diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-10-04 13:54:48 +0100 |
commit | 4847e512c0b94c615b838904a5f139a761bee284 (patch) | |
tree | f4784e39f9700a109ce869711b69ecfaa81d6f09 | |
parent | ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | ssh.1 | 21 | ||||
-rw-r--r-- | ssh_config | 6 | ||||
-rw-r--r-- | ssh_config.5 | 19 | ||||
-rw-r--r-- | sshd_config | 16 | ||||
-rw-r--r-- | sshd_config.5 | 22 |
6 files changed, 77 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c index be3d58737..41f36aa8d 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1940,7 +1940,7 @@ fill_default_options(Options * options) | |||
1940 | if (options->forward_x11 == -1) | 1940 | if (options->forward_x11 == -1) |
1941 | options->forward_x11 = 0; | 1941 | options->forward_x11 = 0; |
1942 | if (options->forward_x11_trusted == -1) | 1942 | if (options->forward_x11_trusted == -1) |
1943 | options->forward_x11_trusted = 0; | 1943 | options->forward_x11_trusted = 1; |
1944 | if (options->forward_x11_timeout == -1) | 1944 | if (options->forward_x11_timeout == -1) |
1945 | options->forward_x11_timeout = 1200; | 1945 | options->forward_x11_timeout = 1200; |
1946 | /* | 1946 | /* |
@@ -764,6 +764,16 @@ directive in | |||
764 | .Xr ssh_config 5 | 764 | .Xr ssh_config 5 |
765 | for more information. | 765 | for more information. |
766 | .Pp | 766 | .Pp |
767 | (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | ||
768 | restrictions by default, because too many programs currently crash in this | ||
769 | mode. | ||
770 | Set the | ||
771 | .Cm ForwardX11Trusted | ||
772 | option to | ||
773 | .Dq no | ||
774 | to restore the upstream behaviour. | ||
775 | This may change in future depending on client-side improvements.) | ||
776 | .Pp | ||
767 | .It Fl x | 777 | .It Fl x |
768 | Disables X11 forwarding. | 778 | Disables X11 forwarding. |
769 | .Pp | 779 | .Pp |
@@ -772,6 +782,17 @@ Enables trusted X11 forwarding. | |||
772 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 782 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
773 | controls. | 783 | controls. |
774 | .Pp | 784 | .Pp |
785 | (Debian-specific: This option does nothing in the default configuration: it | ||
786 | is equivalent to | ||
787 | .Dq Cm ForwardX11Trusted No yes , | ||
788 | which is the default as described above. | ||
789 | Set the | ||
790 | .Cm ForwardX11Trusted | ||
791 | option to | ||
792 | .Dq no | ||
793 | to restore the upstream behaviour. | ||
794 | This may change in future depending on client-side improvements.) | ||
795 | .Pp | ||
775 | .It Fl y | 796 | .It Fl y |
776 | Send log information using the | 797 | Send log information using the |
777 | .Xr syslog 3 | 798 | .Xr syslog 3 |
diff --git a/ssh_config b/ssh_config index bcb9f153d..1b676fb2c 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -17,9 +17,10 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | # Host * | 20 | Host * |
21 | # ForwardAgent no | 21 | # ForwardAgent no |
22 | # ForwardX11 no | 22 | # ForwardX11 no |
23 | # ForwardX11Trusted yes | ||
23 | # PasswordAuthentication yes | 24 | # PasswordAuthentication yes |
24 | # HostbasedAuthentication no | 25 | # HostbasedAuthentication no |
25 | # GSSAPIAuthentication no | 26 | # GSSAPIAuthentication no |
@@ -46,3 +47,6 @@ | |||
46 | # VisualHostKey no | 47 | # VisualHostKey no |
47 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 48 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
48 | # RekeyLimit 1G 1h | 49 | # RekeyLimit 1G 1h |
50 | SendEnv LANG LC_* | ||
51 | HashKnownHosts yes | ||
52 | GSSAPIAuthentication yes | ||
diff --git a/ssh_config.5 b/ssh_config.5 index 1edfe761c..2da7029af 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | |||
71 | host-specific declarations should be given near the beginning of the | 71 | host-specific declarations should be given near the beginning of the |
72 | file, and general defaults at the end. | 72 | file, and general defaults at the end. |
73 | .Pp | 73 | .Pp |
74 | Note that the Debian | ||
75 | .Ic openssh-client | ||
76 | package sets several options as standard in | ||
77 | .Pa /etc/ssh/ssh_config | ||
78 | which are not the default in | ||
79 | .Xr ssh 1 : | ||
80 | .Pp | ||
81 | .Bl -bullet -offset indent -compact | ||
82 | .It | ||
83 | .Cm SendEnv No LANG LC_* | ||
84 | .It | ||
85 | .Cm HashKnownHosts No yes | ||
86 | .It | ||
87 | .Cm GSSAPIAuthentication No yes | ||
88 | .El | ||
89 | .Pp | ||
74 | The file contains keyword-argument pairs, one per line. | 90 | The file contains keyword-argument pairs, one per line. |
75 | Lines starting with | 91 | Lines starting with |
76 | .Ql # | 92 | .Ql # |
@@ -683,11 +699,12 @@ elapsed. | |||
683 | .It Cm ForwardX11Trusted | 699 | .It Cm ForwardX11Trusted |
684 | If this option is set to | 700 | If this option is set to |
685 | .Cm yes , | 701 | .Cm yes , |
702 | (the Debian-specific default), | ||
686 | remote X11 clients will have full access to the original X11 display. | 703 | remote X11 clients will have full access to the original X11 display. |
687 | .Pp | 704 | .Pp |
688 | If this option is set to | 705 | If this option is set to |
689 | .Cm no | 706 | .Cm no |
690 | (the default), | 707 | (the upstream default), |
691 | remote X11 clients will be considered untrusted and prevented | 708 | remote X11 clients will be considered untrusted and prevented |
692 | from stealing or tampering with data belonging to trusted X11 | 709 | from stealing or tampering with data belonging to trusted X11 |
693 | clients. | 710 | clients. |
diff --git a/sshd_config b/sshd_config index c01dd6561..f68edf367 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
58 | #PasswordAuthentication yes | 58 | #PasswordAuthentication yes |
59 | #PermitEmptyPasswords no | 59 | #PermitEmptyPasswords no |
60 | 60 | ||
61 | # Change to no to disable s/key passwords | 61 | # Change to yes to enable challenge-response passwords (beware issues with |
62 | #ChallengeResponseAuthentication yes | 62 | # some PAM modules and threads) |
63 | ChallengeResponseAuthentication no | ||
63 | 64 | ||
64 | # Kerberos options | 65 | # Kerberos options |
65 | #KerberosAuthentication no | 66 | #KerberosAuthentication no |
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
82 | # If you just want the PAM account and session checks to run without | 83 | # If you just want the PAM account and session checks to run without |
83 | # PAM authentication, then enable this but set PasswordAuthentication | 84 | # PAM authentication, then enable this but set PasswordAuthentication |
84 | # and ChallengeResponseAuthentication to 'no'. | 85 | # and ChallengeResponseAuthentication to 'no'. |
85 | #UsePAM no | 86 | UsePAM yes |
86 | 87 | ||
87 | #AllowAgentForwarding yes | 88 | #AllowAgentForwarding yes |
88 | #AllowTcpForwarding yes | 89 | #AllowTcpForwarding yes |
89 | #GatewayPorts no | 90 | #GatewayPorts no |
90 | #X11Forwarding no | 91 | X11Forwarding yes |
91 | #X11DisplayOffset 10 | 92 | #X11DisplayOffset 10 |
92 | #X11UseLocalhost yes | 93 | #X11UseLocalhost yes |
93 | #PermitTTY yes | 94 | #PermitTTY yes |
94 | #PrintMotd yes | 95 | PrintMotd no |
95 | #PrintLastLog yes | 96 | #PrintLastLog yes |
96 | #TCPKeepAlive yes | 97 | #TCPKeepAlive yes |
97 | #UseLogin no | 98 | #UseLogin no |
@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
109 | # no default banner path | 110 | # no default banner path |
110 | #Banner none | 111 | #Banner none |
111 | 112 | ||
113 | # Allow client to pass locale environment variables | ||
114 | AcceptEnv LANG LC_* | ||
115 | |||
112 | # override default of no subsystems | 116 | # override default of no subsystems |
113 | Subsystem sftp /usr/libexec/sftp-server | 117 | Subsystem sftp /usr/lib/openssh/sftp-server |
114 | 118 | ||
115 | # Example of overriding settings on a per-user basis | 119 | # Example of overriding settings on a per-user basis |
116 | #Match User anoncvs | 120 | #Match User anoncvs |
diff --git a/sshd_config.5 b/sshd_config.5 index 79676a955..16be4f628 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -55,6 +55,28 @@ Arguments may optionally be enclosed in double quotes | |||
55 | .Pq \&" | 55 | .Pq \&" |
56 | in order to represent arguments containing spaces. | 56 | in order to represent arguments containing spaces. |
57 | .Pp | 57 | .Pp |
58 | Note that the Debian | ||
59 | .Ic openssh-server | ||
60 | package sets several options as standard in | ||
61 | .Pa /etc/ssh/sshd_config | ||
62 | which are not the default in | ||
63 | .Xr sshd 8 : | ||
64 | .Pp | ||
65 | .Bl -bullet -offset indent -compact | ||
66 | .It | ||
67 | .Cm ChallengeResponseAuthentication No no | ||
68 | .It | ||
69 | .Cm X11Forwarding No yes | ||
70 | .It | ||
71 | .Cm PrintMotd No no | ||
72 | .It | ||
73 | .Cm AcceptEnv No LANG LC_* | ||
74 | .It | ||
75 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
76 | .It | ||
77 | .Cm UsePAM No yes | ||
78 | .El | ||
79 | .Pp | ||
58 | The possible | 80 | The possible |
59 | keywords and their meanings are as follows (note that | 81 | keywords and their meanings are as follows (note that |
60 | keywords are case-insensitive and arguments are case-sensitive): | 82 | keywords are case-insensitive and arguments are case-sensitive): |