author | Colin Watson <cjwatson@debian.org> | 2020-02-21 14:45:25 +0000 |
committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 14:48:42 +0000 |
commit | cb37f2bf1b8576863448555af5c5309a6c220785 (patch) | |
tree | 3a73125336f610265c6793cba89942eada865a2e /debian/patches | |
parent | 886e47e745586c34e81cfd5c5fb9b5dbc8e84d04 (diff) | |
parent | 86fe78ef4686485394b464cf9d3393ce27b33979 (diff) |
Include /etc/ssh/*_config.d/*.conf
Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
/etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config.
Closes: #845315
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/conch-old-privkey-format.patch | 2 | ||||
-rw-r--r-- | debian/patches/debian-config.patch | 67 | ||||
-rw-r--r-- | debian/patches/restore-authorized_keys2.patch | 6 | ||||
-rw-r--r-- | debian/patches/revert-ipqos-defaults.patch | 10 |
4 files changed, 57 insertions, 28 deletions
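--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From 311da721c2a5c6d147738e0699fa49d04cd5762a Mon Sep 17 00:00:00 2001
+From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure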
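--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From cc80ecc65d57a9e68ce84d67bcfece281ffa0e9f Mon Sep 17 00:00:00 2001
+From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -13,6 +13,8 @@ worms.
 
 ssh: Enable GSSAPIAuthentication by default.
 
+ssh: Include /etc/ssh/ssh_config.d/*.conf.
+
 sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
 PrintMotd.
 
@@ -22,21 +24,23 @@ sshd: Set 'AcceptEnv LANG LC_*' by default.
 
 sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
 
+sshd: Include /etc/ssh/sshd_config.d/*.conf.
+
 Document all of this.
 
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2020-02-19
+Last-Update: 2020-02-21
 
 Patch-Name: debian-config.patch
 ---
 readconf.c | 2 +-
 ssh.1 | 24 ++++++++++++++++++++++++
-ssh_config | 6 +++++-
-ssh_config.5 | 19 ++++++++++++++++++-
-sshd_config | 16 ++++++++++------
-sshd_config.5 | 22 ++++++++++++++++++++++
-6 files changed, 80 insertions(+), 9 deletions(-)
+ssh_config | 8 +++++++-
+ssh_config.5 | 26 +++++++++++++++++++++++++-
+sshd_config | 18 ++++++++++++------
+sshd_config.5 | 29 +++++++++++++++++++++++++++++
+6 files changed, 98 insertions(+), 9 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
 index 7f251dd4a..e82024678 100644
@@ -94,14 +98,16 @@ index b33a8049f..a8967c2f8 100644
 Send log information using the
 .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
-index 1ff999b68..6dd6ecf87 100644
+index 1ff999b68..8a55237b9 100644
 --- a/ssh_config
 +++ b/ssh_config
-@@ -17,9 +17,10 @@
+@@ -17,9 +17,12 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
 -# Host *
++Include /etc/ssh/ssh_config.d/*.conf
++
 +Host *
 # ForwardAgent no
 # ForwardX11 no
@@ -109,7 +115,7 @@ index 1ff999b68..6dd6ecf87 100644
 # PasswordAuthentication yes
 # HostbasedAuthentication no
 # GSSAPIAuthentication no
-@@ -45,3 +46,6 @@
+@@ -45,3 +48,6 @@
 # VisualHostKey no
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
@@ -117,10 +123,10 @@ index 1ff999b68..6dd6ecf87 100644
 + HashKnownHosts yes
 + GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index c6eaa63e7..5c90d3e02 100644
+index c6eaa63e7..34dc2d51b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
@@ -133,6 +139,8 @@ index c6eaa63e7..5c90d3e02 100644
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It
++.Cm Include /etc/ssh/ssh_config.d/*.conf
++.It
 +.Cm SendEnv No LANG LC_*
 +.It
 +.Cm HashKnownHosts No yes
@@ -140,10 +148,15 @@ index c6eaa63e7..5c90d3e02 100644
 +.Cm GSSAPIAuthentication No yes
 +.El
 +.Pp
++.Pa /etc/ssh/ssh_config.d/*.conf
++files are included at the start of the system-wide configuration file, so
++options set there will override those in
++.Pa /etc/ssh/ssh_config.
++.Pp
 The file contains keyword-argument pairs, one per line.
 Lines starting with
 .Ql #
-@@ -729,11 +745,12 @@ elapsed.
+@@ -729,11 +752,12 @@ elapsed.
 .It Cm ForwardX11Trusted
 If this option is set to
 .Cm yes ,
@@ -158,10 +171,19 @@ index c6eaa63e7..5c90d3e02 100644
 from stealing or tampering with data belonging to trusted X11
 clients.
 diff --git a/sshd_config b/sshd_config
-index 2c48105f8..ed8272f6d 100644
+index 2c48105f8..459c1b230 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -10,6 +10,8 @@
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
@@ -173,7 +195,7 @@ index 2c48105f8..ed8272f6d 100644
 
 # Kerberos options
 #KerberosAuthentication no
-@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
@@ -193,7 +215,7 @@ index 2c48105f8..ed8272f6d 100644
 #PrintLastLog yes
 #TCPKeepAlive yes
 #PermitUserEnvironment no
-@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 # no default banner path
 #Banner none
 
@@ -207,10 +229,10 @@ index 2c48105f8..ed8272f6d 100644
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index 25f4b8117..b8bea2ad7 100644
+index 25f4b8117..e8271be74 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
+@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
@@ -223,6 +245,8 @@ index 25f4b8117..b8bea2ad7 100644
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It
++.Cm Include /etc/ssh/sshd_config.d/*.conf
++.It
 +.Cm ChallengeResponseAuthentication No no
 +.It
 +.Cm X11Forwarding No yes
@@ -236,6 +260,11 @@ index 25f4b8117..b8bea2ad7 100644
 +.Cm UsePAM No yes
 +.El
 +.Pp
++.Pa /etc/ssh/sshd_config.d/*.conf
++files are included at the start of the configuration file, so options set
++there will override those in
++.Pa /etc/ssh/sshd_config.
++.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):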
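Review bot: The new `Include /etc/ssh/sshd_config.d/*.conf` line in the sshd_config hunk carries no comment, so an administrator reading the shipped file sees the directive but not its consequence: because sshd keeps the first value obtained for each keyword, anything set in a drop-in silently wins over every line that follows, including the Debian defaults this patch documents (UsePAM yes, ChallengeResponseAuthentication no). The explanation only exists in the sshd_config.5 hunk; I would mirror it in the config file itself, e.g. `# Files in sshd_config.d are read first, so a keyword set there takes precedence over any later setting in this file.`, and likewise above the Include added to ssh_config. The sshd_config.5 text ("files are included at the start of the configuration file, so options set there will override those in /etc/ssh/sshd_config") states the effect without the rule it rests on; unlike the ssh_config.5 insertion it does not sit under the "first obtained value" sentence, so I would name first-value-wins explicitly there. Precedence between two drop-ins that set the same keyword presumably follows the order the glob expands them; if that is lexical, the man pages should say so, since it decides which of two conflicting drop-ins takes effect.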
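--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 2fe72c4e855be0fc87dbdc296632394b6cfe957a Mon Sep 17 00:00:00 2001
+From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
@@ -18,10 +18,10 @@ Patch-Name: restore-authorized_keys2.patch
 1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/sshd_config b/sshd_config
-index ed8272f6d..ee9629102 100644
+index 459c1b230..dc0db5706 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -36,9 +36,8 @@
+@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
 
 #PubkeyAuthentication yes
 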
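--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From a2dabf35ce0228c86a288d11cc847a9d9801604f Mon Sep 17 00:00:00 2001
+From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -56,10 +56,10 @@ index 7bbc25c2e..470ad3619 100644
 options->version_addendum = xstrdup("");
 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 5c90d3e02..6b4e4f43b 100644
+index 34dc2d51b..91beb6f50 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1133,11 +1133,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
@@ -74,10 +74,10 @@ index 5c90d3e02..6b4e4f43b 100644
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
-index b8bea2ad7..fd205e418 100644
+index e8271be74..d25b2f3d5 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -907,11 +907,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is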