summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:21 +0100
commit762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (patch)
tree3625014bb6bad6ff7bb257eab9b917079f6a1dac
parent689f465c66059e527974c6d4ea8e95f04d5abab7 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2014-02-12 Patch-Name: debian-config.patch
-rw-r--r--readconf.c2
-rw-r--r--ssh_config7
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config1
-rw-r--r--sshd_config.525
5 files changed, 51 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index 0648867e8..29338b619 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1681,7 +1681,7 @@ fill_default_options(Options * options)
1681 if (options->forward_x11 == -1) 1681 if (options->forward_x11 == -1)
1682 options->forward_x11 = 0; 1682 options->forward_x11 = 0;
1683 if (options->forward_x11_trusted == -1) 1683 if (options->forward_x11_trusted == -1)
1684 options->forward_x11_trusted = 0; 1684 options->forward_x11_trusted = 1;
1685 if (options->forward_x11_timeout == -1) 1685 if (options->forward_x11_timeout == -1)
1686 options->forward_x11_timeout = 1200; 1686 options->forward_x11_timeout = 1200;
1687 if (options->exit_on_forward_failure == -1) 1687 if (options->exit_on_forward_failure == -1)
diff --git a/ssh_config b/ssh_config
index 228e5abce..c9386aadd 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48# VisualHostKey no 49# VisualHostKey no
49# ProxyCommand ssh -q -W %h:%p gateway.example.com 50# ProxyCommand ssh -q -W %h:%p gateway.example.com
50# RekeyLimit 1G 1h 51# RekeyLimit 1G 1h
52 SendEnv LANG LC_*
53 HashKnownHosts yes
54 GSSAPIAuthentication yes
55 GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index a1005ba3d..da3c1771a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 71host-specific declarations should be given near the beginning of the
72file, and general defaults at the end. 72file, and general defaults at the end.
73.Pp 73.Pp
74Note that the Debian
75.Ic openssh-client
76package sets several options as standard in
77.Pa /etc/ssh/ssh_config
78which are not the default in
79.Xr ssh 1 :
80.Pp
81.Bl -bullet -offset indent -compact
82.It
83.Cm SendEnv No LANG LC_*
84.It
85.Cm HashKnownHosts No yes
86.It
87.Cm GSSAPIAuthentication No yes
88.El
89.Pp
74The configuration file has the following format: 90The configuration file has the following format:
75.Pp 91.Pp
76Empty lines and lines starting with 92Empty lines and lines starting with
@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes.
673Remote clients will be refused access after this time. 689Remote clients will be refused access after this time.
674.Pp 690.Pp
675The default is 691The default is
676.Dq no . 692.Dq yes
693(Debian-specific).
677.Pp 694.Pp
678See the X11 SECURITY extension specification for full details on 695See the X11 SECURITY extension specification for full details on
679the restrictions imposed on untrusted clients. 696the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index d9b859407..4db32f509 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,6 +41,7 @@
41# Authentication: 41# Authentication:
42 42
43#LoginGraceTime 2m 43#LoginGraceTime 2m
44# See /usr/share/doc/openssh-server/README.Debian.gz.
44#PermitRootLogin yes 45#PermitRootLogin yes
45#StrictModes yes 46#StrictModes yes
46#MaxAuthTries 6 47#MaxAuthTries 6
diff --git a/sshd_config.5 b/sshd_config.5
index 7396b238c..7aa7b4733 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 .
66The exact list depends on whether the package was installed fresh or
67upgraded from various possible previous versions, but includes at least the
68following:
69.Pp
70.Bl -bullet -offset indent -compact
71.It
72.Cm ChallengeResponseAuthentication No no
73.It
74.Cm X11Forwarding No yes
75.It
76.Cm PrintMotd No no
77.It
78.Cm AcceptEnv No LANG LC_*
79.It
80.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
81.It
82.Cm UsePAM No yes
83.El
84.Pp
60The possible 85The possible
61keywords and their meanings are as follows (note that 86keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 87keywords are case-insensitive and arguments are case-sensitive):