Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-12-07 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-08-07 12:18:44 +0100
commit: 4c914ccd85bbf391c4dc61b85e3c178fef465e3f (patch)
tree: 1fe9b624bbfd09f31552db2715334955be2e5327
parent: fe97848e044743f0bac019a491ddf0138f84e14a (diff)
6 files changed, 72 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c
index f6b4c8f1e..5cd51f3e6 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1928,7 +1928,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
-                options->forward_x11_trusted = 0;
+                options->forward_x11_trusted = 1;
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        /*
diff --git a/ssh.1 b/ssh.1
index 22e56a7b9..6aa57c462 100644
--- a/ssh.1
+++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 4e879cd20..5190b06b1 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -50,3 +51,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index 30c97a9b9..c96725862 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 3fe3e017e..ec8ff8f19 100644
--- a/sshd_config
+++ b/sshd_config
@@ -124,7 +124,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #Banner none
 # override default of no subsystems
-Subsystem       sftp    /usr/libexec/sftp-server
+Subsystem       sftp    /usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index b2b349e1b..79f2d611f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-08-07 12:18:44 +0100
commit	4c914ccd85bbf391c4dc61b85e3c178fef465e3f (patch)
tree	1fe9b624bbfd09f31552db2715334955be2e5327
parent	fe97848e044743f0bac019a491ddf0138f84e14a (diff)

diff --git a/readconf.c b/readconf.c index f6b4c8f1e..5cd51f3e6 100644 --- a/readconf.c +++ b/readconf.c
@@ -1928,7 +1928,7 @@ fill_default_options(Options * options)
1928	if (options->forward_x11 == -1)	1928	if (options->forward_x11 == -1)
1929	options->forward_x11 = 0;	1929	options->forward_x11 = 0;
1930	if (options->forward_x11_trusted == -1)	1930	if (options->forward_x11_trusted == -1)
1931	options->forward_x11_trusted = 0;	1931	options->forward_x11_trusted = 1;
1932	if (options->forward_x11_timeout == -1)	1932	if (options->forward_x11_timeout == -1)
1933	options->forward_x11_timeout = 1200;	1933	options->forward_x11_timeout = 1200;
1934	/*	1934	/*


diff --git a/ssh.1 b/ssh.1 index 22e56a7b9..6aa57c462 100644 --- a/ssh.1 +++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
785	.Xr ssh_config 5	785	.Xr ssh_config 5
786	for more information.	786	for more information.
787	.Pp	787	.Pp
		788	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		789	restrictions by default, because too many programs currently crash in this
		790	mode.
		791	Set the
		792	.Cm ForwardX11Trusted
		793	option to
		794	.Dq no
		795	to restore the upstream behaviour.
		796	This may change in future depending on client-side improvements.)
		797	.Pp
788	.It Fl x	798	.It Fl x
789	Disables X11 forwarding.	799	Disables X11 forwarding.
790	.Pp	800	.Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
793	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	803	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
794	controls.	804	controls.
795	.Pp	805	.Pp
		806	(Debian-specific: This option does nothing in the default configuration: it
		807	is equivalent to
		808	.Dq Cm ForwardX11Trusted No yes ,
		809	which is the default as described above.
		810	Set the
		811	.Cm ForwardX11Trusted
		812	option to
		813	.Dq no
		814	to restore the upstream behaviour.
		815	This may change in future depending on client-side improvements.)
		816	.Pp
796	.It Fl y	817	.It Fl y
797	Send log information using the	818	Send log information using the
798	.Xr syslog 3	819	.Xr syslog 3


diff --git a/ssh_config b/ssh_config index 4e879cd20..5190b06b1 100644 --- a/ssh_config +++ b/ssh_config
@@ -17,9 +17,10 @@
17	# list of available options, their meanings and defaults, please see the	17	# list of available options, their meanings and defaults, please see the
18	# ssh_config(5) man page.	18	# ssh_config(5) man page.
19		19
20	# Host *	20	Host *
21	# ForwardAgent no	21	# ForwardAgent no
22	# ForwardX11 no	22	# ForwardX11 no
		23	# ForwardX11Trusted yes
23	# RhostsRSAAuthentication no	24	# RhostsRSAAuthentication no
24	# RSAAuthentication yes	25	# RSAAuthentication yes
25	# PasswordAuthentication yes	26	# PasswordAuthentication yes
@@ -50,3 +51,7 @@
50	# VisualHostKey no	51	# VisualHostKey no
51	# ProxyCommand ssh -q -W %h:%p gateway.example.com	52	# ProxyCommand ssh -q -W %h:%p gateway.example.com
52	# RekeyLimit 1G 1h	53	# RekeyLimit 1G 1h
		54	SendEnv LANG LC_*
		55	HashKnownHosts yes
		56	GSSAPIAuthentication yes
		57	GSSAPIDelegateCredentials no


diff --git a/ssh_config.5 b/ssh_config.5 index 30c97a9b9..c96725862 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
75	file, and general defaults at the end.	75	file, and general defaults at the end.
76	.Pp	76	.Pp
		77	Note that the Debian
		78	.Ic openssh-client
		79	package sets several options as standard in
		80	.Pa /etc/ssh/ssh_config
		81	which are not the default in
		82	.Xr ssh 1 :
		83	.Pp
		84	.Bl -bullet -offset indent -compact
		85	.It
		86	.Cm SendEnv No LANG LC_*
		87	.It
		88	.Cm HashKnownHosts No yes
		89	.It
		90	.Cm GSSAPIAuthentication No yes
		91	.El
		92	.Pp
77	The configuration file has the following format:	93	The configuration file has the following format:
78	.Pp	94	.Pp
79	Empty lines and lines starting with	95	Empty lines and lines starting with
@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes.
799	Remote clients will be refused access after this time.	815	Remote clients will be refused access after this time.
800	.Pp	816	.Pp
801	The default is	817	The default is
802	.Dq no .	818	.Dq yes
		819	(Debian-specific).
803	.Pp	820	.Pp
804	See the X11 SECURITY extension specification for full details on	821	See the X11 SECURITY extension specification for full details on
805	the restrictions imposed on untrusted clients.	822	the restrictions imposed on untrusted clients.


diff --git a/sshd_config b/sshd_config index 3fe3e017e..ec8ff8f19 100644 --- a/sshd_config +++ b/sshd_config
@@ -124,7 +124,7 @@ AuthorizedKeysFile .ssh/authorized_keys
124	#Banner none	124	#Banner none
125		125
126	# override default of no subsystems	126	# override default of no subsystems
127	Subsystem sftp /usr/libexec/sftp-server	127	Subsystem sftp /usr/lib/openssh/sftp-server
128		128
129	# Example of overriding settings on a per-user basis	129	# Example of overriding settings on a per-user basis
130	#Match User anoncvs	130	#Match User anoncvs


diff --git a/sshd_config.5 b/sshd_config.5 index b2b349e1b..79f2d611f 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm ChallengeResponseAuthentication No no
		73	.It
		74	.Cm X11Forwarding No yes
		75	.It
		76	.Cm PrintMotd No no
		77	.It
		78	.Cm AcceptEnv No LANG LC_*
		79	.It
		80	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		81	.It
		82	.Cm UsePAM No yes
		83	.El
		84	.Pp
60	The possible	85	The possible
61	keywords and their meanings are as follows (note that	86	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	87	keywords are case-insensitive and arguments are case-sensitive):