Template: ssh/new_config Type: boolean Default: true _Description: Generate new configuration file This version of OpenSSH has a considerably changed configuration file from the version shipped in Debian 'Potato', which you appear to be upgrading from. I can now generate you a new configuration file (/etc/ssh/sshd.config), which will work with the new server version, but will not contain any customisations you made with the old version. . Please note that this new configuration file will set the value of 'PermitRootLogin' to yes (meaning that anyone knowing the root password can ssh directly in as root). It is the opinion of the maintainer that this is the correct default (see README.Debian for more details), but you can always edit sshd_config and set it to no if you wish. . It is strongly recommended that you let me generate a new configuration file for you. Template: ssh/protocol2_only Type: boolean Default: true _Description: Allow SSH protocol 2 only This version of OpenSSH supports version 2 of the ssh protocol, which is much more secure. Disabling ssh 1 is encouraged, however this will slow things down on low end machines and might prevent older clients from connecting (the ssh client shipped with "potato" is affected). . Also please note that keys used for protocol 1 are different so you will not be able to use them if you only allow protocol 2 connections. . If you later change your mind about this setting, README.Debian has instructions on what to do to your sshd_config file. Template: ssh/ssh2_keys_merged Type: note _Description: ssh2 keys merged in configuration files As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 keys. This means the authorized_keys2 and known_hosts2 files are no longer needed. They will still be read in order to maintain backwards compatibility Template: ssh/use_old_init_script Type: boolean Default: false _Description: Do you want to continue (and risk killing active ssh sessions)? The version of /etc/init.d/ssh that you have installed, is likely to kill all running sshd instances. If you are doing this upgrade via an ssh session, that would be a Bad Thing(tm). . You can fix this by adding "--pidfile /var/run/sshd.pid" to the start-stop-daemon line in the stop section of the file. Template: ssh/forward_warning Type: note _Description: NOTE: Forwarding of X11 and Authorization disabled by default. For security reasons, the Debian version of ssh has ForwardX11 and ForwardAgent set to ``off'' by default. . You can enable it for servers you trust, either in one of the configuration files, or with the -X command line option. . More details can be found in /usr/share/doc/ssh/README.Debian Template: ssh/insecure_rshd Type: note _Description: Warning: rsh-server is installed --- probably not a good idea having rsh-server installed undermines the security that you were probably wanting to obtain by installing ssh. I'd advise you to remove that package. Template: ssh/insecure_telnetd Type: note _Description: Warning: telnetd is installed --- probably not a good idea I'd advise you to either remove the telnetd package (if you don't actually need to offer telnet access) or install telnetd-ssl so that there is at least some chance that telnet sessions will not be sending unencrypted login/password and session information over the network. Template: ssh/encrypted_host_key_but_no_keygen Type: note _Description: Warning: you must create a new host key There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH can not handle this host key file, and I can't find the ssh-keygen utility from the old (non-free) SSH installation. . You will need to generate a new host key. Template: ssh/SUID_client Type: boolean Default: true _Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? You have the option of installing the ssh-keysign helper with the SUID bit set. . If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 host-based authentication. . If in doubt, I suggest you install it with SUID. If it causes problems you can change your mind later by running: dpkg-reconfigure ssh Template: ssh/run_sshd Type: boolean Default: true _Description: Do you want to run the sshd server? This package contains both the ssh client, and the sshd server. . Normally the sshd Secure Shell Server will be run to allow remote logins via ssh. . If you are only interested in using the ssh client for outbound connections on this machine, and don't want to log into it at all using ssh, then you can disable sshd here. Template: ssh/user_environment_tell Type: note _Description: Environment options on keys have been deprecated This version of OpenSSH disables the environment option for public keys by default, in order to avoid certain attacks (for example, LD_PRELOAD). If you are using this option in an authorized_keys file, beware that the keys in question will no longer work until the option is removed. . To re-enable this option, set "PermitUserEnvironment yes" in /etc/ssh/sshd_config after the upgrade is complete, taking note of the warning in the sshd_config(5) manual page. Template: ssh/disable_cr_auth Type: boolean Default: true _Description: Disable challenge-response authentication? Password authentication appears to be disabled in your current OpenSSH server configuration. In order to prevent users from logging in using passwords (perhaps using only public key authentication instead) with recent versions of OpenSSH, you must disable challenge-response authentication, or else ensure that your PAM configuration does not allow Unix password file authentication. . If you disable challenge-response authentication (the default answer), then users will not be able to log in using passwords. If you leave it enabled, then the 'PasswordAuthentication no' option will have no useful effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.