summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2015-08-19 21:45:00 +0100
commit88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 (patch)
tree01b06510540fd02f07be82ab16a2c5277c97b3e3
parentb0b95d9689563856ac4992c90b65ed4fd8f3fae6 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-config.patch
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config7
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.525
6 files changed, 73 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c
index 5f6c37fe4..f0769b574 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
1748 if (options->forward_x11 == -1) 1748 if (options->forward_x11 == -1)
1749 options->forward_x11 = 0; 1749 options->forward_x11 = 0;
1750 if (options->forward_x11_trusted == -1) 1750 if (options->forward_x11_trusted == -1)
1751 options->forward_x11_trusted = 0; 1751 options->forward_x11_trusted = 1;
1752 if (options->forward_x11_timeout == -1) 1752 if (options->forward_x11_timeout == -1)
1753 options->forward_x11_timeout = 1200; 1753 options->forward_x11_timeout = 1200;
1754 if (options->exit_on_forward_failure == -1) 1754 if (options->exit_on_forward_failure == -1)
diff --git a/ssh.1 b/ssh.1
index 217886319..e2cce49d3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
670directive in 670directive in
671.Xr ssh_config 5 671.Xr ssh_config 5
672for more information. 672for more information.
673.Pp
674(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
675restrictions by default, because too many programs currently crash in this
676mode.
677Set the
678.Cm ForwardX11Trusted
679option to
680.Dq no
681to restore the upstream behaviour.
682This may change in future depending on client-side improvements.)
673.It Fl x 683.It Fl x
674Disables X11 forwarding. 684Disables X11 forwarding.
675.It Fl Y 685.It Fl Y
676Enables trusted X11 forwarding. 686Enables trusted X11 forwarding.
677Trusted X11 forwardings are not subjected to the X11 SECURITY extension 687Trusted X11 forwardings are not subjected to the X11 SECURITY extension
678controls. 688controls.
689.Pp
690(Debian-specific: This option does nothing in the default configuration: it
691is equivalent to
692.Dq Cm ForwardX11Trusted No yes ,
693which is the default as described above.
694Set the
695.Cm ForwardX11Trusted
696option to
697.Dq no
698to restore the upstream behaviour.
699This may change in future depending on client-side improvements.)
679.It Fl y 700.It Fl y
680Send log information using the 701Send log information using the
681.Xr syslog 3 702.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 228e5abce..c9386aadd 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48# VisualHostKey no 49# VisualHostKey no
49# ProxyCommand ssh -q -W %h:%p gateway.example.com 50# ProxyCommand ssh -q -W %h:%p gateway.example.com
50# RekeyLimit 1G 1h 51# RekeyLimit 1G 1h
52 SendEnv LANG LC_*
53 HashKnownHosts yes
54 GSSAPIAuthentication yes
55 GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index acd581bf5..844d1a0f5 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77Note that the Debian
78.Ic openssh-client
79package sets several options as standard in
80.Pa /etc/ssh/ssh_config
81which are not the default in
82.Xr ssh 1 :
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86.Cm SendEnv No LANG LC_*
87.It
88.Cm HashKnownHosts No yes
89.It
90.Cm GSSAPIAuthentication No yes
91.El
92.Pp
77The configuration file has the following format: 93The configuration file has the following format:
78.Pp 94.Pp
79Empty lines and lines starting with 95Empty lines and lines starting with
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
716Remote clients will be refused access after this time. 732Remote clients will be refused access after this time.
717.Pp 733.Pp
718The default is 734The default is
719.Dq no . 735.Dq yes
736(Debian-specific).
720.Pp 737.Pp
721See the X11 SECURITY extension specification for full details on 738See the X11 SECURITY extension specification for full details on
722the restrictions imposed on untrusted clients. 739the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 1dfd0f156..23a338fa3 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,7 +41,8 @@
41# Authentication: 41# Authentication:
42 42
43#LoginGraceTime 2m 43#LoginGraceTime 2m
44#PermitRootLogin no 44# See /usr/share/doc/openssh-server/README.Debian.gz.
45#PermitRootLogin without-password
45#StrictModes yes 46#StrictModes yes
46#MaxAuthTries 6 47#MaxAuthTries 6
47#MaxSessions 10 48#MaxSessions 10
diff --git a/sshd_config.5 b/sshd_config.5
index 355b44544..eb6bff85f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 .
66The exact list depends on whether the package was installed fresh or
67upgraded from various possible previous versions, but includes at least the
68following:
69.Pp
70.Bl -bullet -offset indent -compact
71.It
72.Cm ChallengeResponseAuthentication No no
73.It
74.Cm X11Forwarding No yes
75.It
76.Cm PrintMotd No no
77.It
78.Cm AcceptEnv No LANG LC_*
79.It
80.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
81.It
82.Cm UsePAM No yes
83.El
84.Pp
60The possible 85The possible
61keywords and their meanings are as follows (note that 86keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 87keywords are case-insensitive and arguments are case-sensitive):