diff options
Diffstat (limited to 'src/fripost-postinst-udeb/debian/templates')
| -rw-r--r-- | src/fripost-postinst-udeb/debian/templates | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/src/fripost-postinst-udeb/debian/templates b/src/fripost-postinst-udeb/debian/templates new file mode 100644 index 0000000..5385ce9 --- /dev/null +++ b/src/fripost-postinst-udeb/debian/templates @@ -0,0 +1,93 @@ +Template: base-installer/progress/fripost +Type: text +Description: ${WHAT} + +Template: fripost/initrd-ssh-port +Type: string +Default: 22 +Description: On which [address:]port should dropbear listen? +Extended_description: If port is a range (e.g., 1024-65535), a random + port in that range is chosen. Leaving the question empty is equivalent + to specifying the range of registered port 1024-49151. This is only + used for remote (SSH) unlocking of encrypted disks. + +Template: fripost/dropbear-use-openssh-key +Type: boolean +Default: false +Description: Use the same key for dropbear and OpenSSH? +Extended_description: If False, generate a dedicated key for dropbear. + +Template: fripost/activate-selinux +Type: boolean +Default: true +Description: Install and activate (in enforcing mode) SELinux? +Extended_description: Note that activating SELinux requires a dummy + reboot to label all files. So if you have full-disk encryption, you'll + have to send the password twice to dropbear. + +Template: fripost/keep-media-directory +Type: boolean +Default: false +Description: Keep /media and its kids' entries in the fstab? +Extended_description: /media (and its related entries in the fstab) + can safely be removed on a headless server. + +Template: fripost/sshd-fprs_title +Type: text +Description: Reboot in progress + +Template: fripost/sshd-fprs_text +Type: note +Description: Press 'continue' to reboot on the new system + We are done! After rebooting you should be able to log in into your + new machine: + . + ssh ${USER}@${IPv4} + . + To defeat MiTM-attacks, please ensure (for instance by trying to log in + right now, although it won't be successful before the next reboot) that + the server's public key has the following fingerprint + . + ${SSHFPR_SERVER} + . + To unlock the encrypted disk, you need to send the key to the SSH + daemon living in in the initrd: + . + ssh -p ${PORT} -T root@${IPv4} < /path/to/key + . + An attacker successfully mounting a MiTM-attack could get hold of the + encryption key! It is crucial that you match this (single purpose) + server's fingerprint against + . + ${SSHFPR_INITRD} + . + Key(s) that are granted access to these two servers have the following + fingerprint: + . + ${SSHFPR_AUTHORIZED} + +Template: fripost/sshd-fprs-nodropbear_text +Type: note +Description: Press 'continue' to reboot on the new system + We are done! After rebooting you should be able to log in into your new + machine: + . + ssh ${USER}@${IPv4} + . + To defeat MiTM-attacks, please ensure (for instance by trying to log in + right now, although it won't be successful before the next reboot) that + the server's public key has the following fingerprint + . + ${SSHFPR_SERVER} + . + Key(s) that are granted access to the server have the following + fingerprint: + . + ${SSHFPR_AUTHORIZED} + +Template: fripost/final-notice +Type: boolean +Default: true +Description: Display the final notice before rebooting? +Extended_description: It's good to show SSH fingerprints, because it + defeats MiTM-attacks. |