Please find, for review, the debconf templates of openssh. See some rationale at the end of this mail. This review will last from Sunday, April 08, 2007 to Wednesday, April 18, 2007. Please send reviews as unified diffs (diff -u) against the original files. Comments about your proposed changes will be appreciated. Your review should be sent as an answer to this mail. When appropriate, I will send intermediate requests for review, with "[RFRn]" (n>=2) as a subject tag. When we will reach a consensus, I send a "Last Chance For Comments" mail with "[LCFC]" as a subject tag. Finally, the reviewed templates will be sent to the package maintainer as a bug report, and a mail will be sent to this list with "[BTS]" as a subject tag. Rationale: Most texts have been written by a very skilled English speaker/writer. So, most of my proposed changes are more intended for overall consistency among packages. I changed some spelling in templates from en_GB to en_US as the review project will propose to make the use of en_US. I know you'll probably don't like this very much, Colin..:-)...and we'll leave up to you to make the final decision for openssh. We also agreed to avoid the use of double spaces after full stops. That review implements this. Other changes are proposed rewordings for clarity and sometimes reflect my own views....Feel free to comment Finally in debian/control, I removed all initial capitals in short descriptions as recommended by the developer's reference. --
Template: ssh/new_config Type: boolean Default: true _Description: Generate a new configuration file for OpenSSH? This version of OpenSSH has a considerably changed configuration file from the version shipped in Debian 'Potato', which you appear to be upgrading from. This package can now generate a new configuration file (/etc/ssh/sshd.config), which will work with the new server version, but will not contain any customizations you made with the old version. . Please note that this new configuration file will set the value of 'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password can ssh directly in as root). Please read the README.Debian files for more details about this design choice. . It is strongly recommended that choose to generate a new configuration file now. Template: ssh/use_old_init_script Type: boolean Default: false _Description: Do you want to risk killing active SSH sessions? The currently installed version of /etc/init.d/ssh is likely to kill all running sshd instances. If you are doing this upgrade via an SSH session, you're likely to be disconnected and leave the upgrade procedure unfinished. . This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to the start-stop-daemon line in the stop section of the file. Template: ssh/encrypted_host_key_but_no_keygen Type: note _Description: New host key mandatory The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA algorithm. OpenSSH can not handle this host key file, and the ssh-keygen utility from the old (non-free) SSH installation does not appear to be available. . You need to manually generate a new host key. Template: ssh/disable_cr_auth Type: boolean Default: false _Description: Disable challenge-response authentication? Password authentication appears to be disabled in the current OpenSSH server configuration. In order to prevent users from logging in using passwords (perhaps using only public key authentication instead) with recent versions of OpenSSH, you must disable challenge-response authentication, or else ensure that your PAM configuration does not allow Unix password file authentication. . If you disable challenge-response authentication, then users will not be able to log in using passwords. If you leave it enabled (the default answer), then the 'PasswordAuthentication no' option will have no useful effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
--- ../openssh.old/debian/openssh-server.templates.master 2007-03-29 06:13:05.523673024 +0200
+++ debian/openssh-server.templates.master 2007-04-08 09:22:36.284815041 +0200
@@ -1,47 +1,48 @@
Template: ssh/new_config
Type: boolean
Default: true
-_Description: Generate new configuration file?
+_Description: Generate a new configuration file for OpenSSH?
This version of OpenSSH has a considerably changed configuration file from
the version shipped in Debian 'Potato', which you appear to be upgrading
from. This package can now generate a new configuration file
(/etc/ssh/sshd.config), which will work with the new server version, but
- will not contain any customisations you made with the old version.
+ will not contain any customizations you made with the old version.
.
Please note that this new configuration file will set the value of
- 'PermitRootLogin' to yes (meaning that anyone knowing the root password
- can ssh directly in as root). It is the opinion of the maintainer that
- this is the correct default (see README.Debian for more details), but you
- can always edit sshd_config and set it to no if you wish.
+ 'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password
+ can ssh directly in as root). Please read the README.Debian files for
+ more details about this design choice.
.
- It is strongly recommended that you let this package generate a new
+ It is strongly recommended that choose to generate a new
configuration file now.
Template: ssh/use_old_init_script
Type: boolean
Default: false
-_Description: Do you want to continue (and risk killing active ssh sessions)?
- The version of /etc/init.d/ssh that you have installed, is likely to kill
- all running sshd instances. If you are doing this upgrade via an ssh
- session, that would be a Bad Thing(tm).
+_Description: Do you want to risk killing active SSH sessions?
+ The currently installed version of /etc/init.d/ssh is likely to kill
+ all running sshd instances. If you are doing this upgrade via an SSH
+ session, you're likely to be disconnected and leave the upgrade
+ procedure unfinished.
.
- You can fix this by adding "--pidfile /var/run/sshd.pid" to the
- start-stop-daemon line in the stop section of the file.
+ This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to
+ the start-stop-daemon line in the stop section of the file.
Template: ssh/encrypted_host_key_but_no_keygen
Type: note
-_Description: Warning: you must create a new host key
- There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
- can not handle this host key file, and the ssh-keygen utility from the old
- (non-free) SSH installation does not appear to be available.
+_Description: New host key mandatory
+ The current host key, in /etc/ssh/ssh_host_key, is encrypted with the
+ IDEA algorithm. OpenSSH can not handle this host key file, and the
+ ssh-keygen utility from the old (non-free) SSH installation does not
+ appear to be available.
.
- You will need to generate a new host key.
+ You need to manually generate a new host key.
Template: ssh/disable_cr_auth
Type: boolean
Default: false
_Description: Disable challenge-response authentication?
- Password authentication appears to be disabled in your current OpenSSH
+ Password authentication appears to be disabled in the current OpenSSH
server configuration. In order to prevent users from logging in using
passwords (perhaps using only public key authentication instead) with
recent versions of OpenSSH, you must disable challenge-response
--- ../openssh.old/debian/control 2007-03-29 06:13:05.315671355 +0200
+++ debian/control 2007-04-08 09:25:20.126113743 +0200
@@ -13,7 +13,7 @@
Replaces: ssh, ssh-krb5
Suggests: ssh-askpass, xbase-clients
Provides: rsh-client, ssh-client
-Description: Secure shell client, an rlogin/rsh/rcp replacement
+Description: secure shell client, an rlogin/rsh/rcp replacement
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
@@ -21,7 +21,7 @@
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
- hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be
used to provide applications with a secure communication channel.
@@ -30,8 +30,6 @@
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
- --------------------------------------------------------------------
- .
In some countries it may be illegal to use any encryption at all
without a special permit.
@@ -43,7 +41,7 @@
Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5
Suggests: ssh-askpass, xbase-clients, rssh, molly-guard
Provides: ssh-server
-Description: Secure shell server, an rshd replacement
+Description: secure shell server, an rshd replacement
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
@@ -51,15 +49,13 @@
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
- hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be
used to provide applications with a secure communication channel.
.
This package provides the sshd server.
.
- --------------------------------------------------------------------
- .
In some countries it may be illegal to use any encryption at all
without a special permit.
@@ -67,7 +63,7 @@
Priority: extra
Architecture: all
Depends: openssh-client, openssh-server
-Description: Secure shell client and server (transitional package)
+Description: secure shell client and server (transitional package)
This is a transitional package depending on both the OpenSSH client and
the OpenSSH server, which are now in separate packages. You may remove
it once the upgrade is complete and nothing depends on it.
@@ -76,10 +72,10 @@
Priority: extra
Architecture: all
Depends: openssh-client, openssh-server
-Description: Secure shell client and server (transitional package)
+Description: secure shell client and server (transitional package)
This is a transitional package depending on the regular Debian OpenSSH
- client and server, which now support GSSAPI natively. It will add the
- necessary GSSAPI options to the server configuration file. You can
+ client and server, which now support GSSAPI natively. It will add the
+ necessary GSSAPI options to the server configuration file. You can
remove it once the upgrade is complete and nothing depends on it.
Package: ssh-askpass-gnome
@@ -89,7 +85,7 @@
Depends: ${shlibs:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5
Replaces: ssh (<< 1:3.5p1-3)
Provides: ssh-askpass
-Description: under X, asks user for a passphrase for ssh-add
+Description: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main ssh package, so that the ssh will
not need to depend upon the Gnome libraries.
.
@@ -103,7 +99,7 @@
Architecture: any
Depends: ${shlibs:Depends}, libnss-files-udeb
XB-Installer-Menu-Item: 999
-Description: Secure shell client for the Debian installer
+Description: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
@@ -116,7 +112,7 @@
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, libnss-files-udeb
-Description: Secure shell server for the Debian installer
+Description: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
Source: openssh
Section: net
Priority: standard
Maintainer: Matthew Vernon <matthew@debian.org>
Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev
Standards-Version: 3.7.2
Uploaders: Colin Watson <cjwatson@debian.org>
Package: openssh-client
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
Replaces: ssh, ssh-krb5
Suggests: ssh-askpass, xbase-clients
Provides: rsh-client, ssh-client
Description: secure shell client, an rlogin/rsh/rcp replacement
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be
used to provide applications with a secure communication channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
Package: openssh-server
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5
Suggests: ssh-askpass, xbase-clients, rssh, molly-guard
Provides: ssh-server
Description: secure shell server, an rshd replacement
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It is intended as a replacement for rlogin, rsh and rcp, and can be
used to provide applications with a secure communication channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
Package: ssh
Priority: extra
Architecture: all
Depends: openssh-client, openssh-server
Description: secure shell client and server (transitional package)
This is a transitional package depending on both the OpenSSH client and
the OpenSSH server, which are now in separate packages. You may remove
it once the upgrade is complete and nothing depends on it.
Package: ssh-krb5
Priority: extra
Architecture: all
Depends: openssh-client, openssh-server
Description: secure shell client and server (transitional package)
This is a transitional package depending on the regular Debian OpenSSH
client and server, which now support GSSAPI natively. It will add the
necessary GSSAPI options to the server configuration file. You can
remove it once the upgrade is complete and nothing depends on it.
Package: ssh-askpass-gnome
Section: gnome
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5
Replaces: ssh (<< 1:3.5p1-3)
Provides: ssh-askpass
Description: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main ssh package, so that the ssh will
not need to depend upon the Gnome libraries.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
Package: openssh-client-udeb
XC-Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, libnss-files-udeb
XB-Installer-Menu-Item: 999
Description: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the ssh client for use in debian-installer.
Package: openssh-server-udeb
XC-Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends: ${shlibs:Depends}, libnss-files-udeb
Description: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the sshd server for use in debian-installer.
Since it is expected to be used in specialized situations (e.g. S/390
installs with no console), it does not provide any configuration.
Attachment:
signature.asc
Description: Digital signature