summaryrefslogtreecommitdiff
path: root/debian/templates.master
blob: 3f0ccd079db82ca402bf1eae2b0b705b002e0819 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
Template: ssh/privsep_tell
Type: note
_Description: Privilege separation
 This version of OpenSSH contains the new privilege separation option. This
 significantly reduces the quantity of code that runs as root, and
 therefore reduces the impact of security holes in sshd.
 .
 Unfortunately, privilege separation interacts badly with PAM. Any PAM
 session modules that need to run as root (pam_mkhomedir, for example) will
 fail, and PAM keyboard-interactive authentication won't work.
 .
 Privilege separation is turned on by default, so if you decide you want it
 turned off, you need to add "UsePrivilegeSeparation no" to
 /etc/ssh/sshd_config.
 .
 NB! If you are running a 2.0 series Linux kernel, then privilege
 separation will not work at all, and your sshd will fail to start unless
 you explicitly turn privilege separation off.

Template: ssh/privsep_ask
Type: boolean
Default: true
_Description: Enable Privilege separation
 This version of OpenSSH contains the new privilege separation option. This
 significantly reduces the quantity of code that runs as root, and
 therefore reduces the impact of security holes in sshd.
 .
 Unfortunately, privilege separation interacts badly with PAM. Any PAM
 session modules that need to run as root (pam_mkhomedir, for example) will
 fail, and PAM keyboard-interactive authentication won't work.
 .
 Since you've opted to have me generate an sshd_config file for you, you
 can choose whether or not to have Privilege Separation turned on or not.
 Unless you are running 2.0 (in which case you *must* say no here or your
 sshd won't start at all) or know you need to use PAM features that won't
 work with this option, you should say yes here.

Template: ssh/new_config
Type: boolean
Default: true
_Description: Generate new configuration file
 This version of OpenSSH has a considerably changed configuration file from
 the version shipped in Debian 'Potato', which you appear to be upgrading
 from. I can now generate you a new configuration file
 (/etc/ssh/sshd.config), which will work with the new server version, but
 will not contain any customisations you made with the old version.
 .
 Please note that this new configuration file will set the value of
 'PermitRootLogin' to yes (meaning that anyone knowing the root password
 can ssh directly in as root). It is the opinion of the maintainer that
 this is the correct default (see README.Debian for more details), but you
 can always edit sshd_config and set it to no if you wish.
 .
 It is strongly recommended that you let me generate a new configuration
 file for you.

Template: ssh/protocol2_only
Type: boolean
Default: true
_Description: Allow SSH protocol 2 only
 This version of OpenSSH supports version 2 of the ssh protocol, which is
 much more secure.  Disabling ssh 1 is encouraged, however this will slow
 things down on low end machines and might prevent older clients from
 connecting (the ssh client shipped with "potato" is affected).
 .
 Also please note that keys used for protocol 1 are different so you will
 not be able to use them if you only allow protocol 2 connections.
 .
 If you later change your mind about this setting, README.Debian has
 instructions on what to do to your sshd_config file.

Template: ssh/ssh2_keys_merged
Type: note
_Description: ssh2 keys merged in configuration files
 As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
 keys. This means the authorized_keys2 and known_hosts2 files are no longer
 needed. They will still be read in order to maintain backwards
 compatibility

Template: ssh/use_old_init_script
Type: boolean
Default: false
_Description: Do you want to continue (and risk killing active ssh sessions) ?
 The version of /etc/init.d/ssh that you have installed, is likely to kill
 all running sshd instances.  If you are doing this upgrade via an ssh
 session, that would be a Bad Thing(tm).
 .
 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
 start-stop-daemon line in the stop section of the file.

Template: ssh/forward_warning
Type: note
_Description: NOTE: Forwarding of X11 and Authorization disabled by default.
 For security reasons, the Debian version of ssh has ForwardX11 and
 ForwardAgent set to ``off'' by default.
 .
 You can enable it for servers you trust, either in one of the
 configuration files, or with the -X command line option.
 .
 More details can be found in /usr/share/doc/ssh/README.Debian

Template: ssh/insecure_rshd
Type: note
_Description: Warning: rsh-server is installed --- probably not a good idea
 having rsh-server installed undermines the security that you were probably
 wanting to obtain by installing ssh.  I'd advise you to remove that
 package.

Template: ssh/insecure_telnetd
Type: note
_Description: Warning: telnetd is installed --- probably not a good idea
 I'd advise you to either remove the telnetd package (if you don't actually
 need to offer telnet access) or install telnetd-ssl so that there is at
 least some chance that telnet sessions will not be sending unencrypted
 login/password and session information over the network.

Template: ssh/encrypted_host_key_but_no_keygen
Type: note
_Description: Warning: you must create a new host key
 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
 can not handle this host key file, and I can't find the ssh-keygen utility
 from the old (non-free) SSH installation.
 .
 You will need to generate a new host key.

Template: ssh/SUID_client
Type: boolean
Default: true
_Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
 You have the option of installing the ssh-keysign helper with the SUID bit
 set.
 .
 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
 host-based authentication.
 .
 If in doubt, I suggest you install it with SUID.  If it causes problems
 you can change your mind later by running:   dpkg-reconfigure ssh

Template: ssh/run_sshd
Type: boolean
Default: true
_Description: Do you want to run the sshd server ?
 This package contains both the ssh client, and the sshd server.
 .
 Normally the sshd Secure Shell Server will be run to allow remote logins
 via ssh.
 .
 If you are only interested in using the ssh client for outbound
 connections on this machine, and don't want to log into it at all using
 ssh, then you can disable sshd here.

Template: ssh/user_environment_tell
Type: note
_Description: Environment options on keys have been deprecated
 This version of OpenSSH disables the environment option for public keys by
 default, in order to avoid certain attacks (for example, LD_PRELOAD). If
 you are using this option in an authorized_keys file, beware that the keys
 in question will no longer work until the option is removed.
 .
 To re-enable this option, set "PermitUserEnvironment yes" in
 /etc/ssh/sshd_config after the upgrade is complete, taking note of the
 warning in the sshd_config(5) manual page.