Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 23:43:42 +0000
commit: b65a0ded7a8cfe7d351e28266d7851216d679e05 (patch)
tree: 337e4b3eae48c6187e376d5fe1e926f91cddce76
parent: 727d51f30918f6635f06694f71f4318a6038296d (diff)
5 files changed, 53 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index c74193424..e1e82c5ad 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1292,7 +1292,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
-                options->forward_x11_trusted = 0;
+                options->forward_x11_trusted = 1;
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
diff --git a/ssh_config b/ssh_config
index 32343213f..064b59359 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -48,3 +49,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index 7b05e5fb4..01e7b6f23 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 945014124..9cfe28d03 100644
--- a/sshd_config
+++ b/sshd_config
@@ -40,6 +40,7 @@
 # Authentication:
 #LoginGraceTime 2m
+# See /usr/share/doc/openssh-server/README.Debian.gz.
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
diff --git a/sshd_config.5 b/sshd_config.5
index 04b5f1ae8..ca4cb193a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 23:43:42 +0000
commit	b65a0ded7a8cfe7d351e28266d7851216d679e05 (patch)
tree	337e4b3eae48c6187e376d5fe1e926f91cddce76
parent	727d51f30918f6635f06694f71f4318a6038296d (diff)

diff --git a/readconf.c b/readconf.c index c74193424..e1e82c5ad 100644 --- a/readconf.c +++ b/readconf.c
@@ -1292,7 +1292,7 @@ fill_default_options(Options * options)
1292	if (options->forward_x11 == -1)	1292	if (options->forward_x11 == -1)
1293	options->forward_x11 = 0;	1293	options->forward_x11 = 0;
1294	if (options->forward_x11_trusted == -1)	1294	if (options->forward_x11_trusted == -1)
1295	options->forward_x11_trusted = 0;	1295	options->forward_x11_trusted = 1;
1296	if (options->forward_x11_timeout == -1)	1296	if (options->forward_x11_timeout == -1)
1297	options->forward_x11_timeout = 1200;	1297	options->forward_x11_timeout = 1200;
1298	if (options->exit_on_forward_failure == -1)	1298	if (options->exit_on_forward_failure == -1)


diff --git a/ssh_config b/ssh_config index 32343213f..064b59359 100644 --- a/ssh_config +++ b/ssh_config
@@ -17,9 +17,10 @@
17	# list of available options, their meanings and defaults, please see the	17	# list of available options, their meanings and defaults, please see the
18	# ssh_config(5) man page.	18	# ssh_config(5) man page.
19		19
20	# Host *	20	Host *
21	# ForwardAgent no	21	# ForwardAgent no
22	# ForwardX11 no	22	# ForwardX11 no
		23	# ForwardX11Trusted yes
23	# RhostsRSAAuthentication no	24	# RhostsRSAAuthentication no
24	# RSAAuthentication yes	25	# RSAAuthentication yes
25	# PasswordAuthentication yes	26	# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48	# VisualHostKey no	49	# VisualHostKey no
49	# ProxyCommand ssh -q -W %h:%p gateway.example.com	50	# ProxyCommand ssh -q -W %h:%p gateway.example.com
50	# RekeyLimit 1G 1h	51	# RekeyLimit 1G 1h
		52	SendEnv LANG LC_*
		53	HashKnownHosts yes
		54	GSSAPIAuthentication yes
		55	GSSAPIDelegateCredentials no


diff --git a/ssh_config.5 b/ssh_config.5 index 7b05e5fb4..01e7b6f23 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	71	host-specific declarations should be given near the beginning of the
72	file, and general defaults at the end.	72	file, and general defaults at the end.
73	.Pp	73	.Pp
		74	Note that the Debian
		75	.Ic openssh-client
		76	package sets several options as standard in
		77	.Pa /etc/ssh/ssh_config
		78	which are not the default in
		79	.Xr ssh 1 :
		80	.Pp
		81	.Bl -bullet -offset indent -compact
		82	.It
		83	.Cm SendEnv No LANG LC_*
		84	.It
		85	.Cm HashKnownHosts No yes
		86	.It
		87	.Cm GSSAPIAuthentication No yes
		88	.El
		89	.Pp
74	The configuration file has the following format:	90	The configuration file has the following format:
75	.Pp	91	.Pp
76	Empty lines and lines starting with	92	Empty lines and lines starting with
@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
501	Remote clients will be refused access after this time.	517	Remote clients will be refused access after this time.
502	.Pp	518	.Pp
503	The default is	519	The default is
504	.Dq no .	520	.Dq yes
		521	(Debian-specific).
505	.Pp	522	.Pp
506	See the X11 SECURITY extension specification for full details on	523	See the X11 SECURITY extension specification for full details on
507	the restrictions imposed on untrusted clients.	524	the restrictions imposed on untrusted clients.


diff --git a/sshd_config b/sshd_config index 945014124..9cfe28d03 100644 --- a/sshd_config +++ b/sshd_config
@@ -40,6 +40,7 @@
40	# Authentication:	40	# Authentication:
41		41
42	#LoginGraceTime 2m	42	#LoginGraceTime 2m
		43	# See /usr/share/doc/openssh-server/README.Debian.gz.
43	#PermitRootLogin yes	44	#PermitRootLogin yes
44	#StrictModes yes	45	#StrictModes yes
45	#MaxAuthTries 6	46	#MaxAuthTries 6


diff --git a/sshd_config.5 b/sshd_config.5 index 04b5f1ae8..ca4cb193a 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm Protocol No 2
		73	.It
		74	.Cm ChallengeResponseAuthentication No no
		75	.It
		76	.Cm X11Forwarding No yes
		77	.It
		78	.Cm PrintMotd No no
		79	.It
		80	.Cm AcceptEnv No LANG LC_*
		81	.It
		82	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		83	.It
		84	.Cm UsePAM No yes
		85	.El
		86	.Pp
60	The possible	87	The possible
61	keywords and their meanings are as follows (note that	88	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	89	keywords are case-insensitive and arguments are case-sensitive):