly reduces the quantity of code that runs as | ||
6 | root, and therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
9 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
10 | example) will fail, and PAM keyboard-interactive authentication | ||
11 | won't work. | ||
12 | . | ||
13 | Privilege separation is turned on by default, so if you decide you | ||
14 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
15 | /etc/ssh/sshd_config. | ||
16 | . | ||
17 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
18 | separation will not work at all, and your sshd will fail to start | ||
19 | unless you explicitly turn privilege separation off. | ||
20 | Description-fr: SИparation des privilХges | ||
21 | Cette version d'OpenSSH est livrИe avec la nouvelle option de | ||
22 | sИparation des privilХges. Cela rИduit de maniХre significative la | ||
23 | quantitИ de code s'exИcutant en tant que super-utilisateur, et donc | ||
24 | rИduit l'impact des trous de sИcuritИ dans sshd. | ||
25 | . | ||
26 | Malheureusement, la sИparation des privilХges interagit mal avec PAM. | ||
27 | Tous les modules de session PAM qui doivent Йtre exИcutИs en tant | ||
28 | que super-utilisateur (pam_mkhomedir, par exemple) ne s'exИcuteront | ||
29 | pas, et l'authentification interactive au clavier ne fonctionnera pas. | ||
30 | . | ||
31 | La sИparation des privilХges est activИe par dИfaut ; si vous | ||
32 | souhaitez la dИsactiver, vous devez ajouter ╚═UsePrivilegeSeparation | ||
33 | no═╩ dans /etc/ssh/sshd_config. | ||
34 | . | ||
35 | NB═! Si vous avez un noyau Linux de la sИrie des 2.0, la sИparation | ||
36 | des privilХges ne fonctionne pas, et votre dИmon sshd ne se lancera | ||
37 | que si vous avez explicitement dИsactivИ la sИparation des privilХges. | ||
38 | |||
39 | Template: ssh/privsep_ask | ||
40 | Type: boolean | ||
41 | Default: true | ||
42 | Description: Enable Privilege separation | ||
43 | This version of OpenSSH contains the new privilege separation | ||
44 | option. This significantly reduces the quantity of code that runs as | ||
45 | root, and therefore reduces the impact of security holes in sshd. | ||
46 | . | ||
47 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
48 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
49 | example) will fail, and PAM keyboard-interactive authentication | ||
50 | won't work. | ||
51 | . | ||
52 | Since you've opted to have me generate an sshd_config file for you, | ||
53 | you can choose whether or not to have Privilege Separation turned on | ||
54 | or not. Unless you are running 2.0 (in which case you *must* say no | ||
55 | here or your sshd won't start at all) or know you need to use PAM | ||
56 | features that won't work with this option, you should say yes here. | ||
57 | Description-fr: Activer la sИparation des privilХges | ||
58 | Cette version d'OpenSSH est livrИe avec la nouvelle option de | ||
59 | sИparation des privilХges. Cela rИduit de maniХre significative la | ||
60 | quantitИ de code s'exИcutant en tant que super-utilisateur, et donc | ||
61 | rИduit l'impact des trous de sИcuritИ dans sshd. | ||
62 | . | ||
63 | Malheureusement, la sИparation des privilХges interagit mal avec PAM. | ||
64 | Tous les modules de session PAM qui doivent Йtre exИcutИs en tant | ||
65 | que super-utilisateur (pam_mkhomedir, par exemple) ne s'exИcuteront | ||
66 | pas, et l'authentification interactive au clavier ne fonctionnera pas. | ||
67 | . | ||
68 | Comme vous souhaitez que je gИnХre le fichier de configuration | ||
69 | sshd_config Ю votre place, vous pouvez choisir d'activer ou non | ||
70 | l'option de sИparation des privilХges. Si vous utilisez un noyau 2.0 | ||
71 | (dans ce cas vous *devez* dИsactiver cette option ou alors sshd ne se | ||
72 | lancera pas) ou bien si vous avez besoin de fonctionnalitИs PAM, cela | ||
73 | ne fonctionnera pas si cette option est activИe, dans le cas contraire | ||
74 | vous devriez l'activer. | ||
75 | |||
76 | Template: ssh/new_config | ||
77 | Type: boolean | ||
78 | Default: true | ||
79 | Description: Generate new configuration file | ||
80 | This version of OpenSSH has a considerably changed configuration file from | ||
81 | the version shipped in Debian 'Potato', which you appear to be upgrading from. | ||
82 | I can now generate you a new configuration file (/etc/ssh/sshd.config), which | ||
83 | will work with the new server version, but will not contain any customisations | ||
84 | you made with the old version. | ||
85 | . | ||
86 | Please note that this new configuration file will set the value of | ||
87 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password can | ||
88 | ssh directly in as root). It is the opinion of the maintainer that this is | ||
89 | the correct default (see README.Debian for more details), but you can always | ||
90 | edit sshd_config and set it to no if you wish. | ||
91 | . | ||
92 | It is strongly recommended that you let me generate a new configuration file | ||
93 | for you. | ||
94 | Description-fr: CrИer un nouveau fichier de configuration | ||
95 | Cette version d'OpenSSH utilise un fichier de configuration qui a | ||
96 | ИnormИment changИ depuis la version contenue dans la distribution | ||
97 | Debian ╚═Potato═╩, depuis laquelle vous semblez faire une mise Ю jour. | ||
98 | Je peux gИnИrer maintenant pour vous un nouveau fichier de | ||
99 | configuration (/etc/ssh/sshd.config) qui marchera avec la nouvelle | ||
100 | version du serveur, mais ne contiendra aucun des rИglages que vous avez | ||
101 | faits sur l'ancienne version. | ||
102 | . | ||
103 | Veuillez noter que ce nouveau fichier de configuration positionnera la | ||
104 | valeur de ╚═PermitRootLogin═╩ Ю ╚═yes═╩ (ce qui signifie que quiconque | ||
105 | connaissant le mot de passe du super-utilisateur peut se connecter | ||
106 | en tant que tel sur la machine). Le responsable du paquet | ||
107 | pense que c'est lЮ un comportement par dИfaut normal (lisez | ||
108 | README.Debian pour plus d'informations), mais vous pouvez toujours | ||
109 | Иditer le fichier sshd_config et changer cela. | ||
110 | . | ||
111 | Il est fortement recommandИ que vous me laissiez gИnИrer le nouveau | ||
112 | fichier de configuration. | ||
113 | |||
114 | Template: ssh/protocol2_only | ||
115 | Type: boolean | ||
116 | Default: true | ||
117 | Description: Allow SSH protocol 2 only | ||
118 | This version of OpenSSH supports version 2 of the ssh protocol, which | ||
119 | is much more secure. Disabling ssh 1 is encouraged, however this | ||
120 | will slow things down on low end machines and might prevent older | ||
121 | clients from connecting (the ssh client shipped with "potato" is affected). | ||
122 | . | ||
123 | Also please note that keys used for protocol 1 are different so you will | ||
124 | not be able to use them if you only allow protocol 2 connections. | ||
125 | . | ||
126 | If you later change your mind about this setting, README.Debian has | ||
127 | instructions on what to do to your sshd_config file. | ||
128 | Description-fr: Permettre seulement la version 2 du protocole SSH | ||
129 | Cette version d'OpenSSH connaНt la version 2 du protocole ssh, qui est | ||
130 | bien plus sШre. DИsactiver ssh 1 est une bonne chose, cependant cela | ||
131 | peut ralentir les machines peu puissantes et pourrait empЙcher ceux qui | ||
132 | utilisent des vieilles versions de la partie cliente de se connecter | ||
133 | (le client ssh de la distribution Debian ╚═Potato═╩ en fait partie). | ||
134 | . | ||
135 | De plus, les clИs utilisИes par la version 1 du protocole sont | ||
136 | diffИrentes et vous ne pourrez pas les utiliser si vous | ||
137 | n'autorisez que les connexions utilisant la version 2 du protocole. | ||
138 | . | ||
139 | Si vous changez d'avis ultИrieurement et dИcidez de modifier ce | ||
140 | rИglage, les instructions fournies dans le fichier README.Debian vous | ||
141 | indiquent comment modifier le fichier sshd_config. | ||
142 | |||
143 | Template: ssh/ssh2_keys_merged | ||
144 | Type: note | ||
145 | Description: ssh2 keys merged in configuration files | ||
146 | As of version 3 OpenSSH no longer uses separate files for ssh1 and | ||
147 | ssh2 keys. This means the authorized_keys2 and known_hosts2 files | ||
148 | are no longer needed. They will still be read in order to maintain | ||
149 | backwards compatibility | ||
150 | Description-fr: ClИs pour ssh2 fusionnИes dans les fichiers de configuration | ||
151 | OpenSSH, depuis sa version 3, n'utilise plus de fichiers distincts pour | ||
152 | les clИs ssh1 et ssh2. Cela signifie que les fichiers authorized_keys2 | ||
153 | et known_hosts2 ne sont plus utiles. Ils seront nИanmoins lus afin de | ||
154 | prИserver la compatibilitИ descendante. | ||
155 | |||
156 | Template: ssh/use_old_init_script | ||
157 | Type: boolean | ||
158 | Default: false | ||
159 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
160 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
161 | all running sshd instances. If you are doing this upgrade via an ssh | ||
162 | session, that would be a Bad Thing(tm). | ||
163 | . | ||
164 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
165 | start-stop-daemon line in the stop section of the file. | ||
166 | Description-fr: Voulez-vous continuer (et risquer de rompre les sessions ssh actives)═? | ||
167 | Il est probable que la version de /etc/init.d/ssh installИe en ce moment | ||
168 | tue toutes les instances de sshd en cours. En cas de mise Ю jour par ssh, | ||
169 | Гa serait une mauvaise idИe. | ||
170 | . | ||
171 | Vous pouvez corriger cela en ajoutant dans /etc/init.d/ssh ╚═--pidfile | ||
172 | /var/run/sshd.pid═╩ Ю la ligne ╚═start-stop-daemon═╩ dans la section | ||
173 | ╚═stop═╩ du fichier. | ||
174 | |||
175 | Template: ssh/forward_warning | ||
176 | Type: note | ||
177 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
178 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
179 | ForwardAgent set to ``off'' by default. | ||
180 | . | ||
181 | You can enable it for servers you trust, either | ||
182 | in one of the configuration files, or with the -X command line option. | ||
183 | . | ||
184 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
185 | Description-fr: NOTE═: suivi de session X11 et d'agent d'autorisation dИsactivИs par dИfaut. | ||
186 | Pour des raisons de sИcuritИ, la version Debian de ssh positionne les | ||
187 | options ForwardX11 et ForwardAgent Ю ╚═Off═╩ par dИfaut. | ||
188 | . | ||
189 | Vous pouvez activer ces options pour les serveurs en qui vous avez | ||
190 | confiance, soit dans un des fichiers de configuration, soit avec l'option | ||
191 | -X de la ligne de commande. | ||
192 | . | ||
193 | Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian. | ||
194 | |||
195 | Template: ssh/insecure_rshd | ||
196 | Type: note | ||
197 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
198 | having rsh-server installed undermines the security that you were probably | ||
199 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
200 | Description-fr: Attention═: rsh-server est installИ -- ce n'est probablement pas une bonne idИe | ||
201 | Avoir un serveur rsh installИ affaiblit la sИcuritИ que vous vouliez | ||
202 | probablement obtenir en installant ssh. Je vous conseille de | ||
203 | supprimer ce paquet. | ||
204 | |||
205 | Template: ssh/insecure_telnetd | ||
206 | Type: note | ||
207 | Description: Warning: telnetd is installed --- probably not a good idea | ||
208 | I'd advise you to either remove the telnetd package (if you don't actually | ||
209 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
210 | least some chance that telnet sessions will not be sending unencrypted | ||
211 | login/password and session information over the network. | ||
212 | Description-fr: Attention═: telnetd est installИ -- ce n'est probablement pas une bonne idИe | ||
213 | Je vous conseille soit d'enlever le paquet telnetd (si ce service | ||
214 | n'est pas nИcessaire), soit de le remplacer par le paquet telnetd-ssl pour | ||
215 | qu'il y ait au moins une chance que les sessions telnet soient chiffrИes | ||
216 | et que les mots de passe et noms d'utilisateurs ne passent pas en clair | ||
217 | sur le rИseau. | ||
218 | |||
219 | Template: ssh/encrypted_host_key_but_no_keygen | ||
220 | Type: note | ||
221 | Description: Warning: you must create a new host key | ||
222 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
223 | OpenSSH can not handle this host key file, and I can't find the | ||
224 | ssh-keygen utility from the old (non-free) SSH installation. | ||
225 | . | ||
226 | You will need to generate a new host key. | ||
227 | Description-fr: Attention═: vous devez crИer une nouvelle clИ d'hТte | ||
228 | Il existe un vieux /etc/ssh/ssh_host_key qui est chiffrИ avec IDEA. | ||
229 | OpenSSH ne peut utiliser ce fichier de clИ, et je ne peux trouver | ||
230 | l'utilitaire ssh-keygen de l'installation prИcИdente (non libre) de SSH. | ||
231 | . | ||
232 | Vous aurez besoin de gИnИrer une nouvelle clИ d'hТte. | ||
233 | |||
234 | Template: ssh/SUID_client | ||
235 | Type: boolean | ||
236 | Default: true | ||
237 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
238 | You have the option of installing the ssh-keysign helper with the SUID | ||
239 | bit set. | ||
240 | . | ||
241 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
242 | host-based authentication. | ||
243 | . | ||
244 | If in doubt, I suggest you install it with SUID. If it causes | ||
245 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
246 | Description-fr: Voulez-vous que /usr/lib/ssh-keysign soit installИ avec le bit SETUID activИ═? | ||
247 | Vous avez la possibilitИ d'installer ssh-keysign avec le bit SETUID | ||
248 | activИ. | ||
249 | . | ||
250 | Si vous mettez ssh-keysign avec le bit SETUID, vous permettrez | ||
251 | l'authentification basИe sur les hТtes, disponible dans la version 2 du | ||
252 | protocole SSH. | ||
253 | . | ||
254 | Dans le doute, je vous suggХre de l'installer avec le bit SETUID | ||
255 | activИ. Si cela vous cause des problХmes, vous pourrez revenir sur | ||
256 | votre dИcision avec ╚═dpkg-reconfigure ssh═╩. | ||
257 | |||
258 | Template: ssh/run_sshd | ||
259 | Type: boolean | ||
260 | Default: true | ||
261 | Description: Do you want to run the sshd server ? | ||
262 | This package contains both the ssh client, and the sshd server. | ||
263 | . | ||
264 | Normally the sshd Secure Shell Server will be run to allow remote | ||
265 | logins via ssh. | ||
266 | . | ||
267 | If you are only interested in using the ssh client for outbound | ||
268 | connections on this machine, and don't want to log into it at all | ||
269 | using ssh, then you can disable sshd here. | ||
270 | Description-fr: Voulez-vous utiliser le serveur sshd═? | ||
271 | Ce paquet contient Ю la fois le client ssh et le serveur sshd. | ||
272 | . | ||
273 | Normalement le serveur sshd est lancИ pour permettre les connexions | ||
274 | distantes via ssh. | ||
275 | . | ||
276 | Si vous dИsirez seulement utiliser le client ssh pour des connexions vers | ||
277 | l'extИrieur, ou si vous ne voulez pas vous connecter sur cette machine | ||
278 | via ssh, vous pouvez dИsactiver sshd maintenant. | ||
diff --git a/debian/templates.ja b/debian/templates.ja new file mode 100644 index 000000000..cdcc829cc --- /dev/null +++ b/debian/templates.ja | |||
@@ -0,0 +1,205 @@ | |||
1 | Template: ssh/new_config | ||
2 | Type: boolean | ||
3 | Default: true | ||
4 | Description: Generate new configuration file | ||
5 | This version of OpenSSH has a considerably changed configuration file from | ||
6 | the version shipped in Debian 'Potato', which you appear to be upgrading from. | ||
7 | I can now generate you a new configuration file (/etc/ssh/sshd.config), which | ||
8 | will work with the new server version, but will not contain any customisations | ||
9 | you made with the old version. | ||
10 | . | ||
11 | Please note that this new configuration file will set the value of | ||
12 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password can | ||
13 | ssh directly in as root). It is the opinion of the maintainer that this is | ||
14 | the correct default (see README.Debian for more details), but you can always | ||
15 | edit sshd_config and set it to no if you wish. | ||
16 | . | ||
17 | It is strongly recommended that you let me generate a new configuration file | ||
18 | for you | ||
19 | Description-ja: ©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓Р╨Н╓Й╓ч╓╧ | ||
20 | OpenSSH ╓н╓Ё╓н╔п║╪╔╦╔Г╔С╓о║╒Debian 'Potato' ╓к╢ч╓ч╓Л╓ф╓╓╓К╔п║╪╔╦╔Г╔С | ||
21 | (╓╓╓ч║╒╓╫╓н╔п║╪╔╦╔Г╔С╓╚╓И╓н╔п║╪╔╦╔Г╔С╔╒╔ц╔в╓Р╩Н╓ъ╓ф╓╓╓К╓х╓Ё╓М) ╓╚╓И║╒ | ||
22 | юъдЙ╔у╔║╔╓╔К╓╛бГиЩ╓кйя╡╫╓╥╓ф╓╓╓ч╓╧║ё╓╓╓ч║╒©╥╓╥╓╓╔п║╪╔╦╔Г╔С╓н╔╣║╪╔п╓г | ||
23 | ╩х╓╕╓Ё╓х╓╛╓г╓╜╓К©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К (/etc/ssh/sshd/config) ╓Р╪╚ф╟ю╦ю╝ | ||
24 | ╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒╓╫╓н╔у╔║╔╓╔К╓о║╒╦е╓╓╔п║╪╔╦╔Г╔С╓нюъдЙ╔у╔║╔╓╔К╓к | ||
25 | ╢ч╓ч╓Л╓К╓╒╓й╓©╓нюъдЙ╓╛а╢╓╞╢ч╓ч╓Л╓ч╓╩╓С║ё | ||
26 | . | ||
27 | ╓Ё╓н©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓о║╒║жPermitRootLogin║в╓Р║жyes║в╓кюъдЙ╓╥╓ч╓╧║ё | ||
28 | (╓д╓ч╓Й║╒root ╓н╔я╔╧╔О║╪╔и╓Рцн╓ц╓ф╓╓╓К©м╓й╓Иц╞╓г╓Бд╬юэ╔М╔╟╔╓╔С╓г╓╜╓ч | ||
29 | ╓╧)║ё╓Ё╓Л╓г╓Х╓╓║╒╓х╓╓╓╕╓н╓╛╓Ё╓н╔я╔ц╔╠║╪╔╦╓н╔А╔С╔ф╔й╓н╟у╦╚╓г╓╧╓╛ (╬э╓╥ | ||
30 | ╓╞╓о README.Debian ╓Рфи╓С╓г╡╪╓╣╓╓)║╒sshd_config ╓Рйт╫╦╓╥╓ф║жno║в╓кюъ | ||
31 | дЙ╓╧╓К╓Ё╓х╓Б╓г╓╜╓ч╓╧║ё | ||
32 | . | ||
33 | ©╥╓╥╓╓юъдЙ╔у╔║╔╓╔К╓Р╪╚ф╟ю╦ю╝╓╧╓К╓Ё╓х╓Р╤╞╓╞╓╙╢╚╓А╓╥╓ч╓╧║ё | ||
34 | |||
35 | Template: ssh/protocol2_only | ||
36 | Type: boolean | ||
37 | Default: true | ||
38 | Description: Allow SSH protocol 2 only | ||
39 | This version of OpenSSH supports version 2 of the ssh protocol, which | ||
40 | is much more secure. Disabling ssh 1 is encouraged, however this | ||
41 | will slow things down on low end machines and might prevent older | ||
42 | clients from connecting (the ssh client shipped with "potato" is affected). | ||
43 | . | ||
44 | Also please note that keys used for protocol 1 are different so you will | ||
45 | not be able to use them if you only allow protocol 2 connections. | ||
46 | . | ||
47 | If you later change your mind about this setting, README.Debian has | ||
48 | instructions on what to do to your sshd_config file. | ||
49 | Description-ja: SSH ╔в╔М╔х╔Ё╔К 2 ╓н╓ъ╓Р╣Ж╡д╓╥╓ч╓╧ | ||
50 | OpenSSH ╓н╓Ё╓н╔п║╪╔╦╔Г╔С╓о║╒╓╨╓ц╓х╟ба╢╓й║╒ssh ╔в╔М╔х╔Ё╔К╓н╔п║╪╔╦╔Г╔С | ||
51 | 2 ╓Р╔╣╔щ║╪╔х╓╥╓ф╓╓╓ч╓╧║ёssh 1 ╓Р╤ь╩ъ╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧╓╛║╒цы╓╓╔ч | ||
52 | ╔╥╔С╓г╓оф╟╨Н╓╛цы╓╞╓й╓ц╓©╓Й║╒╦е╓╓╔╞╔И╔╓╔╒╔С╔х╓╚╓ИюэбЁ╓г╓╜╓й╓╞╓й╓ц╓©╓Й | ||
53 | ╓╥╓ч╓╧ ("potato" ╓н ssh ╔╞╔И╔╓╔╒╔С╔х╓БюэбЁ╓г╓╜╓й╓╞╓й╓Й╓ч╓╧)║ё | ||
54 | . | ||
55 | ╓ч╓©║╒╔в╔М╔х╔Ё╔К 1 ╓г╩х╓╕╔╜║╪╓о╟ш╓й╓К╓©╓А║╒╔в╔М╔х╔Ё╔К 2 ╓Рм╜╦З╓к╓╥╓© | ||
56 | ╓ю╓╠╓г╓о╓╫╓н╔╜║╪╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╩╓С║ё | ||
57 | . | ||
58 | ╓Б╓╥╨ё╦Е╓╒╓й╓©╓╛╧м╓╗╓Рйя╓╗╓©╓И║╒README.Debian ╓Рфи╓Ю╓х sshd_config ╓Р | ||
59 | ╓и╓н╓Х╓╕╓кйя╧╧╓╥╓©╓И╓Х╓╓╓╚╓╛й╛╓╚╓Й╓ч╓╧║ё | ||
60 | |||
61 | Template: ssh/ssh2_keys_merged | ||
62 | Type: note | ||
63 | Description: ssh2 keys merged in configuration files | ||
64 | As of version 3 OpenSSH no longer uses separate files for ssh1 and | ||
65 | ssh2 keys. This means the authorized_keys2 and known_hosts2 files | ||
66 | are no longer needed. They will still be read in order to maintain | ||
67 | backwards compatibility | ||
68 | Description-ja: ssh2 ╔╜║╪╓оюъдЙ╔у╔║╔╓╔К╓кеЩ╧Г╓╣╓Л╓ч╓╧ | ||
69 | OpenSSH ╓н╔п║╪╔╦╔Г╔С 3 ╓о║╒ssh1 ╓х ssh2 ╓н╔╜║╪╓к╦дйл╓н╔у╔║╔╓╔К╓Р╩х╓╓ | ||
70 | ╓ч╓╩╓С║ё╓д╓ч╓Й║╒authorized_keys2 ╔у╔║╔╓╔К╓х known_hosts2 ╔у╔║╔╓╔К╓о╓Б | ||
71 | ╓о╓Дитмв╓х╓й╓Й╓ч╓╥╓©║ё╦ЕйЩ╦ъ╢╧ю╜╓Рйщ╓д╓©╓А╓к╓о╓Ё╓Л╓И╓н╔у╔║╔╓╔К╓╛и╛мв | ||
72 | ╓г╓╧║ё | ||
73 | |||
74 | Template: ssh/use_old_init_script | ||
75 | Type: boolean | ||
76 | Default: false | ||
77 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
78 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
79 | all running sshd instances. If you are doing this upgrade via an ssh | ||
80 | session, that would be a Bad Thing(tm). | ||
81 | . | ||
82 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
83 | start-stop-daemon line in the stop section of the file. | ||
84 | Description-ja: бЁ╓╠╓ф╓╓╓╓╓г╓╧╓╚ (юэбЁцФ╓н ssh ╔╩╔ц╔╥╔Г╔С╓╛юз╓Л╓К╓╚╓Б╓╥╓Л╓ч╓╩╓С) | ||
85 | ╓╓╓ч╔╓╔С╔╧╔х║╪╔К╓╥╓© /etc/init.d/ssh ╓о║╒╓╙╓╫╓И╓╞╪б╧тцФ╓н sshd ╓Ра╢╓ф | ||
86 | дД╩ъ╓╣╓╩╓ч╓╧║ё╓Ё╓н╔п║╪╔╦╔Г╔С╔╒╔ц╔в╓Р ssh ╔╩╔ц╔╥╔Г╔С╓Рмя╓╓╓ф╧т╓╕╓н╓о╢ж | ||
87 | ╟Ц╓ц╓©╓Д╓Й╓╚╓©╓г╓╧║ё | ||
88 | . | ||
89 | ╓Ё╓н╬У╤╥╓Р╫╓ю╣╓╧╓К╓к╓о║╒/etc/init.d/ssh ╓н stop ╔╩╔╞╔╥╔Г╔С╓н | ||
90 | start-stop-daemon ╓н╧т╓к║ж--pidfile /var/run/sshd.pid║в╓хди╡ц╓╥╓ч╓╧║ё | ||
91 | |||
92 | Template: ssh/forward_warning | ||
93 | Type: note | ||
94 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
95 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
96 | ForwardAgent set to ``off'' by default. | ||
97 | . | ||
98 | You can enable it for servers you trust, either | ||
99 | in one of the configuration files, or with the -X command line option. | ||
100 | . | ||
101 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
102 | Description-ja: цМ╟у: X11 ╓хг╖╬з╓н╔у╔╘╔О║╪╔г╔ё╔С╔╟╓о╔г╔у╔╘╔К╔х╓г╓о╤ь╩ъ╓╣╓Л╓ч╓╧ | ||
103 | ╔╩╔╜╔Е╔Й╔ф╔ё╬Е╓нмЩмЁ╓╚╓И║╒Debian ╓н ssh ╓г╓о ForwardX11 ╓х | ||
104 | ForwardAgent ╓о╔г╔у╔╘╔К╔х╓г╓о║жoff║в╓кюъдЙ╓╣╓Л╓ч╓╧║ё | ||
105 | . | ||
106 | юъдЙ╔у╔║╔╓╔К╓Р╩х╓ц╓©╓Й║╒-X ╔Ё╔ч╔С╔и╔И╔╓╔С╔╙╔в╔╥╔Г╔С╓Р╩х╓ц╓©╓Й╓╧╓К | ||
107 | ╓Ё╓х╓г║╒©╝мя╓г╓╜╓К╔╣║╪╔п╓кбп╓╥╓ф╣Ж╡д╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё | ||
108 | . | ||
109 | ╬э╨ы╓о /usr/share/doc/ssh/README.Debian ╓Рфи╓С╓г╡╪╓╣╓╓║ё | ||
110 | |||
111 | Template: ssh/insecure_rshd | ||
112 | Type: note | ||
113 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
114 | having rsh-server installed undermines the security that you were probably | ||
115 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
116 | Description-ja: ╥ы╧П: rsh-server ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓ч╓╧║ё╓©╓ж╓Сни╓╓╧м╓╗╓г╓о╓╒╓Й╓ч╓╩╓С | ||
117 | rsh-server ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓К╓х║╒╓╒╓й╓©╓╛ ssh ╓к╓Х╓ц╓ффю╓©╓╓╓х | ||
118 | ╩в╓ц╓ф╓╓╓К╓г╓╒╓М╓╕╔╩╔╜╔Е╔Й╔ф╔ё╓╛б╩╓й╓О╓Л╓ч╓╧║ё╓╫╓н╔я╔ц╔╠║╪╔╦╓Р╔╒╔С╔╓ | ||
119 | ╔С╔╧╔х║╪╔К╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧║ё | ||
120 | |||
121 | Template: ssh/insecure_telnetd | ||
122 | Type: note | ||
123 | Description: Warning: telnetd is installed --- probably not a good idea | ||
124 | I'd advise you to either remove the telnetd package (if you don't actually | ||
125 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
126 | least some chance that telnet sessions will not be sending unencrypted | ||
127 | login/password and session information over the network. | ||
128 | Description-ja: ╥ы╧П: telnetd ╓╛╔╓╔С╔╧╔х║╪╔К╓╣╓Л╓ф╓╓╓ч╓╧║ё╓©╓ж╓Сни╓╓╧м╓╗╓г╓о╓╒╓Й╓ч╓╩╓С | ||
129 | (╓Б╓╥ telnet ╔╒╔╞╔╩╔╧╓РдС╤║╓╥╓©╓╓╓х╩в╓ц╓ф╓╓╓й╓╓╓н╓г╓╥╓©╓И) telnetd | ||
130 | ╔я╔ц╔╠║╪╔╦╓Р╔╒╔С╔╓╔С╔╧╔х║╪╔К╓╧╓К╓╚║╒╓ч╓©╓о║╒telnetd-ssh ╔я╔ц╔╠║╪╔╦╓Р | ||
131 | ╔╓╔С╔╧╔х║╪╔К╓╥╓ф╬╞╓й╓╞╓х╓Б╔м╔ц╔х╔О║╪╔╞╬Е╓Р╟е╧Ф╡╫╓╣╓Л╓ф╓╓╓й╓╓╔Ф║╪╔╤л╬ | ||
132 | ╓Д╔я╔╧╔О║╪╔и╓Д╔╩╔ц╔╥╔Г╔С╬ПйС╓╛н╝╓Л╓й╓╓╓Х╓╕╓к╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А╓╥╓ч╓╧║ё | ||
133 | |||
134 | Template: ssh/encrypted_host_key_but_no_keygen | ||
135 | Type: note | ||
136 | Description: Warning: you must create a new host key | ||
137 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
138 | OpenSSH can not handle this host key file, and I can't find the | ||
139 | ssh-keygen utility from the old (non-free) SSH installation. | ||
140 | . | ||
141 | You will need to generate a new host key. | ||
142 | Description-ja: ╥ы╧П: ©╥╓╥╓╓╔ш╔╧╔х╔╜║╪╓Р╨Н╓И╓й╓╓╓х╓╓╓╠╓ч╓╩╓С | ||
143 | IDEA ╓г╟е╧Ф╡╫╓╣╓Л╓©╦е╓╓╔╜║╪╓╛ /etc/ssh/ssh_host_key ╓к╓╒╓Й╓ч╓╧║ё | ||
144 | OpenSSH ╓о╓Ё╓н╔ш╔╧╔х╔╜║╪╔у╔║╔╓╔К╓Р╟╥╓╗╓ч╓╩╓С║ё╓ч╓©║╒╨ё╔╓╔С╔╧╔х║╪╔К | ||
145 | ╓╣╓Л╓ф╓╓╓К╦е╓╓ (╔у╔Й║╪╓г╓о╓й╓╓) SSH ╓к╓о ssh-keygen ╔Ф║╪╔ф╔ё╔Й╔ф╔ё | ||
146 | ╓╛╢ч╓ч╓Л╓ф╓╓╓ч╓╩╓С║ё | ||
147 | . | ||
148 | ©╥╓╥╓╓╔ш╔╧╔х╔╜║╪╓Р╨Н╓Ки╛мв╓╛╓╒╓Й╓ч╓╧║ё | ||
149 | |||
150 | Template: ssh/SUID_client | ||
151 | Type: boolean | ||
152 | Default: true | ||
153 | Description: Do you want /usr/bin/ssh to be installed SUID root? | ||
154 | You have the option of installing the ssh client with the SUID bit set. | ||
155 | . | ||
156 | If you make ssh SUID, you will be able to use Rhosts/RhostsRSA | ||
157 | authentication, but will not be able to use socks via the LD_PRELOAD | ||
158 | trick. This is the traditional approach. | ||
159 | . | ||
160 | If you do not make ssh SUID, you will be able to use socks, but | ||
161 | Rhosts/RhostsRSA authentication will stop working, which may stop you | ||
162 | logging in to remote systems. It will also mean that the source | ||
163 | port will be above 1024, which may confound firewall rules you've set up. | ||
164 | . | ||
165 | If in doubt, I suggest you install it with SUID. If it causes | ||
166 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
167 | Description-ja: /usr/bin/ssh ╓Р SUID root ╓г╔╓╔С╔╧╔х║╪╔К╓╥╓ч╓╧╓╚? | ||
168 | ssh ╔╞╔И╔╓╔╒╔С╔х╓Р╔╓╔С╔╧╔х║╪╔К╓╧╓К╨щ║╒SUID ╔с╔ц╔х╓РюъдЙ╓╧╓К╓╚╓╥╓й╓╓╓╚ | ||
169 | ╓Ра╙╓ж╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё | ||
170 | . | ||
171 | SUID ╓РюъдЙ╓╧╓Л╓п║╒Rhosts/RhostsRSA г╖╬з╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒ | ||
172 | LD_PRELOAD ╔х╔Й╔ц╔╞╓Рмя╓╓╓ф socks ╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓й╓╞╓й╓Й╓ч╓╧║ё╓Ё╓Л | ||
173 | ╓оеаеЩе╙╓й╓Д╓Й╓╚╓©╓г╓╧║ё | ||
174 | . | ||
175 | SUID ╓РюъдЙ╓╥╓й╓╠╓Л╓п║╒socks ╓Р╩х╓╕╓Ё╓х╓╛╓г╓╜╓ч╓╧╓╛║╒Rhosts/RhostRSA | ||
176 | г╖╬з╓╛ф╞╓╚╓й╓╞╓й╓Й║╒╔Й╔Б║╪╔х╔╥╔╧╔ф╔Ю╓ь╓н╔М╔╟╔╓╔С╓╛╓г╓╜╓й╓╞╓й╓К╓╚╓Б╓╥ | ||
177 | ╓Л╓ч╓╩╓С║ё╓ч╓©║╒╔╫║╪╔╧╔щ║╪╔х╓╛ 1024 ╟й╬Е╓х╓й╓Й║╒╓╒╓й╓©╓╛юъдЙ╓╥╓©╔у╔║ | ||
178 | ╔╓╔╒╔╕╔╘║╪╔К╓н╔К║╪╔К╓Р╨╝мП╓╣╓╩╓К╓╚╓Б╓╥╓Л╓ч╓╩╓С║ё | ||
179 | . | ||
180 | ╓Б╓╥й╛╓╚╓И╓й╓╠╓Л╓п║╒SUID ╓РюъдЙ╓╥╓©╬Убж╓г╔╓╔С╔╧╔х║╪╔К╓╧╓К╓Ё╓х╓Р╓╙╢╚╓А | ||
181 | ╓╥╓ч╓╧║ё╓╫╓Л╓г╓Б╓╥╡©╓╚лДбЙ╓╛╓╒╓Л╓п║╒dpkg-reconfigure ssh ╓Р╪б╧т╓╧╓К╓Ё | ||
182 | ╓х╓гюъдЙ╓Рйя╧╧╓╧╓К╓Ё╓х╓╛╓г╓╜╓ч╓╧║ё | ||
183 | |||
184 | Template: ssh/run_sshd | ||
185 | Type: boolean | ||
186 | Default: true | ||
187 | Description: Do you want to run the sshd server ? | ||
188 | This package contains both the ssh client, and the sshd server. | ||
189 | . | ||
190 | Normally the sshd Secure Shell Server will be run to allow remote | ||
191 | logins via ssh. | ||
192 | . | ||
193 | If you are only interested in using the ssh client for outbound | ||
194 | connections on this machine, and don't want to log into it at all | ||
195 | using ssh, then you can disable sshd here. | ||
196 | Description-ja: sshd ╔╣║╪╔п╓Р╪б╧т╓╥╓ч╓╧╓╚? | ||
197 | ╓Ё╓н╔я╔ц╔╠║╪╔╦╓о║╒ssh ╔╞╔И╔╓╔╒╔С╔х╓х sshd ╔╣║╪╔п╓нн╬йЩ╓Р╢ч╓С╓г╓╓╓ч╓╧║ё | ||
198 | . | ||
199 | дл╬О║╒sshd ╔╩╔╜╔Е╔╒╔╥╔╖╔К╔╣║╪╔п╓о║╒ssh ╓Рмя╓╓╓©╔Й╔Б║╪╔х╓╚╓И╓н╔М╔╟╔╓╔С | ||
200 | ╓Р╡дг╫╓к╓╧╓К╓©╓А╓к╪б╧т╓╥╓ч╓╧║ё | ||
201 | . | ||
202 | ╓Б╓╥ ssh ╔╞╔И╔╓╔╒╔С╔х╓Р╩х╓ц╓ф╓Ё╓н╔ч╔╥╔С╓╚╓Иб╬╔ч╔╥╔С╓ь╓хюэбЁ╓╧╓К╓ю╓╠╓г | ||
203 | ╓г║╒╓Ё╓н╔ч╔╥╔С╓ь╓х ssh ╓Р╩х╓ц╓ф╔М╔╟╔╓╔С╓╥╓й╓╓╓н╓г╓╥╓©╓И║╒╓Ё╓Ё╓г sshd | ||
204 | ╓Р╪б╧т╓╥╓й╓╓╓г╓╙╓╜╓ч╓╧║ё | ||
205 | |||
diff --git a/debian/templates.pl b/debian/templates.pl new file mode 100644 index 000000000..d4b8fda6d --- /dev/null +++ b/debian/templates.pl | |||
@@ -0,0 +1,264 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation | ||
5 | option. This significantly reduces the quantity of code that runs as | ||
6 | root, and therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
9 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
10 | example) will fail, and PAM keyboard-interactive authentication | ||
11 | won't work. | ||
12 | . | ||
13 | Privilege separation is turned on by default, so if you decide you | ||
14 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
15 | /etc/ssh/sshd_config. | ||
16 | . | ||
17 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
18 | separation will not work at all, and your sshd will fail to start | ||
19 | unless you explicitly turn privilege separation off. | ||
20 | Description-pl: Separacja uprawnieЯ | ||
21 | Ta wersja OpenSSH zawiera now╠ opcjЙ separacji uprawnieЯ. Znacz╠co | ||
22 | zmniejsza ona ilo╤Ф kodu, ktСry jest uruchamiany jako root i co | ||
23 | za tym idzie redukuje efekty luk bezpieczeЯstwa w sshd. | ||
24 | . | ||
25 | Niestety separacja uprawnieЯ ╪le reaguje z PAMem. Jakikolwiek moduЁ | ||
26 | sesji PAM, ktСry musi byФ uruchamiany jako root (pam_mkhomedir, na | ||
27 | przykЁad) zawiedzie. Nie bЙdzie dziaЁaФ rСwnie© interaktywna | ||
28 | autentykacja z klawiatury (keyboard-interactive authentication). | ||
29 | . | ||
30 | Separacja uprawnieЯ jest domy╤lnie wЁ╠czona, wiЙc je╤li zdecydujesz | ||
31 | siЙ j╠ wyЁ╠czyФ, musisz dodaФ "UsePrivilegeSeparation no" do pliku | ||
32 | /etc/ssh/sshd_config. | ||
33 | . | ||
34 | UWAGA! Je©eli u©ywasz j╠dra Linux'a z serii 2.0, to separacja uprawnieЯ | ||
35 | w ogСle nie bЙdzie dziaЁaФ i sshd nie wystartuje dopСki wЁasnorЙcznie | ||
36 | nie wyЁ╠czysz separacji uprawnieЯ w /etc/ssh/sshd_config. | ||
37 | |||
38 | Template: ssh/privsep_ask | ||
39 | Type: boolean | ||
40 | Default: true | ||
41 | Description: Enable Privilege separation | ||
42 | This version of OpenSSH contains the new privilege separation | ||
43 | option. This significantly reduces the quantity of code that runs as | ||
44 | root, and therefore reduces the impact of security holes in sshd. | ||
45 | . | ||
46 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
47 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
48 | example) will fail, and PAM keyboard-interactive authentication | ||
49 | won't work. | ||
50 | . | ||
51 | Since you've opted to have me generate an sshd_config file for you, | ||
52 | you can choose whether or not to have Privilege Separation turned on | ||
53 | or not. Unless you are running 2.0 (in which case you *must* say no | ||
54 | here or your sshd won't start at all) or know you need to use PAM | ||
55 | features that won't work with this option, you should say yes here. | ||
56 | Description-pl: WЁ╠czenie separacji uprawnieЯ | ||
57 | Ta wersja OpenSSH zawiera now╠ opcjЙ separacji uprawnieЯ. Znacz╠co | ||
58 | zmniejsza ona ilo╤Ф kodu, ktСry jest uruchamiany jako root i co | ||
59 | za tym idzie redukuje efekty luk bezpieczeЯstwa w sshd. | ||
60 | . | ||
61 | Niestety separacja uprawnieЯ ╪le reaguje z PAMem. Jakikolwiek moduЁ | ||
62 | sesji PAM, ktСry musi byФ uruchamiany jako root (pam_mkhomedir, na | ||
63 | przykЁad) zawiedzie. Nie bЙdzie dziaЁaФ rСwnie© interaktywna | ||
64 | autentykacja z klawiatury (keyboard-interactive authentication). | ||
65 | . | ||
66 | ZdecydowaЁe╤ siЙ na to abym wygenerowaЁ dla ciebie plik sshd_config, | ||
67 | i mo©esz wybraФ czy chcesz wЁ╠czyФ SeparacjЙ UprawnieЯ, czy te© nie. | ||
68 | Je╤li nie u©ywasz j╠dra z serii 2.0 (w ktСrym to przypadku *musisz* | ||
69 | odpowiedzieФ tutaj 'nie' albo sshd w ogСle nie ruszy) i je╤li nie | ||
70 | musisz korzystaФ z mo©liwo╤ci PAMa, ktСre nie bЙd╠ dziaЁaЁy z t╠ opcj╠, | ||
71 | powiniene╤ odpowiedzieФ tutaj 'tak'. | ||
72 | |||
73 | Template: ssh/new_config | ||
74 | Type: boolean | ||
75 | Default: true | ||
76 | Description: Generate new configuration file | ||
77 | This version of OpenSSH has a considerably changed configuration file from | ||
78 | the version shipped in Debian 'Potato', which you appear to be upgrading from. | ||
79 | I can now generate you a new configuration file (/etc/ssh/sshd.config), which | ||
80 | will work with the new server version, but will not contain any customisations | ||
81 | you made with the old version. | ||
82 | . | ||
83 | Please note that this new configuration file will set the value of | ||
84 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password can | ||
85 | ssh directly in as root). It is the opinion of the maintainer that this is | ||
86 | the correct default (see README.Debian for more details), but you can always | ||
87 | edit sshd_config and set it to no if you wish. | ||
88 | . | ||
89 | It is strongly recommended that you let me generate a new configuration file | ||
90 | for you. | ||
91 | Description-pl: Wygeneruj nowy plik konfiguracyjny | ||
92 | W tej wersji OpenSSH zmieniЁ siЙ plik konfiguracyjny w stosunku do wersji | ||
93 | dostarczanej z Debianem 'Potato', ktСr╠ zdajesz siЙ aktualizowaФ. MogЙ teraz | ||
94 | wygenerowaФ nowy plik konfiguracyjny (/etc/ssh/sshd.config), ktСry bЙdzie | ||
95 | dziaЁaЁ z now╠ wersj╠ serwera, ale nie bЙdzie zawieraЁ ©adnych dokonanych | ||
96 | przez ciebie w starej wersji zmian. | ||
97 | . | ||
98 | Zauwa© proszЙ, ©e nowy plik konfiguracyjny bЙdzie ustawiaЁ warto╤Ф opcji | ||
99 | 'PermitRootLogin' na 'tak' (co oznacza, ©e ka©dy kto zna hasЁo root'a mo©e | ||
100 | zdalnie zalogowaФ siЙ przez ssh jako root). W opinii opiekuna pakietu to | ||
101 | jest poprawna warto╤Ф domy╤lna (szczegСЁy w README.Debian), ale mo©esz sobie | ||
102 | wyedytowaФ sshd_config i ustawiФ tЙ opcjЙ na 'nie' je╤li siЙ z t╠ opini╠ nie | ||
103 | zgadzasz. | ||
104 | . | ||
105 | Jest bardzo wskazane aby╤ pozwoliЁ mi wygenerowaФ nowy plik konfiguracyjny. | ||
106 | |||
107 | Template: ssh/protocol2_only | ||
108 | Type: boolean | ||
109 | Default: true | ||
110 | Description: Allow SSH protocol 2 only | ||
111 | This version of OpenSSH supports version 2 of the ssh protocol, which | ||
112 | is much more secure. Disabling ssh 1 is encouraged, however this | ||
113 | will slow things down on low end machines and might prevent older | ||
114 | clients from connecting (the ssh client shipped with "potato" is affected). | ||
115 | . | ||
116 | Also please note that keys used for protocol 1 are different so you will | ||
117 | not be able to use them if you only allow protocol 2 connections. | ||
118 | . | ||
119 | If you later change your mind about this setting, README.Debian has | ||
120 | instructions on what to do to your sshd_config file. | ||
121 | Description-pl: Zezwalaj wyЁ╠cznie na wersjЙ 2 protokoЁu SSH | ||
122 | Ta wersja OpenSSH wspiera drug╠ wersjЙ protokoЁu ssh, ktСra jest znacznie | ||
123 | bardziej bezpieczna. WyЁ╠czenie ssh 1 jest zalecane, choФ spowalnia to | ||
124 | dziaЁanie na starych maszynach i mo©e uniemo©liwiФ poЁ╠czenie starszym | ||
125 | wersjom klientСw (dotyczy to np. klienta ssh doЁ╠czanego do "potato"). | ||
126 | . | ||
127 | Ponadto, zauwa© proszЙ, ©e klucze u©ywane przez protokСЁ 1 s╠ inne, wiЙc | ||
128 | nie bЙdziesz mСgЁ ich u©ywaФ je╤li zezwolisz na korzystanie wyЁ╠cznie z | ||
129 | wersji 2 protokoЁu. | ||
130 | . | ||
131 | Je╤li pС╪niej zmienisz zdanie co do tego ustawienia, to instrukcje co | ||
132 | zmieniФ w sshd_config znajduj╠ siЙ w README.Debian. | ||
133 | |||
134 | Template: ssh/ssh2_keys_merged | ||
135 | Type: note | ||
136 | Description: ssh2 keys merged in configuration files | ||
137 | As of version 3 OpenSSH no longer uses separate files for ssh1 and | ||
138 | ssh2 keys. This means the authorized_keys2 and known_hosts2 files | ||
139 | are no longer needed. They will still be read in order to maintain | ||
140 | backwards compatibility | ||
141 | Description-pl: klucze ssh2 wЁ╠czone do plikСw konfiguracyjnych | ||
142 | Pocz╠wszy od wersji 3 OpenSSH nie u©ywa ju© osobnych plikСw dla kluczy | ||
143 | ssh1 i ssh2. Oznacza to, ©e pliki authorized_keys2 i known_hosts2 nie | ||
144 | s╠ ju© potrzebne. BЙd╠ one jednak odczytywane aby zachowaФ wsteczn╠ | ||
145 | kompatybilno╤Ф. | ||
146 | |||
147 | Template: ssh/use_old_init_script | ||
148 | Type: boolean | ||
149 | Default: false | ||
150 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
151 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
152 | all running sshd instances. If you are doing this upgrade via an ssh | ||
153 | session, that would be a Bad Thing(tm). | ||
154 | . | ||
155 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
156 | start-stop-daemon line in the stop section of the file. | ||
157 | Description-pl: Czy chcesz kontynuowaФ (i ryzykowaФ zabicie aktywnych sesji ssh) ? | ||
158 | Zainstalowana wЁa╤nie wersja /etc/init.d/ssh mo©e zabiФ wszystkie dziaЁaj╠ce | ||
159 | obecnie kopie sshd. Je╤li robisz ten upgrade via ssh, to byЁaby ZЁa Rzecz(tm). | ||
160 | . | ||
161 | Mo©esz to naprawiФ dodaj╠c "--pidfile /var/run/sshd.pid" do linijki | ||
162 | start-stop-daemon w sekcji stop tego pliku. | ||
163 | |||
164 | Template: ssh/forward_warning | ||
165 | Type: note | ||
166 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
167 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
168 | ForwardAgent set to ``off'' by default. | ||
169 | . | ||
170 | You can enable it for servers you trust, either | ||
171 | in one of the configuration files, or with the -X command line option. | ||
172 | . | ||
173 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
174 | Description-pl: UWAGA: Przekazywanie (forwarding) X11 i Autoryzacji jest domy╤lnie wyЁ╠czone. | ||
175 | Ze wzglЙdСw bezpieczeЯstwa Debianowa wersja ssh ma ForwardX11 i ForwardAgent | ||
176 | ustawione domy╤lnie na 'off'. | ||
177 | . | ||
178 | Dla zaufanych serwerСw mo©esz wЁ╠czyФ te opcje w pliku konfiguracyjnym lub | ||
179 | przy pomocy opcji -X z linii komend. | ||
180 | . | ||
181 | WiЙcej szczegСЁСw znajdziesz w /usr/share/doc/ssh/README.Debian. | ||
182 | |||
183 | Template: ssh/insecure_rshd | ||
184 | Type: note | ||
185 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
186 | having rsh-server installed undermines the security that you were probably | ||
187 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
188 | Description-pl: Uwaga: serwer rsh jest zainstalowany --- prawdopodobnie nienajlepszy pomysЁ | ||
189 | Posiadanie zainstalowanego serwera rsh podminowuje zabezpieczenia, ktСre | ||
190 | prawdopodobnie starasz siЙ uzyskaФ instaluj╠c ssh. RadziЁbym usun╠Ф ten | ||
191 | pakiet. | ||
192 | |||
193 | Template: ssh/insecure_telnetd | ||
194 | Type: note | ||
195 | Description: Warning: telnetd is installed --- probably not a good idea | ||
196 | I'd advise you to either remove the telnetd package (if you don't actually | ||
197 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
198 | least some chance that telnet sessions will not be sending unencrypted | ||
199 | login/password and session information over the network. | ||
200 | Description-pl: Uwaga: telnetd jest zainstalowany --- prawdopodobnie nienajlepszy pomysЁ | ||
201 | RadziЁbym albo usun╠Ф pakiet telnetd (je╤li nie potrzebujesz koniecznie | ||
202 | udostЙpniaФ telnet'a) albo zainstalowaФ telnetd-ssl aby byЁa choФ szansza, | ||
203 | ©e sesje telnet nie bЙd╠ przesyЁaФ niezaszyfrowanego loginu/hasЁa oraz | ||
204 | danych sesji przez sieФ. | ||
205 | |||
206 | Template: ssh/encrypted_host_key_but_no_keygen | ||
207 | Type: note | ||
208 | Description: Warning: you must create a new host key | ||
209 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
210 | OpenSSH can not handle this host key file, and I can't find the | ||
211 | ssh-keygen utility from the old (non-free) SSH installation. | ||
212 | . | ||
213 | You will need to generate a new host key. | ||
214 | Description-pl: Uwaga: musisz utworzyФ nowy klucz hosta | ||
215 | Istnieje stary /etc/ssh/ssh_host_key, ktСry jest zaszyfrowany przez | ||
216 | IDEA. OpenSSH nie umie korzystaФ z tak zaszyfrowanego klucza, a nie | ||
217 | mo©e znale╪Ф polecenia ssh-keygen ze starego SSH (non-free). | ||
218 | . | ||
219 | BЙdziesz musiaЁ wygenerowaФ nowy klucz hosta. | ||
220 | |||
221 | Template: ssh/SUID_client | ||
222 | Type: boolean | ||
223 | Default: true | ||
224 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
225 | You have the option of installing the ssh-keysign helper with the SUID | ||
226 | bit set. | ||
227 | . | ||
228 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
229 | host-based authentication. | ||
230 | . | ||
231 | If in doubt, I suggest you install it with SUID. If it causes | ||
232 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
233 | Description-pl: Czy chcesz aby /usr/lib/ssh-keysign byЁ zainstalowany jako SUID root? | ||
234 | Masz mo©liwo╤Ф zainstalowania pomocniczego programu ssh-keysign z wЁ╠czonym | ||
235 | bitem SETUID. | ||
236 | . | ||
237 | Je╤li uczynisz ssh-keysign SUIDowym, bЙdziesz mСgЁ u©ywaФ opartej na hostach | ||
238 | autentykacji drugiej wersji protokoЁu SSH. | ||
239 | . | ||
240 | Je╤li masz w╠tpliwo╤ci, radzЙ zainstalowaФ go z SUIDem. Je╤li to sprawia | ||
241 | problemy, mo©esz zmieniФ swoje zdanie uruchamiaj╠c pС╪niej polecenie: | ||
242 | dpkg-reconfigure ssh | ||
243 | |||
244 | Template: ssh/run_sshd | ||
245 | Type: boolean | ||
246 | Default: true | ||
247 | Description: Do you want to run the sshd server ? | ||
248 | This package contains both the ssh client, and the sshd server. | ||
249 | . | ||
250 | Normally the sshd Secure Shell Server will be run to allow remote | ||
251 | logins via ssh. | ||
252 | . | ||
253 | If you are only interested in using the ssh client for outbound | ||
254 | connections on this machine, and don't want to log into it at all | ||
255 | using ssh, then you can disable sshd here. | ||
256 | Description-pl: Czy chcesz uruchamiaФ serwer sshd ? | ||
257 | Ten pakiet zawiera zarСwno klienta ssh, jak i serwer sshd. | ||
258 | . | ||
259 | Normalnie serwer sshd (Secure Shell Server) bЙdzie uruchomiony aby | ||
260 | umo©liwiФ zdalny dostЙp przez ssh. | ||
261 | . | ||
262 | Je╤li jeste╤ zainteresowny u©ywaniem wyЁ╠cznie klienta ssh dla poЁ╠czeЯ | ||
263 | wychodz╠cych z tej maszyny, i nie chcesz siЙ na ni╠ logowaФ przy pomocy | ||
264 | ssh, to mo©esz teraz wyЁ╠czyФ serwer sshd. | ||
diff --git a/debian/templates.pt_BR b/debian/templates.pt_BR new file mode 100644 index 000000000..2d0b3e1e7 --- /dev/null +++ b/debian/templates.pt_BR | |||
@@ -0,0 +1,181 @@ | |||
1 | Template: ssh/upgrade_to_openssh | ||
2 | Type: boolean | ||
3 | Description: Are you sure you want to upgrade to OpenSSH? | ||
4 | This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible | ||
5 | drop in replacement for the original (non-free) implemetation. | ||
6 | . | ||
7 | If you find that it is not, please report the problem as a bug. | ||
8 | . | ||
9 | You can still find the old version of ssh in the ssh-nonfree package | ||
10 | (although the only reason you are likely to want that is if you also | ||
11 | want to install the ssh2 package). | ||
12 | . | ||
13 | NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at | ||
14 | least one other ssh session running as root, and once this is installed, | ||
15 | check that you can still log in (with a third session), before logging out. | ||
16 | Description-pt_BR: VocЙ tem certeza que quer atualizar para o OpenSSH ? | ||
17 | Esta versЦo do ssh (tambИm conhecida como OpenSSH) И supostamente um | ||
18 | substituto 100% compatМvel para a implementaГЦo original (non-free). | ||
19 | . | ||
20 | Caso vocЙ ache que nЦo И, por favor reporte o problema como um bug. | ||
21 | . | ||
22 | VocЙ continuarА a encontrar a versЦo antiga do ssh no pacote ssh-nonfree | ||
23 | (embora a Зnica razЦo pela qual vocЙ queira isso И se vocЙ tambИm quer | ||
24 | instalar o pacote ssh2). | ||
25 | . | ||
26 | NOTA: Se vocЙ estА atualizando uma mАquina remotamente, via ssh, | ||
27 | certifique-se que vocЙ possui pelo menos outra sessЦo ssh executando como | ||
28 | root e, uma vez que o pacote esteja instalado, verifique se vocЙ continua | ||
29 | podendo se logar (com uma terceira sessЦo) antes de se desconectar | ||
30 | (logging out). | ||
31 | |||
32 | Template: ssh/ancient_version | ||
33 | Type: note | ||
34 | Description: You are trying to upgrade from an ancient version of non-free ssh | ||
35 | This is bound to be using IDEA encryption for your identity files. | ||
36 | You should upgrade to a vaguely contemporary (1.2.15 or later) version of | ||
37 | non-free ssh, and then upgrade all your key files using ssh-keygen -u | ||
38 | before attempting to migrate to OpenSSH. | ||
39 | . | ||
40 | Alternatively, you could just forget about that, and generate new keys. | ||
41 | Description-pt_BR: VocЙ estА tentando atualizar a partir de uma versЦo antiga do ssh non-free | ||
42 | Isto estА ligado a estar usando encriptaГЦo IDEA para seus arquivos de | ||
43 | identidade. VocЙ deverА atualizar para uma versЦo vagamente contemporБnea | ||
44 | (1.2.15 ou superior) do ssh non-free, e entЦo atualizar todos seus | ||
45 | arquivos de chaves usando ssh-keygen -u antes de tentar migrar para | ||
46 | OpenSSH. | ||
47 | . | ||
48 | Alternativamente, vocЙ poderia somente esquecer tudo isso e gerar | ||
49 | novas chaves. | ||
50 | |||
51 | Template: ssh/use_old_init_script | ||
52 | Type: boolean | ||
53 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
54 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
55 | all running sshd instances. If you are doing this upgrade via an ssh | ||
56 | session, that would be a Bad Thing(tm). | ||
57 | . | ||
58 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
59 | start-stop-daemon line in the stop section of the file. | ||
60 | Description-pt_BR: VocЙ quer continuar (e arriscar matar sessУes ssh ativas) ? | ||
61 | A versЦo de /etc/init.d/ssh que vocЙ possui instalada estА prestes a | ||
62 | matar todas as instБncias sshd sendo executadas. Se vocЙ estА fazendo | ||
63 | esta atualizaГЦo atravИs de uma sessЦo ssh, isto seria uma Coisa | ||
64 | Ruim(tm). | ||
65 | . | ||
66 | VocЙ pode corrigir isto adicionando "--pidfile /var/run/sshd.pid" na | ||
67 | linha start-stop-daemon na seГЦo stop deste arquivo. | ||
68 | |||
69 | Template: ssh/forward_warning | ||
70 | Type: note | ||
71 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
72 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
73 | ForwardAgent set to ``off'' by default. | ||
74 | . | ||
75 | You can enable it for servers you trust, either | ||
76 | in one of the configuration files, or with the -X command line option. | ||
77 | . | ||
78 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
79 | Description-pt_BR: NOTA: Forwarding de X11 e Authorization desabilitados por padrЦo. | ||
80 | Por razТes de seguranГa, a versЦo Debian do ssh tem as opГУes ForwardX11 | ||
81 | e ForwardAgent definidas como ``off'' por padrЦo. | ||
82 | . | ||
83 | VocЙ pode habilitar isso para servidores que vocЙ confia, ou em um dos | ||
84 | arquivos de configuraГЦo, ou com a opГЦo de linha de comando -X. | ||
85 | . | ||
86 | Maiores detalhes podem ser encontrados em | ||
87 | /usr/share/doc/ssh/README.Debian. | ||
88 | |||
89 | Template: ssh/insecure_rshd | ||
90 | Type: note | ||
91 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
92 | having rsh-server installed undermines the security that you were probably | ||
93 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
94 | Description-pt_BR: Aviso: rsh-server estА instalado --- provavelmente nЦo И uma boa idИia | ||
95 | Possuir o rsh-server instalado minarА a seguranГa que vocЙ estava | ||
96 | provavelmente querendo obter instalando o ssh. Eu recomendaria a vocЙ | ||
97 | remover este pacote. | ||
98 | |||
99 | Template: ssh/insecure_telnetd | ||
100 | Type: note | ||
101 | Description: Warning: telnetd is installed --- probably not a good idea | ||
102 | I'd advise you to either remove the telnetd package (if you don't actually | ||
103 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
104 | least some chance that telnet sessions will not be sending unencrypted | ||
105 | login/password and session information over the network. | ||
106 | Description-pt_BR: Aviso: telnetd estА instalado --- provavelmente nЦo И uma boa idИia | ||
107 | Eu recomendaria a vocЙ ou remover o pacote telnetd (se vocЙ atualmente | ||
108 | nЦo precisa oferecer acesso telnet) ou instalar telnetd-ssl. Assim existe | ||
109 | pelo menos uma chance das sessУes telnet nЦo enviarem login/senha nЦo | ||
110 | encriptados e informaГУes de sessЦo atravИs da rede. | ||
111 | |||
112 | Template: ssh/encrypted_host_key_but_no_keygen | ||
113 | Type: note | ||
114 | Description: Warning: you must create a new host key | ||
115 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
116 | OpenSSH can not handle this host key file, and I can't find the | ||
117 | ssh-keygen utility from the old (non-free) SSH installation. | ||
118 | . | ||
119 | You will need to generate a new host key. | ||
120 | Description-pt_BR: Aviso: vocЙ deve criar uma nova host key | ||
121 | Existe uma antiga /etc/ssh/ssh_host_key, a qual И encriptada usando IDEA. | ||
122 | O OpenSSH nЦo pode gerenciar este arquivo host key e eu nЦo consigo | ||
123 | encontrar o utilitАrio ssh-keygen da antiga (non-free) instalaГЦo SSH. | ||
124 | . | ||
125 | VocЙ precisarА gerar uma nova host key. | ||
126 | |||
127 | Template: ssh/SUID_client | ||
128 | Type: boolean | ||
129 | Default: false | ||
130 | Description: Do you want /usr/bin/ssh to be installed SUID root? | ||
131 | You have the option of installing the ssh client with the SUID bit set. | ||
132 | . | ||
133 | If you make ssh SUID, you will be able to use Rhosts/RhostsRSA | ||
134 | authentication, but will not be able to use socks via the LD_PRELOAD | ||
135 | trick. This is the traditional approach. | ||
136 | . | ||
137 | If you do not make ssh SUID, you will be able to use socks, but | ||
138 | Rhosts/RhostsRSA authentication will stop working, which may stop you | ||
139 | logging in to remote systems. It will also mean that the source | ||
140 | port will be above 1024, which may confound firewall rules you've set up. | ||
141 | . | ||
142 | If in doubt, I suggest you install it without SUID. If it causes | ||
143 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
144 | Description-pt_BR: VocЙ quer que /usr/bin/ssh seja instalado SUID root ? | ||
145 | VocЙ tem a opГЦo de instalar o cliente ssh com o bit SUID setado. | ||
146 | . | ||
147 | Se vocЙ fizer o ssh SUID, vocЙ conseguirА usar autenticaГЦo | ||
148 | Rhosts/RhostsRSA, mas nЦo serА capaz de usar socks atravИs do truque | ||
149 | LD_PRELOAD. Isto И o tradicional. | ||
150 | . | ||
151 | Se vocЙ nЦo fizer o ssh SUID, vocЙ poderА usar socks, mas a autenticaГЦo | ||
152 | Rhosts/RhostsRSA irА parar de funcionar, o que poderА lhe impedir de | ||
153 | logar em sistemas remotos. Isto significarА tambИm que a porta fonte | ||
154 | estarА acima de 1024, o que poderА confundir regras de firewall que vocЙ | ||
155 | tenha definido. | ||
156 | . | ||
157 | Caso esteja em dЗvida, eu sugiro a vocЙ instalar sem SUID. Se isso causar | ||
158 | problemas vocЙ pode mudar sua escolha posteriormente executando: | ||
159 | dpkg-reconfigure ssh. | ||
160 | |||
161 | Template: ssh/run_sshd | ||
162 | Type: boolean | ||
163 | Default: true | ||
164 | Description: Do you want to run the sshd server ? | ||
165 | This package contains both the ssh client, and the sshd server. | ||
166 | . | ||
167 | Normally the sshd Secure Shell Server will be run to allow remote | ||
168 | logins via ssh. | ||
169 | . | ||
170 | If you are only interested in using the ssh client for outbound | ||
171 | connections on this machine, and don't want to log into it at all | ||
172 | using ssh, then you can disable sshd here. | ||
173 | Description-pt_BR: VocЙ quer executar o servidor sshd ? | ||
174 | Este pacote contИm ambos o cliente ssh e o servidor sshd. | ||
175 | . | ||
176 | Normalmente o sshd Secure Shell Server serА executado para permitir | ||
177 | logins remotos via ssh. | ||
178 | . | ||
179 | Se vocЙ estА interessado somente em usar o cliente ssh para conexУes | ||
180 | para fora desta mАquina, e nЦo quer logar na mesma usando ssh, entЦo vocЙ | ||
181 | pode desabilitar o sshd aqui. | ||
diff --git a/debian/templates.ru b/debian/templates.ru new file mode 100644 index 000000000..39038ff22 --- /dev/null +++ b/debian/templates.ru | |||
@@ -0,0 +1,207 @@ | |||
1 | Template: ssh/upgrade_to_openssh | ||
2 | Type: boolean | ||
3 | Description: Are you sure you want to upgrade to OpenSSH? | ||
4 | This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible | ||
5 | drop in replacement for the original (non-free) implemetation. | ||
6 | . | ||
7 | If you find that it is not, please report the problem as a bug. | ||
8 | . | ||
9 | You can still find the old version of ssh in the ssh-nonfree package | ||
10 | (although the only reason you are likely to want that is if you also | ||
11 | want to install the ssh2 package). | ||
12 | . | ||
13 | NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at | ||
14 | least one other ssh session running as root, and once this is installed, | ||
15 | check that you can still log in (with a third session), before logging out. | ||
16 | Description-ru: Вы уверены, что хотите обновить OpenSSH? | ||
17 | Эта версия ssh(он же OpenSSH) является 100%-совместимой с оригинальной | ||
18 | (несвободной) реализацией. | ||
19 | . | ||
20 | Если вы обнаружили различие, то, пожалуйста, сообщите об этой ошибке. | ||
21 | . | ||
22 | Вы можете по прежнему найти старую версию ssh в пакете ssh-nonfree | ||
23 | (хотя действительно необходимо его использовать только, если вы хотите | ||
24 | установить еще и пакет ssh2). | ||
25 | . | ||
26 | Примечание: Если вы удаленно обновляете машину через ssh, то убедитесь | ||
27 | что как минимум еще одна сессия ssh запущена от root, и как только | ||
28 | процесс обновления закончится, убедитесь, что вы сможете войти в | ||
29 | систему (установив третью сессию), перед тем как отсоединяться. | ||
30 | |||
31 | Template: ssh/protocol2_default | ||
32 | Type: note | ||
33 | Description: SSH uses protocol 2 by default. | ||
34 | This version of SSH (unlike previous ones) uses ssh | ||
35 | protocol version 2 by default. The key file formats have changed | ||
36 | between the protocol versions, so your old key files will not be | ||
37 | useful. You may either pass the '-1' option to ssh to force it to use | ||
38 | the older protocol (and your old keys), or generate new keys. Protocol | ||
39 | version 2 is thought to be more secure, so this is the preferred | ||
40 | course of action. See README.Debian for a little more information | ||
41 | . | ||
42 | Also, due to problems with IPv4 and IPv6 interoperation, IPv4 is now | ||
43 | the default (this is a change from previous versions). Passing ssh the | ||
44 | -6 flag will cause IPv6 addresses to be used. Once the current issues | ||
45 | with using IPv6 on machines with IPv4 addresses have been solved, the | ||
46 | previous default will be restored | ||
47 | Description-ru: SSH использует по умолчанию протокол версии 2. | ||
48 | Эта версия SSH (в отличии от предыдущих) использует по умолчанию | ||
49 | протокол версии 2. В этой версии протокола изменен формат файлов | ||
50 | ключей, так что ваши старые ключи станут бесполезными. Вы можете либо | ||
51 | указывать опцию '-1' для ssh, чтобы принудительно использовать более | ||
52 | старую версию протокола, либо сгенерируйте новый ключи. Протокол | ||
53 | версии 2 более защищенный, и поэтому предопределен по умолчанию. См. | ||
54 | подробности в файле README.Debian. | ||
55 | . | ||
56 | Также из-за проблем взаимосоответствия IPv4 и IPv6, сейчас по | ||
57 | умолчанию по умолчанию используется IPv4 (в отличии от предыдущих | ||
58 | версий). Чтобы использовать IPv6, надо задать флаг -6. Как только все | ||
59 | сложности с использованием IPv6 на машинах с адресами IPv4 будут | ||
60 | решены, то прежнее поведение по умолчанию будет восстановлено. | ||
61 | |||
62 | Template: ssh/ancient_version | ||
63 | Type: note | ||
64 | Description: You are trying to upgrade from an ancient version of non-free ssh | ||
65 | This is bound to be using IDEA encryption for your identity files. | ||
66 | You should upgrade to a vaguely contemporary (1.2.15 or later) version of | ||
67 | non-free ssh, and then upgrade all your key files using ssh-keygen -u | ||
68 | before attempting to migrate to OpenSSH. | ||
69 | . | ||
70 | Alternatively, you could just forget about that, and generate new keys. | ||
71 | Description-ru: Вы пытаетесь обновить древнюю версию коммерческого ssh | ||
72 | Она ограничена использованием шифрования IDEA для ваших файлов | ||
73 | идентификации. Рекомендуется обновить более современные версии (1.2.15 | ||
74 | или более поздние) коммерческого ssh, и потом обновить ваши ключевые | ||
75 | файлы командой `ssh-keygen -u` перед попыткой перейти на OpenSSH. | ||
76 | . | ||
77 | Как вариант, можете забыть обо всем этом и сгенерировать новые ключи. | ||
78 | |||
79 | Template: ssh/use_old_init_script | ||
80 | Type: boolean | ||
81 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
82 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
83 | all running sshd instances. If you are doing this upgrade via an ssh | ||
84 | session, that would be a Bad Thing(tm). | ||
85 | . | ||
86 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
87 | start-stop-daemon line in the stop section of the file. | ||
88 | Description-ru: Вы хотите продолжить (рискуя потерять активные ssh-соединения)? | ||
89 | Версия /etc/init.d/ssh, которую вы устанавливаете, может убить все | ||
90 | запущенные процессы ssh. Если вы осуществляете это обновление через | ||
91 | ssh сессию, то это Плохая Вещь (tm). | ||
92 | . | ||
93 | Это можно исправить добавлением "--pidfile /var/run/sshd.pid" в строке | ||
94 | start-stop-daemon в разделе stop этого файла. | ||
95 | |||
96 | Template: ssh/forward_warning | ||
97 | Type: note | ||
98 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
99 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
100 | ForwardAgent set to ``off'' by default. | ||
101 | . | ||
102 | You can enable it for servers you trust, either | ||
103 | in one of the configuration files, or with the -X command line option. | ||
104 | . | ||
105 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
106 | Description-ru: ПРИМЕЧАНИЕ: Форвардинг X11 и Authorization запрещен по умолчанию. | ||
107 | По причинам безопасности, в версии для Debian ssh имеет ForwardX11 и | ||
108 | ForwardAgent установленными в ``off'' по умолчанию. | ||
109 | . | ||
110 | Вы можете разрешить их для серверов, которым доверяете либо в одном из | ||
111 | настроечных файлов, или параметром командной строки -X. | ||
112 | . | ||
113 | Дополнительую информацию можно найти в /usr/share/doc/ssh/README.Debian | ||
114 | |||
115 | Template: ssh/insecure_rshd | ||
116 | Type: note | ||
117 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
118 | having rsh-server installed undermines the security that you were probably | ||
119 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
120 | Description-ru: Предупреждение: установлен rsh-server --- видимо, не очень хорошо | ||
121 | Установленный rsh-server снижает безопасность, которую вы вероятно | ||
122 | хотите повысить устанавливая ssh. Рекомендуется удалить этот пакет. | ||
123 | |||
124 | Template: ssh/insecure_telnetd | ||
125 | Type: note | ||
126 | Description: Warning: telnetd is installed --- probably not a good idea | ||
127 | I'd advise you to either remove the telnetd package (if you don't actually | ||
128 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
129 | least some chance that telnet sessions will not be sending unencrypted | ||
130 | login/password and session information over the network. | ||
131 | Description-ru: Предупреждение: установлен telnetd --- видимо, не очень хорошо | ||
132 | Я рекомендовал бы вам удалить пакет telnetd (если вам действительно не | ||
133 | нужен доступ telnet) или установить telnet-ssl, чтобы иметь хотя бы | ||
134 | возможность не передавать по сети незашифрованные имена и пароли | ||
135 | пользователей и прочую информацию в telnet-сессиях. | ||
136 | |||
137 | Template: ssh/encrypted_host_key_but_no_keygen | ||
138 | Type: note | ||
139 | Description: Warning: you must create a new host key | ||
140 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
141 | OpenSSH can not handle this host key file, and I can't find the | ||
142 | ssh-keygen utility from the old (non-free) SSH installation. | ||
143 | . | ||
144 | You will need to generate a new host key. | ||
145 | Description-ru: Предупреждение: вы должны создать новый ключ машины. | ||
146 | Есть старый /etc/ssh/ssh_host_key, который зашифрован IDEA. OpenSSH не | ||
147 | может работать с этим ключом машины, и я не могу найти утилиту | ||
148 | ssh-keygen от старой (несвободной) инсталляции SSH. | ||
149 | . | ||
150 | Вам надо будет сгенерировать новый ключ хоста. | ||
151 | |||
152 | Template: ssh/SUID_client | ||
153 | Type: boolean | ||
154 | Default: true | ||
155 | Description: Do you want /usr/bin/ssh to be installed SUID root? | ||
156 | You have the option of installing the ssh client with the SUID bit set. | ||
157 | . | ||
158 | If you make ssh SUID, you will be able to use Rhosts/RhostsRSA | ||
159 | authentication, but will not be able to use socks via the LD_PRELOAD | ||
160 | trick. This is the traditional approach. | ||
161 | . | ||
162 | If you do not make ssh SUID, you will be able to use socks, but | ||
163 | Rhosts/RhostsRSA authentication will stop working, which may stop you | ||
164 | logging in to remote systems. It will also mean that the source | ||
165 | port will be above 1024, which may confound firewall rules you've set up. | ||
166 | . | ||
167 | If in doubt, I suggest you install it with SUID. If it causes | ||
168 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
169 | Description-ru: Хотите установить /usr/bin/ssh как SUID root? | ||
170 | Вы имеете возможность установить /usr/bin/ssh с установленным битом | ||
171 | SUID. | ||
172 | . | ||
173 | Если вы делаете ssh SUID, то вы сможете использовать аутентификацию | ||
174 | Rhosts/RhostsRSA, но не сможете использовать socks через LD_PRELOAD. | ||
175 | Это традиционное поведение. | ||
176 | . | ||
177 | Если вы сделаете ssh SUID, то вы сможете использовать socks, но зато | ||
178 | аутентификация Rhosts/RhostsRSA не будет работать, что может сделать | ||
179 | невозможным вашу регистрацию на удаленных системах. Также это означает | ||
180 | что номер источникового порта будет больше 1024, что может не нарушить | ||
181 | работу установленных вами правил файрвола. | ||
182 | . | ||
183 | Если вы не знаете, что решить, то рекомендуется установить его с битом | ||
184 | SUID. Если вы потом передумаете, то эту установку можно будет изменить | ||
185 | командой: "dpkg-reconfigure ssh". | ||
186 | |||
187 | Template: ssh/run_sshd | ||
188 | Type: boolean | ||
189 | Default: true | ||
190 | Description: Do you want to run the sshd server ? | ||
191 | This package contains both the ssh client, and the sshd server. | ||
192 | . | ||
193 | Normally the sshd Secure Shell Server will be run to allow remote | ||
194 | logins via ssh. | ||
195 | . | ||
196 | If you are only interested in using the ssh client for outbound | ||
197 | connections on this machine, and don't want to log into it at all | ||
198 | using ssh, then you can disable sshd here. | ||
199 | Description-ru: Хотите запустить сервер sshd? | ||
200 | Этот пакет содержит и ssh-клиент, и ssh-сервер. | ||
201 | . | ||
202 | Обычно sshd Secure Shell Server запускается для удаленного входа в | ||
203 | регистрации в системе через ssh. | ||
204 | . | ||
205 | Если вас интересует только использование ssh-клиента для исходящих | ||
206 | соединений с этой машины, и вы не хотите входить в ее систему через | ||
207 | ssh, то вы можете сейчас запретить sshd. | ||