diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-09-08 14:50:02 +0100 |
commit | c2ef7b500926be2f7d875d63ec72781b50d69294 (patch) | |
tree | 37e3de57ac5cbe2e547837a1dd4f3acec7afaed5 | |
parent | ef16932c23264c749f4b02af34dbd62a2075c04f (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2015-08-19
Patch-Name: debian-config.patch
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | ssh.1 | 21 | ||||
-rw-r--r-- | ssh_config | 7 | ||||
-rw-r--r-- | ssh_config.5 | 19 | ||||
-rw-r--r-- | sshd_config | 3 | ||||
-rw-r--r-- | sshd_config.5 | 25 |
6 files changed, 73 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c index 5f6c37fe4..f0769b574 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1748,7 +1748,7 @@ fill_default_options(Options * options) | |||
1748 | if (options->forward_x11 == -1) | 1748 | if (options->forward_x11 == -1) |
1749 | options->forward_x11 = 0; | 1749 | options->forward_x11 = 0; |
1750 | if (options->forward_x11_trusted == -1) | 1750 | if (options->forward_x11_trusted == -1) |
1751 | options->forward_x11_trusted = 0; | 1751 | options->forward_x11_trusted = 1; |
1752 | if (options->forward_x11_timeout == -1) | 1752 | if (options->forward_x11_timeout == -1) |
1753 | options->forward_x11_timeout = 1200; | 1753 | options->forward_x11_timeout = 1200; |
1754 | if (options->exit_on_forward_failure == -1) | 1754 | if (options->exit_on_forward_failure == -1) |
@@ -670,12 +670,33 @@ option and the | |||
670 | directive in | 670 | directive in |
671 | .Xr ssh_config 5 | 671 | .Xr ssh_config 5 |
672 | for more information. | 672 | for more information. |
673 | .Pp | ||
674 | (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | ||
675 | restrictions by default, because too many programs currently crash in this | ||
676 | mode. | ||
677 | Set the | ||
678 | .Cm ForwardX11Trusted | ||
679 | option to | ||
680 | .Dq no | ||
681 | to restore the upstream behaviour. | ||
682 | This may change in future depending on client-side improvements.) | ||
673 | .It Fl x | 683 | .It Fl x |
674 | Disables X11 forwarding. | 684 | Disables X11 forwarding. |
675 | .It Fl Y | 685 | .It Fl Y |
676 | Enables trusted X11 forwarding. | 686 | Enables trusted X11 forwarding. |
677 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 687 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
678 | controls. | 688 | controls. |
689 | .Pp | ||
690 | (Debian-specific: This option does nothing in the default configuration: it | ||
691 | is equivalent to | ||
692 | .Dq Cm ForwardX11Trusted No yes , | ||
693 | which is the default as described above. | ||
694 | Set the | ||
695 | .Cm ForwardX11Trusted | ||
696 | option to | ||
697 | .Dq no | ||
698 | to restore the upstream behaviour. | ||
699 | This may change in future depending on client-side improvements.) | ||
679 | .It Fl y | 700 | .It Fl y |
680 | Send log information using the | 701 | Send log information using the |
681 | .Xr syslog 3 | 702 | .Xr syslog 3 |
diff --git a/ssh_config b/ssh_config index 228e5abce..c9386aadd 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -17,9 +17,10 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | # Host * | 20 | Host * |
21 | # ForwardAgent no | 21 | # ForwardAgent no |
22 | # ForwardX11 no | 22 | # ForwardX11 no |
23 | # ForwardX11Trusted yes | ||
23 | # RhostsRSAAuthentication no | 24 | # RhostsRSAAuthentication no |
24 | # RSAAuthentication yes | 25 | # RSAAuthentication yes |
25 | # PasswordAuthentication yes | 26 | # PasswordAuthentication yes |
@@ -48,3 +49,7 @@ | |||
48 | # VisualHostKey no | 49 | # VisualHostKey no |
49 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 50 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
50 | # RekeyLimit 1G 1h | 51 | # RekeyLimit 1G 1h |
52 | SendEnv LANG LC_* | ||
53 | HashKnownHosts yes | ||
54 | GSSAPIAuthentication yes | ||
55 | GSSAPIDelegateCredentials no | ||
diff --git a/ssh_config.5 b/ssh_config.5 index acd581bf5..844d1a0f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more | |||
74 | host-specific declarations should be given near the beginning of the | 74 | host-specific declarations should be given near the beginning of the |
75 | file, and general defaults at the end. | 75 | file, and general defaults at the end. |
76 | .Pp | 76 | .Pp |
77 | Note that the Debian | ||
78 | .Ic openssh-client | ||
79 | package sets several options as standard in | ||
80 | .Pa /etc/ssh/ssh_config | ||
81 | which are not the default in | ||
82 | .Xr ssh 1 : | ||
83 | .Pp | ||
84 | .Bl -bullet -offset indent -compact | ||
85 | .It | ||
86 | .Cm SendEnv No LANG LC_* | ||
87 | .It | ||
88 | .Cm HashKnownHosts No yes | ||
89 | .It | ||
90 | .Cm GSSAPIAuthentication No yes | ||
91 | .El | ||
92 | .Pp | ||
77 | The configuration file has the following format: | 93 | The configuration file has the following format: |
78 | .Pp | 94 | .Pp |
79 | Empty lines and lines starting with | 95 | Empty lines and lines starting with |
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes. | |||
716 | Remote clients will be refused access after this time. | 732 | Remote clients will be refused access after this time. |
717 | .Pp | 733 | .Pp |
718 | The default is | 734 | The default is |
719 | .Dq no . | 735 | .Dq yes |
736 | (Debian-specific). | ||
720 | .Pp | 737 | .Pp |
721 | See the X11 SECURITY extension specification for full details on | 738 | See the X11 SECURITY extension specification for full details on |
722 | the restrictions imposed on untrusted clients. | 739 | the restrictions imposed on untrusted clients. |
diff --git a/sshd_config b/sshd_config index 1dfd0f156..23a338fa3 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -41,7 +41,8 @@ | |||
41 | # Authentication: | 41 | # Authentication: |
42 | 42 | ||
43 | #LoginGraceTime 2m | 43 | #LoginGraceTime 2m |
44 | #PermitRootLogin no | 44 | # See /usr/share/doc/openssh-server/README.Debian.gz. |
45 | #PermitRootLogin without-password | ||
45 | #StrictModes yes | 46 | #StrictModes yes |
46 | #MaxAuthTries 6 | 47 | #MaxAuthTries 6 |
47 | #MaxSessions 10 | 48 | #MaxSessions 10 |
diff --git a/sshd_config.5 b/sshd_config.5 index 355b44544..eb6bff85f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | |||
57 | .Pq \&" | 57 | .Pq \&" |
58 | in order to represent arguments containing spaces. | 58 | in order to represent arguments containing spaces. |
59 | .Pp | 59 | .Pp |
60 | Note that the Debian | ||
61 | .Ic openssh-server | ||
62 | package sets several options as standard in | ||
63 | .Pa /etc/ssh/sshd_config | ||
64 | which are not the default in | ||
65 | .Xr sshd 8 . | ||
66 | The exact list depends on whether the package was installed fresh or | ||
67 | upgraded from various possible previous versions, but includes at least the | ||
68 | following: | ||
69 | .Pp | ||
70 | .Bl -bullet -offset indent -compact | ||
71 | .It | ||
72 | .Cm ChallengeResponseAuthentication No no | ||
73 | .It | ||
74 | .Cm X11Forwarding No yes | ||
75 | .It | ||
76 | .Cm PrintMotd No no | ||
77 | .It | ||
78 | .Cm AcceptEnv No LANG LC_* | ||
79 | .It | ||
80 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
81 | .It | ||
82 | .Cm UsePAM No yes | ||
83 | .El | ||
84 | .Pp | ||
60 | The possible | 85 | The possible |
61 | keywords and their meanings are as follows (note that | 86 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 87 | keywords are case-insensitive and arguments are case-sensitive): |