summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2020-06-07 10:25:35 +0100
commit08ca1225e6979fc6b5b6e7f85ce5cb0ac5cc7405 (patch)
tree6affe2fe4794807f180fe50ffd800b23dd653414
parentfe8c9983321154a61f4f06be602f925f1fd24ee7 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-config.patch
-rw-r--r--readconf.c2
-rw-r--r--ssh.124
-rw-r--r--ssh_config8
-rw-r--r--ssh_config.526
-rw-r--r--sshd_config18
-rw-r--r--sshd_config.529
6 files changed, 98 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c
index 5bf0afbb4..87b0dc62a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2111,7 +2111,7 @@ fill_default_options(Options * options)
2111 if (options->forward_x11 == -1) 2111 if (options->forward_x11 == -1)
2112 options->forward_x11 = 0; 2112 options->forward_x11 = 0;
2113 if (options->forward_x11_trusted == -1) 2113 if (options->forward_x11_trusted == -1)
2114 options->forward_x11_trusted = 0; 2114 options->forward_x11_trusted = 1;
2115 if (options->forward_x11_timeout == -1) 2115 if (options->forward_x11_timeout == -1)
2116 options->forward_x11_timeout = 1200; 2116 options->forward_x11_timeout = 1200;
2117 /* 2117 /*
diff --git a/ssh.1 b/ssh.1
index 5a31b5dde..035823da3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -812,6 +812,16 @@ directive in
812.Xr ssh_config 5 812.Xr ssh_config 5
813for more information. 813for more information.
814.Pp 814.Pp
815(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
816restrictions by default, because too many programs currently crash in this
817mode.
818Set the
819.Cm ForwardX11Trusted
820option to
821.Dq no
822to restore the upstream behaviour.
823This may change in future depending on client-side improvements.)
824.Pp
815.It Fl x 825.It Fl x
816Disables X11 forwarding. 826Disables X11 forwarding.
817.Pp 827.Pp
@@ -820,6 +830,20 @@ Enables trusted X11 forwarding.
820Trusted X11 forwardings are not subjected to the X11 SECURITY extension 830Trusted X11 forwardings are not subjected to the X11 SECURITY extension
821controls. 831controls.
822.Pp 832.Pp
833(Debian-specific: In the default configuration, this option is equivalent to
834.Fl X ,
835since
836.Cm ForwardX11Trusted
837defaults to
838.Dq yes
839as described above.
840Set the
841.Cm ForwardX11Trusted
842option to
843.Dq no
844to restore the upstream behaviour.
845This may change in future depending on client-side improvements.)
846.Pp
823.It Fl y 847.It Fl y
824Send log information using the 848Send log information using the
825.Xr syslog 3 849.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 1ff999b68..8a55237b9 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,12 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Include /etc/ssh/ssh_config.d/*.conf
21
22Host *
21# ForwardAgent no 23# ForwardAgent no
22# ForwardX11 no 24# ForwardX11 no
25# ForwardX11Trusted yes
23# PasswordAuthentication yes 26# PasswordAuthentication yes
24# HostbasedAuthentication no 27# HostbasedAuthentication no
25# GSSAPIAuthentication no 28# GSSAPIAuthentication no
@@ -45,3 +48,6 @@
45# VisualHostKey no 48# VisualHostKey no
46# ProxyCommand ssh -q -W %h:%p gateway.example.com 49# ProxyCommand ssh -q -W %h:%p gateway.example.com
47# RekeyLimit 1G 1h 50# RekeyLimit 1G 1h
51 SendEnv LANG LC_*
52 HashKnownHosts yes
53 GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index dd8241df1..aac3fabb7 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 71host-specific declarations should be given near the beginning of the
72file, and general defaults at the end. 72file, and general defaults at the end.
73.Pp 73.Pp
74Note that the Debian
75.Ic openssh-client
76package sets several options as standard in
77.Pa /etc/ssh/ssh_config
78which are not the default in
79.Xr ssh 1 :
80.Pp
81.Bl -bullet -offset indent -compact
82.It
83.Cm Include /etc/ssh/ssh_config.d/*.conf
84.It
85.Cm SendEnv No LANG LC_*
86.It
87.Cm HashKnownHosts No yes
88.It
89.Cm GSSAPIAuthentication No yes
90.El
91.Pp
92.Pa /etc/ssh/ssh_config.d/*.conf
93files are included at the start of the system-wide configuration file, so
94options set there will override those in
95.Pa /etc/ssh/ssh_config.
96.Pp
74The file contains keyword-argument pairs, one per line. 97The file contains keyword-argument pairs, one per line.
75Lines starting with 98Lines starting with
76.Ql # 99.Ql #
@@ -729,11 +752,12 @@ elapsed.
729.It Cm ForwardX11Trusted 752.It Cm ForwardX11Trusted
730If this option is set to 753If this option is set to
731.Cm yes , 754.Cm yes ,
755(the Debian-specific default),
732remote X11 clients will have full access to the original X11 display. 756remote X11 clients will have full access to the original X11 display.
733.Pp 757.Pp
734If this option is set to 758If this option is set to
735.Cm no 759.Cm no
736(the default), 760(the upstream default),
737remote X11 clients will be considered untrusted and prevented 761remote X11 clients will be considered untrusted and prevented
738from stealing or tampering with data belonging to trusted X11 762from stealing or tampering with data belonging to trusted X11
739clients. 763clients.
diff --git a/sshd_config b/sshd_config
index 2c48105f8..459c1b230 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
10# possible, but leave them commented. Uncommented options override the 10# possible, but leave them commented. Uncommented options override the
11# default value. 11# default value.
12 12
13Include /etc/ssh/sshd_config.d/*.conf
14
13#Port 22 15#Port 22
14#AddressFamily any 16#AddressFamily any
15#ListenAddress 0.0.0.0 17#ListenAddress 0.0.0.0
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
57#PasswordAuthentication yes 59#PasswordAuthentication yes
58#PermitEmptyPasswords no 60#PermitEmptyPasswords no
59 61
60# Change to no to disable s/key passwords 62# Change to yes to enable challenge-response passwords (beware issues with
61#ChallengeResponseAuthentication yes 63# some PAM modules and threads)
64ChallengeResponseAuthentication no
62 65
63# Kerberos options 66# Kerberos options
64#KerberosAuthentication no 67#KerberosAuthentication no
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
81# If you just want the PAM account and session checks to run without 84# If you just want the PAM account and session checks to run without
82# PAM authentication, then enable this but set PasswordAuthentication 85# PAM authentication, then enable this but set PasswordAuthentication
83# and ChallengeResponseAuthentication to 'no'. 86# and ChallengeResponseAuthentication to 'no'.
84#UsePAM no 87UsePAM yes
85 88
86#AllowAgentForwarding yes 89#AllowAgentForwarding yes
87#AllowTcpForwarding yes 90#AllowTcpForwarding yes
88#GatewayPorts no 91#GatewayPorts no
89#X11Forwarding no 92X11Forwarding yes
90#X11DisplayOffset 10 93#X11DisplayOffset 10
91#X11UseLocalhost yes 94#X11UseLocalhost yes
92#PermitTTY yes 95#PermitTTY yes
93#PrintMotd yes 96PrintMotd no
94#PrintLastLog yes 97#PrintLastLog yes
95#TCPKeepAlive yes 98#TCPKeepAlive yes
96#PermitUserEnvironment no 99#PermitUserEnvironment no
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
107# no default banner path 110# no default banner path
108#Banner none 111#Banner none
109 112
113# Allow client to pass locale environment variables
114AcceptEnv LANG LC_*
115
110# override default of no subsystems 116# override default of no subsystems
111Subsystem sftp /usr/libexec/sftp-server 117Subsystem sftp /usr/lib/openssh/sftp-server
112 118
113# Example of overriding settings on a per-user basis 119# Example of overriding settings on a per-user basis
114#Match User anoncvs 120#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index c27f99937..b38025dbf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
56.Pq \&" 56.Pq \&"
57in order to represent arguments containing spaces. 57in order to represent arguments containing spaces.
58.Pp 58.Pp
59Note that the Debian
60.Ic openssh-server
61package sets several options as standard in
62.Pa /etc/ssh/sshd_config
63which are not the default in
64.Xr sshd 8 :
65.Pp
66.Bl -bullet -offset indent -compact
67.It
68.Cm Include /etc/ssh/sshd_config.d/*.conf
69.It
70.Cm ChallengeResponseAuthentication No no
71.It
72.Cm X11Forwarding No yes
73.It
74.Cm PrintMotd No no
75.It
76.Cm AcceptEnv No LANG LC_*
77.It
78.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
79.It
80.Cm UsePAM No yes
81.El
82.Pp
83.Pa /etc/ssh/sshd_config.d/*.conf
84files are included at the start of the configuration file, so options set
85there will override those in
86.Pa /etc/ssh/sshd_config.
87.Pp
59The possible 88The possible
60keywords and their meanings are as follows (note that 89keywords and their meanings are as follows (note that
61keywords are case-insensitive and arguments are case-sensitive): 90keywords are case-insensitive and arguments are case-sensitive):