Diffstat (limited to 'src/fripost-postinst-udeb/debian/templates')
-rw-r--r--  src/fripost-postinst-udeb/debian/templates  93
1 files changed, 93 insertions, 0 deletions
diff --git a/src/fripost-postinst-udeb/debian/templates b/src/fripost-postinst-udeb/debian/templates
new file mode 100644
index 0000000..5385ce9
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/templates
@@ -0,0 +1,93 @@
+Template: base-installer/progress/fripost
+Type: text
+Description: ${WHAT}
+
+Template: fripost/initrd-ssh-port
+Type: string
+Default: 22
+Description: On which [address:]port should dropbear listen?
+Extended_description: If port is a range (e.g., 1024-65535), a random
+ port in that range is chosen. Leaving the question empty is equivalent
+ to specifying the range of registered port 1024-49151. This is only
+ used for remote (SSH) unlocking of encrypted disks.
+
+Template: fripost/dropbear-use-openssh-key
+Type: boolean
+Default: false
+Description: Use the same key for dropbear and OpenSSH?
+Extended_description: If False, generate a dedicated key for dropbear.
+
+Template: fripost/activate-selinux
+Type: boolean
+Default: true
+Description: Install and activate (in enforcing mode) SELinux?
+Extended_description: Note that activating SELinux requires a dummy
+ reboot to label all files. So if you have full-disk encryption, you'll
+ have to send the password twice to dropbear.
+
+Template: fripost/keep-media-directory
+Type: boolean
+Default: false
+Description: Keep /media and its kids' entries in the fstab?
+Extended_description: /media (and its related entries in the fstab)
+ can safely be removed on a headless server.
+
+Template: fripost/sshd-fprs_title
+Type: text
+Description: Reboot in progress
+
+Template: fripost/sshd-fprs_text
+Type: note
+Description: Press 'continue' to reboot on the new system
+ We are done! After rebooting you should be able to log in into your
+ new machine:
+ .
+ ssh ${USER}@${IPv4}
+ .
+ To defeat MiTM-attacks, please ensure (for instance by trying to log in
+ right now, although it won't be successful before the next reboot) that
+ the server's public key has the following fingerprint
+ .
+ ${SSHFPR_SERVER}
+ .
+ To unlock the encrypted disk, you need to send the key to the SSH
+ daemon living in in the initrd:
+ .
+ ssh -p ${PORT} -T root@${IPv4} < /path/to/key
+ .
+ An attacker successfully mounting a MiTM-attack could get hold of the
+ encryption key! It is crucial that you match this (single purpose)
+ server's fingerprint against
+ .
+ ${SSHFPR_INITRD}
+ .
+ Key(s) that are granted access to these two servers have the following
+ fingerprint:
+ .
+ ${SSHFPR_AUTHORIZED}
+
+Template: fripost/sshd-fprs-nodropbear_text
+Type: note
+Description: Press 'continue' to reboot on the new system
+ We are done! After rebooting you should be able to log in into your new
+ machine:
+ .
+ ssh ${USER}@${IPv4}
+ .
+ To defeat MiTM-attacks, please ensure (for instance by trying to log in
+ right now, although it won't be successful before the next reboot) that
+ the server's public key has the following fingerprint
+ .
+ ${SSHFPR_SERVER}
+ .
+ Key(s) that are granted access to the server have the following
+ fingerprint:
+ .
+ ${SSHFPR_AUTHORIZED}
+
+Template: fripost/final-notice
+Type: boolean
+Default: true
+Description: Display the final notice before rebooting?
+Extended_description: It's good to show SSH fingerprints, because it
+ defeats MiTM-attacks.
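Review bot: the fripost/dropbear-use-openssh-key template should spell out the trade-off behind its default, since "If False, generate a dedicated key for dropbear." does not say why a dedicated key is the safer choice: the dropbear daemon lives in the initrd (as the sshd-fprs_text note itself says), and the initrd necessarily sits outside the encrypted disk it is used to unlock, so answering True places the OpenSSH host private key on unencrypted storage and a compromise of that key also impersonates the main system. Suggest an extended description along the lines of "Sharing the key means the OpenSSH host key is stored in the unencrypted initrd; a dedicated key limits the damage if that key is exposed." Second, the file mixes two styles for the long description: fripost/initrd-ssh-port, dropbear-use-openssh-key, activate-selinux, keep-media-directory and final-notice use a separate `Extended_description:` field, while the two sshd-fprs templates use the usual indented continuation lines under `Description:`; pick the continuation-line form throughout so all templates load the same way. Minor wording in the user-facing notes: "log in into your new machine" (twice) and "living in in the initrd" each have a doubled word, and "Key(s) ... have the following fingerprint" should read "fingerprint(s)".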