| | | |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2016-12-24 19:26:39 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2016-12-26 00:30:30 +0000 |
| commit | de911c73504da8dd7d9bbaddcf0c0845dd6eb9a0 (patch) | |
| tree | c1be675cab068c60f7461a67b396961227c9ae6d /debian/patches/debian-config.patch | |
| parent | 9477f029ee259b25daff503e02e6b011aea82ce3 (diff) | |
| parent | af54c22db774b37a15df5e599d08a83d4bbe5079 (diff) | |
Start handling /etc/ssh/sshd_config using ucf.
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
for this is to deal with deprecations of options related to protocol 1,
but something like this has been needed for a long time (closes:
#419574, #848089):
- sshd_config is now a slightly-patched version of upstream's, and only
contains non-default settings (closes: #147201).
- I've included as many historical md5sums of default versions of
sshd_config as I could reconstruct from version control, but I'm sure
I've missed some.
- Explicitly synchronise the debconf database with the current
configuration file state in openssh-server.config, to ensure that the
PermitRootLogin setting is properly preserved.
- UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
than "yes", per upstream.
Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 71 |
1 files changed, 56 insertions, 15 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 8129c1e58..65175d589 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001 | 1 | From af54c22db774b37a15df5e599d08a83d4bbe5079 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -14,12 +14,20 @@ worms. | |||
14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by | 14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by |
15 | default. | 15 | default. |
16 | 16 | ||
17 | Document all of this, along with several sshd defaults set in | 17 | sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable |
18 | debian/openssh-server.postinst. | 18 | PrintMotd. |
19 | |||
20 | sshd: Enable X11Forwarding. | ||
21 | |||
22 | sshd: Set 'AcceptEnv LANG LC_*' by default. | ||
23 | |||
24 | sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. | ||
25 | |||
26 | Document all of this. | ||
19 | 27 | ||
20 | Author: Russ Allbery <rra@debian.org> | 28 | Author: Russ Allbery <rra@debian.org> |
21 | Forwarded: not-needed | 29 | Forwarded: not-needed |
22 | Last-Update: 2015-12-07 | 30 | Last-Update: 2016-12-24 |
23 | 31 | ||
24 | Patch-Name: debian-config.patch | 32 | Patch-Name: debian-config.patch |
25 | --- | 33 | --- |
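Review bot: the rewritten patch description (new lines 17-26) drops the old reference to debian/openssh-server.postinst without saying where those sshd defaults went; since this commit moves UsePAM, ChallengeResponseAuthentication, PrintMotd, X11Forwarding, AcceptEnv and the sftp subsystem path into the patched sshd_config itself, one sentence such as "These were previously applied by debian/openssh-server.postinst and are now carried in sshd_config directly" would keep the patch header self-explanatory for anyone reading debian-config.patch without the changelog.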
@@ -27,9 +35,9 @@ Patch-Name: debian-config.patch | |||
27 | ssh.1 | 21 +++++++++++++++++++++ | 35 | ssh.1 | 21 +++++++++++++++++++++ |
28 | ssh_config | 7 ++++++- | 36 | ssh_config | 7 ++++++- |
29 | ssh_config.5 | 19 ++++++++++++++++++- | 37 | ssh_config.5 | 19 ++++++++++++++++++- |
30 | sshd_config | 2 +- | 38 | sshd_config | 16 ++++++++++------ |
31 | sshd_config.5 | 25 +++++++++++++++++++++++++ | 39 | sshd_config.5 | 22 ++++++++++++++++++++++ |
32 | 6 files changed, 72 insertions(+), 4 deletions(-) | 40 | 6 files changed, 78 insertions(+), 9 deletions(-) |
33 | 41 | ||
34 | diff --git a/readconf.c b/readconf.c | 42 | diff --git a/readconf.c b/readconf.c |
35 | index c02cdf63..d1091cbd 100644 | 43 | index c02cdf63..d1091cbd 100644 |
@@ -149,12 +157,48 @@ index 40617be4..8dce757e 100644 | |||
149 | from stealing or tampering with data belonging to trusted X11 | 157 | from stealing or tampering with data belonging to trusted X11 |
150 | clients. | 158 | clients. |
151 | diff --git a/sshd_config b/sshd_config | 159 | diff --git a/sshd_config b/sshd_config |
152 | index 00e5a728..c0b84f8e 100644 | 160 | index 00e5a728..13cbe2c6 100644 |
153 | --- a/sshd_config | 161 | --- a/sshd_config |
154 | +++ b/sshd_config | 162 | +++ b/sshd_config |
155 | @@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys | 163 | @@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys |
164 | #PasswordAuthentication yes | ||
165 | #PermitEmptyPasswords no | ||
166 | |||
167 | -# Change to no to disable s/key passwords | ||
168 | -#ChallengeResponseAuthentication yes | ||
169 | +# Change to yes to enable challenge-response passwords (beware issues with | ||
170 | +# some PAM modules and threads) | ||
171 | +ChallengeResponseAuthentication no | ||
172 | |||
173 | # Kerberos options | ||
174 | #KerberosAuthentication no | ||
175 | @@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
176 | # If you just want the PAM account and session checks to run without | ||
177 | # PAM authentication, then enable this but set PasswordAuthentication | ||
178 | # and ChallengeResponseAuthentication to 'no'. | ||
179 | -#UsePAM no | ||
180 | +UsePAM yes | ||
181 | |||
182 | #AllowAgentForwarding yes | ||
183 | #AllowTcpForwarding yes | ||
184 | #GatewayPorts no | ||
185 | -#X11Forwarding no | ||
186 | +X11Forwarding yes | ||
187 | #X11DisplayOffset 10 | ||
188 | #X11UseLocalhost yes | ||
189 | #PermitTTY yes | ||
190 | -#PrintMotd yes | ||
191 | +PrintMotd no | ||
192 | #PrintLastLog yes | ||
193 | #TCPKeepAlive yes | ||
194 | #UseLogin no | ||
195 | @@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
196 | # no default banner path | ||
156 | #Banner none | 197 | #Banner none |
157 | 198 | ||
199 | +# Allow client to pass locale environment variables | ||
200 | +AcceptEnv LANG LC_* | ||
201 | + | ||
158 | # override default of no subsystems | 202 | # override default of no subsystems |
159 | -Subsystem sftp /usr/libexec/sftp-server | 203 | -Subsystem sftp /usr/libexec/sftp-server |
160 | +Subsystem sftp /usr/lib/openssh/sftp-server | 204 | +Subsystem sftp /usr/lib/openssh/sftp-server |
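Review bot: `+X11Forwarding yes` (inner lines 185-186) is the one change in this hunk that widens the surface exposed by every default install, yet unlike the ChallengeResponseAuthentication change it carries no comment explaining the departure from upstream's `#X11Forwarding no`; add a comment line above it stating that this is a Debian default and that it enables X11 forwarding for any authenticated user, and make sure the sshd_config.5 addition later in this patch lists it. A comment next to `+UsePAM yes` / `+ChallengeResponseAuthentication no` would also help: the upstream text kept as context says PAM is limited to account and session checks only when both PasswordAuthentication and ChallengeResponseAuthentication are 'no', and PasswordAuthentication is left at its commented default of yes here, so password logins on Debian still authenticate through PAM.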
@@ -162,10 +206,10 @@ index 00e5a728..c0b84f8e 100644 | |||
162 | # Example of overriding settings on a per-user basis | 206 | # Example of overriding settings on a per-user basis |
163 | #Match User anoncvs | 207 | #Match User anoncvs |
164 | diff --git a/sshd_config.5 b/sshd_config.5 | 208 | diff --git a/sshd_config.5 b/sshd_config.5 |
165 | index e45a8937..d6911a98 100644 | 209 | index e45a8937..703a9cdd 100644 |
166 | --- a/sshd_config.5 | 210 | --- a/sshd_config.5 |
167 | +++ b/sshd_config.5 | 211 | +++ b/sshd_config.5 |
168 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 212 | @@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes |
169 | .Pq \&" | 213 | .Pq \&" |
170 | in order to represent arguments containing spaces. | 214 | in order to represent arguments containing spaces. |
171 | .Pp | 215 | .Pp |
@@ -174,10 +218,7 @@ index e45a8937..d6911a98 100644 | |||
174 | +package sets several options as standard in | 218 | +package sets several options as standard in |
175 | +.Pa /etc/ssh/sshd_config | 219 | +.Pa /etc/ssh/sshd_config |
176 | +which are not the default in | 220 | +which are not the default in |
177 | +.Xr sshd 8 . | 221 | +.Xr sshd 8 : |
178 | +The exact list depends on whether the package was installed fresh or | ||
179 | +upgraded from various possible previous versions, but includes at least the | ||
180 | +following: | ||
181 | +.Pp | 222 | +.Pp |
182 | +.Bl -bullet -offset indent -compact | 223 | +.Bl -bullet -offset indent -compact |
183 | +.It | 224 | +.It |
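Review bot: deleting the caveat at old lines 178-180 ("The exact list depends on whether the package was installed fresh or upgraded ...") makes the man page state the Debian settings unconditionally, but the commit message itself says the list of historical default sshd_config md5sums is probably incomplete, so an upgraded system whose existing file ucf leaves in place may have none of these options set. Either keep a shorter caveat ("in a freshly installed or ucf-updated /etc/ssh/sshd_config") or add a sentence that locally modified files are left untouched. The bullet list that follows is cut off in this excerpt; check that it enumerates the same options the sshd_config hunk sets (UsePAM, ChallengeResponseAuthentication, PrintMotd, X11Forwarding, AcceptEnv LANG LC_*, and the Subsystem sftp path).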