1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
|
Template: ssh/privsep_tell
Type: note
Description: Privilege separation
This version of OpenSSH contains the new privilege separation
option. This significantly reduces the quantity of code that runs as
root, and therefore reduces the impact of security holes in sshd.
.
Unfortunately, privilege separation interacts badly with PAM. Any
PAM session modules that need to run as root (pam_mkhomedir, for
example) will fail, and PAM keyboard-interactive authentication
won't work.
.
Privilege separation is turned on by default, so if you decide you
want it turned off, you need to add "UsePrivilegeSeparation no" to
/etc/ssh/sshd_config
.
NB! If you are running a 2.0 series Linux kernel, then privilege
separation will not work at all, and your sshd will fail to start
unless you explicity turn privilege separation off.
Template: ssh/privsep_ask
Type: boolean
Default: true
Description: Enable Privilege separation
This version of OpenSSH contains the new privilege separation
option. This significantly reduces the quantity of code that runs as
root, and therefore reduces the impact of security holes in sshd.
.
Unfortunately, privilege separation interacts badly with PAM. Any
PAM session modules that need to run as root (pam_mkhomedir, for
example) will fail, and PAM keyboard-interactive authentication
won't work.
.
Since you've opted to have me generate an sshd_config file for you,
you can choose whether or not to have Privilege Separation turned on
or not. Unless you are running 2.0 (in which case you *must* say no
here or your sshd won't start at all) or know you need to use PAM
features that won't work with this option, you should say yes here.
Template: ssh/new_config
Type: boolean
Default: true
Description: Generate new configuration file
This version of OpenSSH has a considerably changed configuration file from
the version shipped in Debian 'Potato', which you appear to be upgrading from.
I can now generate you a new configuration file (/etc/ssh/sshd.config), which
will work with the new server version, but will not contain any customisations
you made with the old version.
.
Please note that this new configuration file will set the value of
'PermitRootLogin' to yes (meaning that anyone knowing the root password can
ssh directly in as root). It is the opinion of the maintainer that this is
the correct default (see README.Debian for more details), but you can always
edit sshd_config and set it to no if you wish.
.
It is strongly recommended that you let me generate a new configuration file
for you
Template: ssh/protocol2_only
Type: boolean
Default: true
Description: Allow SSH protocol 2 only
This version of OpenSSH supports version 2 of the ssh protocol, which
is much more secure. Disabling ssh 1 is encouraged, however this
will slow things down on low end machines and might prevent older
clients from connecting (the ssh client shipped with "potato" is affected).
.
Also please note that keys used for protocol 1 are different so you will
not be able to use them if you only allow protocol 2 connections.
.
If you later change your mind about this setting, README.Debian has
instructions on what to do to your sshd_config file.
Template: ssh/ssh2_keys_merged
Type: note
Description: ssh2 keys merged in configuration files
As of version 3 OpenSSH no longer uses separate files for ssh1 and
ssh2 keys. This means the authorized_keys2 and known_hosts2 files
are no longer needed. They will still be read in order to maintain
backwards compatibility
Template: ssh/use_old_init_script
Type: boolean
Default: false
Description: Do you want to continue (and risk killing active ssh sessions) ?
The version of /etc/init.d/ssh that you have installed, is likely to kill
all running sshd instances. If you are doing this upgrade via an ssh
session, that would be a Bad Thing(tm).
.
You can fix this by adding "--pidfile /var/run/sshd.pid" to the
start-stop-daemon line in the stop section of the file.
Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
Die Version von /etc/init.d/ssh, die sie installiert haben, wird
vermutlich ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
via ssh erledigen, dann ist das ein Problem.
.
Sie koennen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
an die start-stop-daemon Zeile in dem Bereich stop der Datei
/etc/init.d/ssh ergaenzen.
Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ?
Il est probable que la version de /etc/init.d/ssh install=E9e en ce moment
tue toutes les instances de sshd lanc=E9es en ce moment. Si vous faite une
mise =E0 jour via ssh, ca serait une Mauvaise Chose(tm).
.
Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid'
a la ligne 'start-stop-daemon' dans la section 'stop' du fichier.
Template: ssh/forward_warning
Type: note
Description: NOTE: Forwarding of X11 and Authorization disabled by default.
For security reasons, the Debian version of ssh has ForwardX11 and
ForwardAgent set to ``off'' by default.
.
You can enable it for servers you trust, either
in one of the configuration files, or with the -X command line option.
.
More details can be found in /usr/share/doc/ssh/README.Debian
Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
Aus Sicherheitsgruenden haben die Debian Pakete von ssh ForwardX11 und
ForwardAgent auf "off" gesetzt.
.
Sie koenne dies fuer Server denen Sie trauen, entweder per Eintrag im
den Konfigurations Dateien oder per -X Kommando-Zeilen Option aendern.
.
Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d=E9sactiv=E9s par d=E9faut.
Pour des raisons de s=E9curit=E9, la version Debian de ssh positionne les
options ForwardX11 et ForwardAgent a ``Off'' par d=E9faut.
.
Vous pouvez activer ces options pour les serveurs en lesquels vous avez
confiance, soit dans un des fichiers de configuration, soit avec l'option
-X de la ligne de commande.
.
Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
Template: ssh/insecure_rshd
Type: note
Description: Warning: rsh-server is installed --- probably not a good idea
having rsh-server installed undermines the security that you were probably
wanting to obtain by installing ssh. I'd advise you to remove that package.
Description-de: Warnung: rsh-server ist installiert --- moeglicherweise
ist es eine schlechte Idee den rsh-server installiert zu haben, da er
die Sicherheit untergraebt. Wir empfehlen das Paket zu entfernen.
Description-fr: Attention: le paquet rsh-server est install=E9 --- ce n'estprobablement pas une bonne id=E9e
Avoir un serveur rsh install=E9 affaibli la s=E9curit=E9 que vous vouliez
probablement obtenir en installant ssh. Je vous conseillerais de
d=E9installer ce paquet.
Template: ssh/insecure_telnetd
Type: note
Description: Warning: telnetd is installed --- probably not a good idea
I'd advise you to either remove the telnetd package (if you don't actually
need to offer telnet access) or install telnetd-ssl so that there is at
least some chance that telnet sessions will not be sending unencrypted
login/password and session information over the network.
Description-de: Warnung: telnetd ist installiert --- schlechte Idee
Wir empfehlen das telnetd Paket zu entfernen (wenn sie keine telnet Zugang
anbieten) oder telnetd-ssl zu installieren, so dass die Moeglichkeit besteht
dass das Login und Password nicht unverschluesselt durch das Netz gesendet
werden.
Description-fr: Attention: le paquet telnetd est install=E9 --- ce n'est probablement pas une bonne id=E9e
Je vous conseillerais de, soit enlever le paquet telnetd (si ce service
n'est pas n=E9cessaire), soit de le remplacer par le paquet telnetd-ssl
pour qu'il y ait au moins une chance que les sessions telnet soient
encrypt=E9es et que les mot de passes et logins ne passent pas en clair sur
le r=E9seau.
Template: ssh/encrypted_host_key_but_no_keygen
Type: note
Description: Warning: you must create a new host key
There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
OpenSSH can not handle this host key file, and I can't find the
ssh-keygen utility from the old (non-free) SSH installation.
.
You will need to generate a new host key.
Description-de: Warnung: Sie muessen einen neuen Host Key erzeugen
Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
per IDEA verschluesselt ist. OpenSSH kann eine solche Host Key Datei
nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
kann nicht gefunden werden.
Description-fr: Attention: vous devez cr=E9er une nouvelle cl=E9 d'h=F4te
Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt=E9 avec IDEA.
OpenSSH ne peut utiliser ce fichier de cl=E9, et je ne peux trouver
l'utilitaire ssh-keygen de l'installation pr=E9c=E9dente (non libre) de SSH.
Template: ssh/SUID_client
Type: boolean
Default: true
Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
You have the option of installing the ssh-keysign helper with the SUID
bit set.
.
If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
host-based authentication.
.
If in doubt, I suggest you install it with SUID. If it causes
problems you can change your mind later by running: dpkg-reconfigure ssh
Template: ssh/run_sshd
Type: boolean
Default: true
Description: Do you want to run the sshd server ?
This package contains both the ssh client, and the sshd server.
.
Normally the sshd Secure Shell Server will be run to allow remote
logins via ssh.
.
If you are only interested in using the ssh client for outbound
connections on this machine, and don't want to log into it at all
using ssh, then you can disable sshd here.
Description-de: Wollen Sie den sshd Server starten?
Das Paket enthaelt sowohl den client als auch den sshd server.
.
Normal wird der sshd Secure Shell Server fuer Remote Logins per ssh
gestartet.
.
Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechner
zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen,
dann koennen Sie hier den sshd abschalten.
Description-fr: Voulez vous utiliser le serveur sshd ?
Ce paquet contient a la fois le client ssh et le serveur sshd.
.
Normalement le serveur sshd sera lanc=E9 pour permettre les logins distants
via ssh.
.
Si vous d=E9sirez seulement utiliser le client ssh pour vous connecter a
distance sur d'autres machines a partir de celle-ci, et que vous ne
voulez pas vous logguer sur cette machine a distance via ssh, alors vous
pouvez d=E9sactiver sshd maintenant.
|