Please find, for review, the debconf templates of openssh. See some rationale at the end of this mail. This review will last from Sunday, April 08, 2007 to Wednesday, April 18, 2007. Please send reviews as unified diffs (diff -u) against the original files. Comments about your proposed changes will be appreciated. Your review should be sent as an answer to this mail. When appropriate, I will send intermediate requests for review, with "[RFRn]" (n>=2) as a subject tag. When we will reach a consensus, I send a "Last Chance For Comments" mail with "[LCFC]" as a subject tag. Finally, the reviewed templates will be sent to the package maintainer as a bug report, and a mail will be sent to this list with "[BTS]" as a subject tag. Rationale: Most texts have been written by a very skilled English speaker/writer. So, most of my proposed changes are more intended for overall consistency among packages. I changed some spelling in templates from en_GB to en_US as the review project will propose to make the use of en_US. I know you'll probably don't like this very much, Colin..:-)...and we'll leave up to you to make the final decision for openssh. We also agreed to avoid the use of double spaces after full stops. That review implements this. Other changes are proposed rewordings for clarity and sometimes reflect my own views....Feel free to comment Finally in debian/control, I removed all initial capitals in short descriptions as recommended by the developer's reference. --
Template: ssh/new_config Type: boolean Default: true _Description: Generate a new configuration file for OpenSSH? This version of OpenSSH has a considerably changed configuration file from the version shipped in Debian 'Potato', which you appear to be upgrading from. This package can now generate a new configuration file (/etc/ssh/sshd.config), which will work with the new server version, but will not contain any customizations you made with the old version. . Please note that this new configuration file will set the value of 'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password can ssh directly in as root). Please read the README.Debian files for more details about this design choice. . It is strongly recommended that choose to generate a new configuration file now. Template: ssh/use_old_init_script Type: boolean Default: false _Description: Do you want to risk killing active SSH sessions? The currently installed version of /etc/init.d/ssh is likely to kill all running sshd instances. If you are doing this upgrade via an SSH session, you're likely to be disconnected and leave the upgrade procedure unfinished. . This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to the start-stop-daemon line in the stop section of the file. Template: ssh/encrypted_host_key_but_no_keygen Type: note _Description: New host key mandatory The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA algorithm. OpenSSH can not handle this host key file, and the ssh-keygen utility from the old (non-free) SSH installation does not appear to be available. . You need to manually generate a new host key. Template: ssh/disable_cr_auth Type: boolean Default: false _Description: Disable challenge-response authentication? Password authentication appears to be disabled in the current OpenSSH server configuration. In order to prevent users from logging in using passwords (perhaps using only public key authentication instead) with recent versions of OpenSSH, you must disable challenge-response authentication, or else ensure that your PAM configuration does not allow Unix password file authentication. . If you disable challenge-response authentication, then users will not be able to log in using passwords. If you leave it enabled (the default answer), then the 'PasswordAuthentication no' option will have no useful effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
--- ../openssh.old/debian/openssh-server.templates.master 2007-03-29 06:13:05.523673024 +0200 +++ debian/openssh-server.templates.master 2007-04-08 09:22:36.284815041 +0200 @@ -1,47 +1,48 @@ Template: ssh/new_config Type: boolean Default: true -_Description: Generate new configuration file? +_Description: Generate a new configuration file for OpenSSH? This version of OpenSSH has a considerably changed configuration file from the version shipped in Debian 'Potato', which you appear to be upgrading from. This package can now generate a new configuration file (/etc/ssh/sshd.config), which will work with the new server version, but - will not contain any customisations you made with the old version. + will not contain any customizations you made with the old version. . Please note that this new configuration file will set the value of - 'PermitRootLogin' to yes (meaning that anyone knowing the root password - can ssh directly in as root). It is the opinion of the maintainer that - this is the correct default (see README.Debian for more details), but you - can always edit sshd_config and set it to no if you wish. + 'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password + can ssh directly in as root). Please read the README.Debian files for + more details about this design choice. . - It is strongly recommended that you let this package generate a new + It is strongly recommended that choose to generate a new configuration file now. Template: ssh/use_old_init_script Type: boolean Default: false -_Description: Do you want to continue (and risk killing active ssh sessions)? - The version of /etc/init.d/ssh that you have installed, is likely to kill - all running sshd instances. If you are doing this upgrade via an ssh - session, that would be a Bad Thing(tm). +_Description: Do you want to risk killing active SSH sessions? + The currently installed version of /etc/init.d/ssh is likely to kill + all running sshd instances. If you are doing this upgrade via an SSH + session, you're likely to be disconnected and leave the upgrade + procedure unfinished. . - You can fix this by adding "--pidfile /var/run/sshd.pid" to the - start-stop-daemon line in the stop section of the file. + This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to + the start-stop-daemon line in the stop section of the file. Template: ssh/encrypted_host_key_but_no_keygen Type: note -_Description: Warning: you must create a new host key - There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH - can not handle this host key file, and the ssh-keygen utility from the old - (non-free) SSH installation does not appear to be available. +_Description: New host key mandatory + The current host key, in /etc/ssh/ssh_host_key, is encrypted with the + IDEA algorithm. OpenSSH can not handle this host key file, and the + ssh-keygen utility from the old (non-free) SSH installation does not + appear to be available. . - You will need to generate a new host key. + You need to manually generate a new host key. Template: ssh/disable_cr_auth Type: boolean Default: false _Description: Disable challenge-response authentication? - Password authentication appears to be disabled in your current OpenSSH + Password authentication appears to be disabled in the current OpenSSH server configuration. In order to prevent users from logging in using passwords (perhaps using only public key authentication instead) with recent versions of OpenSSH, you must disable challenge-response --- ../openssh.old/debian/control 2007-03-29 06:13:05.315671355 +0200 +++ debian/control 2007-04-08 09:25:20.126113743 +0200 @@ -13,7 +13,7 @@ Replaces: ssh, ssh-krb5 Suggests: ssh-askpass, xbase-clients Provides: rsh-client, ssh-client -Description: Secure shell client, an rlogin/rsh/rcp replacement +Description: secure shell client, an rlogin/rsh/rcp replacement This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. @@ -21,7 +21,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted - hosts over an insecure network. X11 connections and arbitrary TCP/IP + hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide applications with a secure communication channel. @@ -30,8 +30,6 @@ and ssh-add programs to make public key authentication more convenient, and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities. . - -------------------------------------------------------------------- - . In some countries it may be illegal to use any encryption at all without a special permit. @@ -43,7 +41,7 @@ Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5 Suggests: ssh-askpass, xbase-clients, rssh, molly-guard Provides: ssh-server -Description: Secure shell server, an rshd replacement +Description: secure shell server, an rshd replacement This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. @@ -51,15 +49,13 @@ Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted - hosts over an insecure network. X11 connections and arbitrary TCP/IP + hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide applications with a secure communication channel. . This package provides the sshd server. . - -------------------------------------------------------------------- - . In some countries it may be illegal to use any encryption at all without a special permit. @@ -67,7 +63,7 @@ Priority: extra Architecture: all Depends: openssh-client, openssh-server -Description: Secure shell client and server (transitional package) +Description: secure shell client and server (transitional package) This is a transitional package depending on both the OpenSSH client and the OpenSSH server, which are now in separate packages. You may remove it once the upgrade is complete and nothing depends on it. @@ -76,10 +72,10 @@ Priority: extra Architecture: all Depends: openssh-client, openssh-server -Description: Secure shell client and server (transitional package) +Description: secure shell client and server (transitional package) This is a transitional package depending on the regular Debian OpenSSH - client and server, which now support GSSAPI natively. It will add the - necessary GSSAPI options to the server configuration file. You can + client and server, which now support GSSAPI natively. It will add the + necessary GSSAPI options to the server configuration file. You can remove it once the upgrade is complete and nothing depends on it. Package: ssh-askpass-gnome @@ -89,7 +85,7 @@ Depends: ${shlibs:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5 Replaces: ssh (<< 1:3.5p1-3) Provides: ssh-askpass -Description: under X, asks user for a passphrase for ssh-add +Description: interactive X program to prompt users for a passphrase for ssh-add This has been split out of the main ssh package, so that the ssh will not need to depend upon the Gnome libraries. . @@ -103,7 +99,7 @@ Architecture: any Depends: ${shlibs:Depends}, libnss-files-udeb XB-Installer-Menu-Item: 999 -Description: Secure shell client for the Debian installer +Description: secure shell client for the Debian installer This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. @@ -116,7 +112,7 @@ Priority: optional Architecture: any Depends: ${shlibs:Depends}, libnss-files-udeb -Description: Secure shell server for the Debian installer +Description: secure shell server for the Debian installer This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group.
Source: openssh Section: net Priority: standard Maintainer: Matthew Vernon <matthew@debian.org> Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev Standards-Version: 3.7.2 Uploaders: Colin Watson <cjwatson@debian.org> Package: openssh-client Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) Replaces: ssh, ssh-krb5 Suggests: ssh-askpass, xbase-clients Provides: rsh-client, ssh-client Description: secure shell client, an rlogin/rsh/rcp replacement This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. . Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide applications with a secure communication channel. . This package provides the ssh, scp and sftp clients, the ssh-agent and ssh-add programs to make public key authentication more convenient, and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities. . In some countries it may be illegal to use any encryption at all without a special permit. Package: openssh-server Priority: optional Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5 Suggests: ssh-askpass, xbase-clients, rssh, molly-guard Provides: ssh-server Description: secure shell server, an rshd replacement This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. . Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide applications with a secure communication channel. . This package provides the sshd server. . In some countries it may be illegal to use any encryption at all without a special permit. Package: ssh Priority: extra Architecture: all Depends: openssh-client, openssh-server Description: secure shell client and server (transitional package) This is a transitional package depending on both the OpenSSH client and the OpenSSH server, which are now in separate packages. You may remove it once the upgrade is complete and nothing depends on it. Package: ssh-krb5 Priority: extra Architecture: all Depends: openssh-client, openssh-server Description: secure shell client and server (transitional package) This is a transitional package depending on the regular Debian OpenSSH client and server, which now support GSSAPI natively. It will add the necessary GSSAPI options to the server configuration file. You can remove it once the upgrade is complete and nothing depends on it. Package: ssh-askpass-gnome Section: gnome Priority: optional Architecture: any Depends: ${shlibs:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5 Replaces: ssh (<< 1:3.5p1-3) Provides: ssh-askpass Description: interactive X program to prompt users for a passphrase for ssh-add This has been split out of the main ssh package, so that the ssh will not need to depend upon the Gnome libraries. . You probably want the ssh-askpass package instead, but this is provided to add to your choice and/or confusion. Package: openssh-client-udeb XC-Package-Type: udeb Section: debian-installer Priority: optional Architecture: any Depends: ${shlibs:Depends}, libnss-files-udeb XB-Installer-Menu-Item: 999 Description: secure shell client for the Debian installer This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. . This package provides the ssh client for use in debian-installer. Package: openssh-server-udeb XC-Package-Type: udeb Section: debian-installer Priority: optional Architecture: any Depends: ${shlibs:Depends}, libnss-files-udeb Description: secure shell server for the Debian installer This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. . This package provides the sshd server for use in debian-installer. Since it is expected to be used in specialized situations (e.g. S/390 installs with no console), it does not provide any configuration.
Attachment:
signature.asc
Description: Digital signature