Template: base-installer/progress/fripost
Type: text
Description: ${WHAT}

Template: fripost/initrd-ssh-port
Type: string
Default: 22
Description: Listening [address:]port for dropbear:
 If port is a range (e.g., 1024-65535), a random port in that range is
 chosen. Leaving the question empty is equivalent to specifying the
 range of registered ports 1024-49151. This is only used for remote
 (SSH) unlocking of encrypted disks.

Template: fripost/dropbear-use-openssh-key
Type: boolean
Default: false
Description: Use the same key for dropbear and OpenSSH?
 If False, generate a dedicated key for dropbear.

Template: fripost/activate-selinux
Type: boolean
Default: false
Description: Install and activate (in enforcing mode) SELinux?
 Note that activating SELinux requires a dummy reboot to label all
 files. So if you have full-disk encryption, you'll have to send the
 password twice to dropbear.

Template: fripost/keep-media-directory
Type: boolean
Default: false
Description: Keep /media and its kids' entries in the fstab?
 /media (and its related entries in the fstab) can safely be removed
 on a headless server.

Template: fripost/sshd-fprs_title
Type: text
Description: Reboot in progress

Template: fripost/sshd-fprs_text
Type: note
Description: Press 'continue' to reboot on the new system
 Done! After rebooting you should be able to log in to your new
 machine:
 .
 ssh ${USER}@${IPv4}
 .
 To defeat MiTM-attacks, please ensure (for instance by trying to log
 in right now, although it won't be successful before the next reboot)
 that the server's public key has the following fingerprint
 .
 ${SSHFPR_SERVER}
 .
 To unlock the encrypted disk, you need to send the key to the SSH
 daemon living in the initrd:
 .
 ssh -p ${PORT} -T root@${IPv4} < /path/to/key
 .
 An attacker successfully mounting a MiTM-attack could get hold of the
 encryption key! It is crucial that you match this (single purpose)
 server's fingerprint against
 .
 ${SSHFPR_INITRD}
 .
 Key(s) that are granted access to these two servers have the
 following fingerprint:
 .
 ${SSHFPR_AUTHORIZED}

Template: fripost/sshd-fprs-nodropbear_text
Type: note
Description: Press 'continue' to reboot on the new system
 Done! After rebooting you should be able to log in to your new
 machine:
 .
 ssh ${USER}@${IPv4}
 .
 To defeat MiTM-attacks, please ensure (for instance by trying to log
 in right now, although it won't be successful before the next reboot)
 that the server's public key has the following fingerprint
 .
 ${SSHFPR_SERVER}
 .
 Key(s) that are granted access to the server have the following
 fingerprint:
 .
 ${SSHFPR_AUTHORIZED}

Template: fripost/final-notice
Type: boolean
Default: true
Description: Display the final notice before rebooting?
 It's good to show SSH fingerprints, because it defeats MiTM-attacks.