summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2018-10-20 22:54:09 +0100
commita433d9baa031d7136a8cf3e3807ebff83a3a8634 (patch)
tree3fecc984dfc9a222bcc8a5353bca9640c1d48c55
parentda34947128351bee9d2530574432190548f5be58 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config6
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config16
-rw-r--r--sshd_config.522
6 files changed, 77 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c
index 6b01f20d2..661b8bf40 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2000,7 +2000,7 @@ fill_default_options(Options * options)
2000 if (options->forward_x11 == -1) 2000 if (options->forward_x11 == -1)
2001 options->forward_x11 = 0; 2001 options->forward_x11 = 0;
2002 if (options->forward_x11_trusted == -1) 2002 if (options->forward_x11_trusted == -1)
2003 options->forward_x11_trusted = 0; 2003 options->forward_x11_trusted = 1;
2004 if (options->forward_x11_timeout == -1) 2004 if (options->forward_x11_timeout == -1)
2005 options->forward_x11_timeout = 1200; 2005 options->forward_x11_timeout = 1200;
2006 /* 2006 /*
diff --git a/ssh.1 b/ssh.1
index ad1ed0f86..1bcc8edab 100644
--- a/ssh.1
+++ b/ssh.1
@@ -782,6 +782,16 @@ directive in
782.Xr ssh_config 5 782.Xr ssh_config 5
783for more information. 783for more information.
784.Pp 784.Pp
785(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
786restrictions by default, because too many programs currently crash in this
787mode.
788Set the
789.Cm ForwardX11Trusted
790option to
791.Dq no
792to restore the upstream behaviour.
793This may change in future depending on client-side improvements.)
794.Pp
785.It Fl x 795.It Fl x
786Disables X11 forwarding. 796Disables X11 forwarding.
787.Pp 797.Pp
@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
790Trusted X11 forwardings are not subjected to the X11 SECURITY extension 800Trusted X11 forwardings are not subjected to the X11 SECURITY extension
791controls. 801controls.
792.Pp 802.Pp
803(Debian-specific: This option does nothing in the default configuration: it
804is equivalent to
805.Dq Cm ForwardX11Trusted No yes ,
806which is the default as described above.
807Set the
808.Cm ForwardX11Trusted
809option to
810.Dq no
811to restore the upstream behaviour.
812This may change in future depending on client-side improvements.)
813.Pp
793.It Fl y 814.It Fl y
794Send log information using the 815Send log information using the
795.Xr syslog 3 816.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index bcb9f153d..1b676fb2c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# PasswordAuthentication yes 24# PasswordAuthentication yes
24# HostbasedAuthentication no 25# HostbasedAuthentication no
25# GSSAPIAuthentication no 26# GSSAPIAuthentication no
@@ -46,3 +47,6 @@
46# VisualHostKey no 47# VisualHostKey no
47# ProxyCommand ssh -q -W %h:%p gateway.example.com 48# ProxyCommand ssh -q -W %h:%p gateway.example.com
48# RekeyLimit 1G 1h 49# RekeyLimit 1G 1h
50 SendEnv LANG LC_*
51 HashKnownHosts yes
52 GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index a91355726..1a8e24bd1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 71host-specific declarations should be given near the beginning of the
72file, and general defaults at the end. 72file, and general defaults at the end.
73.Pp 73.Pp
74Note that the Debian
75.Ic openssh-client
76package sets several options as standard in
77.Pa /etc/ssh/ssh_config
78which are not the default in
79.Xr ssh 1 :
80.Pp
81.Bl -bullet -offset indent -compact
82.It
83.Cm SendEnv No LANG LC_*
84.It
85.Cm HashKnownHosts No yes
86.It
87.Cm GSSAPIAuthentication No yes
88.El
89.Pp
74The file contains keyword-argument pairs, one per line. 90The file contains keyword-argument pairs, one per line.
75Lines starting with 91Lines starting with
76.Ql # 92.Ql #
@@ -699,11 +715,12 @@ elapsed.
699.It Cm ForwardX11Trusted 715.It Cm ForwardX11Trusted
700If this option is set to 716If this option is set to
701.Cm yes , 717.Cm yes ,
718(the Debian-specific default),
702remote X11 clients will have full access to the original X11 display. 719remote X11 clients will have full access to the original X11 display.
703.Pp 720.Pp
704If this option is set to 721If this option is set to
705.Cm no 722.Cm no
706(the default), 723(the upstream default),
707remote X11 clients will be considered untrusted and prevented 724remote X11 clients will be considered untrusted and prevented
708from stealing or tampering with data belonging to trusted X11 725from stealing or tampering with data belonging to trusted X11
709clients. 726clients.
diff --git a/sshd_config b/sshd_config
index 2c48105f8..ed8272f6d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
57#PasswordAuthentication yes 57#PasswordAuthentication yes
58#PermitEmptyPasswords no 58#PermitEmptyPasswords no
59 59
60# Change to no to disable s/key passwords 60# Change to yes to enable challenge-response passwords (beware issues with
61#ChallengeResponseAuthentication yes 61# some PAM modules and threads)
62ChallengeResponseAuthentication no
62 63
63# Kerberos options 64# Kerberos options
64#KerberosAuthentication no 65#KerberosAuthentication no
@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys
81# If you just want the PAM account and session checks to run without 82# If you just want the PAM account and session checks to run without
82# PAM authentication, then enable this but set PasswordAuthentication 83# PAM authentication, then enable this but set PasswordAuthentication
83# and ChallengeResponseAuthentication to 'no'. 84# and ChallengeResponseAuthentication to 'no'.
84#UsePAM no 85UsePAM yes
85 86
86#AllowAgentForwarding yes 87#AllowAgentForwarding yes
87#AllowTcpForwarding yes 88#AllowTcpForwarding yes
88#GatewayPorts no 89#GatewayPorts no
89#X11Forwarding no 90X11Forwarding yes
90#X11DisplayOffset 10 91#X11DisplayOffset 10
91#X11UseLocalhost yes 92#X11UseLocalhost yes
92#PermitTTY yes 93#PermitTTY yes
93#PrintMotd yes 94PrintMotd no
94#PrintLastLog yes 95#PrintLastLog yes
95#TCPKeepAlive yes 96#TCPKeepAlive yes
96#PermitUserEnvironment no 97#PermitUserEnvironment no
@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
107# no default banner path 108# no default banner path
108#Banner none 109#Banner none
109 110
111# Allow client to pass locale environment variables
112AcceptEnv LANG LC_*
113
110# override default of no subsystems 114# override default of no subsystems
111Subsystem sftp /usr/libexec/sftp-server 115Subsystem sftp /usr/lib/openssh/sftp-server
112 116
113# Example of overriding settings on a per-user basis 117# Example of overriding settings on a per-user basis
114#Match User anoncvs 118#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 23f71fd1d..ba50a30f1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
56.Pq \&" 56.Pq \&"
57in order to represent arguments containing spaces. 57in order to represent arguments containing spaces.
58.Pp 58.Pp
59Note that the Debian
60.Ic openssh-server
61package sets several options as standard in
62.Pa /etc/ssh/sshd_config
63which are not the default in
64.Xr sshd 8 :
65.Pp
66.Bl -bullet -offset indent -compact
67.It
68.Cm ChallengeResponseAuthentication No no
69.It
70.Cm X11Forwarding No yes
71.It
72.Cm PrintMotd No no
73.It
74.Cm AcceptEnv No LANG LC_*
75.It
76.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
77.It
78.Cm UsePAM No yes
79.El
80.Pp
59The possible 81The possible
60keywords and their meanings are as follows (note that 82keywords and their meanings are as follows (note that
61keywords are case-insensitive and arguments are case-sensitive): 83keywords are case-insensitive and arguments are case-sensitive):