aboutsummaryrefslogtreecommitdiffstats
path: root/src/fripost-postinst-udeb/debian/templates
blob: fcba8ded0933066994cc5567a6ec38b1a6553c25 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
Template: base-installer/progress/fripost
Type: text
Description: ${WHAT}

Template: fripost/initrd-ssh-port
Type: string
Default: 22
Description: Listening [address:]port for dropbear:
 If port is a range (e.g., 1024-65535), a random port in that range is
 chosen.  Leaving the question empty is equivalent to specifying the
 range of registered port 1024-49151.  This is only used for remote
 (SSH) unlocking of encrypted disks.

Template: fripost/dropbear-use-openssh-key
Type: boolean
Default: false
Description: Use the same key for dropbear and OpenSSH?
 If False, generate a dedicated key for dropbear.

Template: fripost/activate-selinux
Type: boolean
Default: true
Description: Install and activate (in enforcing mode) SELinux?
 Note that activating SELinux requires a dummy reboot to label all
 files.  So if you have full-disk encryption, you'll have to send the
 password twice to dropbear.

Template: fripost/keep-media-directory
Type: boolean
Default: false
Description: Keep /media and its kids' entries in the fstab?
 /media (and its related entries in the fstab) can safely be removed on
 a headless server.

Template: fripost/sshd-fprs_title
Type: text
Description: Reboot in progress

Template: fripost/sshd-fprs_text
Type: note
Description: Press 'continue' to reboot on the new system
 Done!  After rebooting you should be able to log in into your new
 machine:
 .
     ssh ${USER}@${IPv4}
 .
 To defeat MiTM-attacks, please ensure (for instance by trying to log in
 right now, although it won't be successful before the next reboot) that
 the server's public key has the following fingerprint
 .
     ${SSHFPR_SERVER}
 .
 To unlock the encrypted disk, you need to send the key to the SSH
 daemon living in in the initrd:
 .
     ssh -p ${PORT} -T root@${IPv4} < /path/to/key
 .
 An attacker successfully mounting a MiTM-attack could get hold of the
 encryption key! It is crucial that you match this (single purpose)
 server's fingerprint against
 .
     ${SSHFPR_INITRD}
 .
 Key(s) that are granted access to these two servers have the following
 fingerprint:
 .
     ${SSHFPR_AUTHORIZED}

Template: fripost/sshd-fprs-nodropbear_text
Type: note
Description: Press 'continue' to reboot on the new system
 Done! After rebooting you should be able to log in into your new
 machine:
 .
     ssh ${USER}@${IPv4}
 .
 To defeat MiTM-attacks, please ensure (for instance by trying to log in
 right now, although it won't be successful before the next reboot) that
 the server's public key has the following fingerprint
 .
     ${SSHFPR_SERVER}
 .
 Key(s) that are granted access to the server have the following
 fingerprint:
 .
     ${SSHFPR_AUTHORIZED}

Template: fripost/final-notice
Type: boolean
Default: true
Description: Display the final notice before rebooting?
 It's good to show SSH fingerprints, because it defeats MiTM-attacks.