diff options
| author | Colin Watson <cjwatson@debian.org> | 2016-12-24 19:26:39 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-12-26 00:30:30 +0000 |
| commit | de911c73504da8dd7d9bbaddcf0c0845dd6eb9a0 (patch) | |
| tree | c1be675cab068c60f7461a67b396961227c9ae6d /debian/patches/debian-config.patch | |
| parent | 9477f029ee259b25daff503e02e6b011aea82ce3 (diff) | |
| parent | af54c22db774b37a15df5e599d08a83d4bbe5079 (diff) | |
Start handling /etc/ssh/sshd_config using ucf.
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
for this is to deal with deprecations of options related to protocol 1,
but something like this has been needed for a long time (closes:
#419574, #848089):
- sshd_config is now a slightly-patched version of upstream's, and only
contains non-default settings (closes: #147201).
- I've included as many historical md5sums of default versions of
sshd_config as I could reconstruct from version control, but I'm sure
I've missed some.
- Explicitly synchronise the debconf database with the current
configuration file state in openssh-server.config, to ensure that the
PermitRootLogin setting is properly preserved.
- UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
than "yes", per upstream.
Diffstat (limited to 'debian/patches/debian-config.patch')
| -rw-r--r-- | debian/patches/debian-config.patch | 71 |
1 files changed, 56 insertions, 15 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 8129c1e58..65175d589 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001 | 1 | From af54c22db774b37a15df5e599d08a83d4bbe5079 Mon Sep 17 00:00:00 2001 |
| 2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
| 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
| 4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
| @@ -14,12 +14,20 @@ worms. | |||
| 14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by | 14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by |
| 15 | default. | 15 | default. |
| 16 | 16 | ||
| 17 | Document all of this, along with several sshd defaults set in | 17 | sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable |
| 18 | debian/openssh-server.postinst. | 18 | PrintMotd. |
| 19 | |||
| 20 | sshd: Enable X11Forwarding. | ||
| 21 | |||
| 22 | sshd: Set 'AcceptEnv LANG LC_*' by default. | ||
| 23 | |||
| 24 | sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. | ||
| 25 | |||
| 26 | Document all of this. | ||
| 19 | 27 | ||
| 20 | Author: Russ Allbery <rra@debian.org> | 28 | Author: Russ Allbery <rra@debian.org> |
| 21 | Forwarded: not-needed | 29 | Forwarded: not-needed |
| 22 | Last-Update: 2015-12-07 | 30 | Last-Update: 2016-12-24 |
| 23 | 31 | ||
| 24 | Patch-Name: debian-config.patch | 32 | Patch-Name: debian-config.patch |
| 25 | --- | 33 | --- |
| @@ -27,9 +35,9 @@ Patch-Name: debian-config.patch | |||
| 27 | ssh.1 | 21 +++++++++++++++++++++ | 35 | ssh.1 | 21 +++++++++++++++++++++ |
| 28 | ssh_config | 7 ++++++- | 36 | ssh_config | 7 ++++++- |
| 29 | ssh_config.5 | 19 ++++++++++++++++++- | 37 | ssh_config.5 | 19 ++++++++++++++++++- |
| 30 | sshd_config | 2 +- | 38 | sshd_config | 16 ++++++++++------ |
| 31 | sshd_config.5 | 25 +++++++++++++++++++++++++ | 39 | sshd_config.5 | 22 ++++++++++++++++++++++ |
| 32 | 6 files changed, 72 insertions(+), 4 deletions(-) | 40 | 6 files changed, 78 insertions(+), 9 deletions(-) |
| 33 | 41 | ||
| 34 | diff --git a/readconf.c b/readconf.c | 42 | diff --git a/readconf.c b/readconf.c |
| 35 | index c02cdf63..d1091cbd 100644 | 43 | index c02cdf63..d1091cbd 100644 |
| @@ -149,12 +157,48 @@ index 40617be4..8dce757e 100644 | |||
| 149 | from stealing or tampering with data belonging to trusted X11 | 157 | from stealing or tampering with data belonging to trusted X11 |
| 150 | clients. | 158 | clients. |
| 151 | diff --git a/sshd_config b/sshd_config | 159 | diff --git a/sshd_config b/sshd_config |
| 152 | index 00e5a728..c0b84f8e 100644 | 160 | index 00e5a728..13cbe2c6 100644 |
| 153 | --- a/sshd_config | 161 | --- a/sshd_config |
| 154 | +++ b/sshd_config | 162 | +++ b/sshd_config |
| 155 | @@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys | 163 | @@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys |
| 164 | #PasswordAuthentication yes | ||
| 165 | #PermitEmptyPasswords no | ||
| 166 | |||
| 167 | -# Change to no to disable s/key passwords | ||
| 168 | -#ChallengeResponseAuthentication yes | ||
| 169 | +# Change to yes to enable challenge-response passwords (beware issues with | ||
| 170 | +# some PAM modules and threads) | ||
| 171 | +ChallengeResponseAuthentication no | ||
| 172 | |||
| 173 | # Kerberos options | ||
| 174 | #KerberosAuthentication no | ||
| 175 | @@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
| 176 | # If you just want the PAM account and session checks to run without | ||
| 177 | # PAM authentication, then enable this but set PasswordAuthentication | ||
| 178 | # and ChallengeResponseAuthentication to 'no'. | ||
| 179 | -#UsePAM no | ||
| 180 | +UsePAM yes | ||
| 181 | |||
| 182 | #AllowAgentForwarding yes | ||
| 183 | #AllowTcpForwarding yes | ||
| 184 | #GatewayPorts no | ||
| 185 | -#X11Forwarding no | ||
| 186 | +X11Forwarding yes | ||
| 187 | #X11DisplayOffset 10 | ||
| 188 | #X11UseLocalhost yes | ||
| 189 | #PermitTTY yes | ||
| 190 | -#PrintMotd yes | ||
| 191 | +PrintMotd no | ||
| 192 | #PrintLastLog yes | ||
| 193 | #TCPKeepAlive yes | ||
| 194 | #UseLogin no | ||
| 195 | @@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
| 196 | # no default banner path | ||
| 156 | #Banner none | 197 | #Banner none |
| 157 | 198 | ||
| 199 | +# Allow client to pass locale environment variables | ||
| 200 | +AcceptEnv LANG LC_* | ||
| 201 | + | ||
| 158 | # override default of no subsystems | 202 | # override default of no subsystems |
| 159 | -Subsystem sftp /usr/libexec/sftp-server | 203 | -Subsystem sftp /usr/libexec/sftp-server |
| 160 | +Subsystem sftp /usr/lib/openssh/sftp-server | 204 | +Subsystem sftp /usr/lib/openssh/sftp-server |
| @@ -162,10 +206,10 @@ index 00e5a728..c0b84f8e 100644 | |||
| 162 | # Example of overriding settings on a per-user basis | 206 | # Example of overriding settings on a per-user basis |
| 163 | #Match User anoncvs | 207 | #Match User anoncvs |
| 164 | diff --git a/sshd_config.5 b/sshd_config.5 | 208 | diff --git a/sshd_config.5 b/sshd_config.5 |
| 165 | index e45a8937..d6911a98 100644 | 209 | index e45a8937..703a9cdd 100644 |
| 166 | --- a/sshd_config.5 | 210 | --- a/sshd_config.5 |
| 167 | +++ b/sshd_config.5 | 211 | +++ b/sshd_config.5 |
| 168 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 212 | @@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes |
| 169 | .Pq \&" | 213 | .Pq \&" |
| 170 | in order to represent arguments containing spaces. | 214 | in order to represent arguments containing spaces. |
| 171 | .Pp | 215 | .Pp |
| @@ -174,10 +218,7 @@ index e45a8937..d6911a98 100644 | |||
| 174 | +package sets several options as standard in | 218 | +package sets several options as standard in |
| 175 | +.Pa /etc/ssh/sshd_config | 219 | +.Pa /etc/ssh/sshd_config |
| 176 | +which are not the default in | 220 | +which are not the default in |
| 177 | +.Xr sshd 8 . | 221 | +.Xr sshd 8 : |
| 178 | +The exact list depends on whether the package was installed fresh or | ||
| 179 | +upgraded from various possible previous versions, but includes at least the | ||
| 180 | +following: | ||
| 181 | +.Pp | 222 | +.Pp |
| 182 | +.Bl -bullet -offset indent -compact | 223 | +.Bl -bullet -offset indent -compact |
| 183 | +.It | 224 | +.It |