Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2018-08-24 17:49:07 +0100
commit: 157278376c0eb6e4de3d47e8573684095a230685 (patch)
tree: 02fd56a8b71afb41346d27c74f7bf7a8609e1706 /ssh.1
parent: ba2be368348f9f411377f494e209faedf53903de (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 0a8e63f51..ba55aa665 100644
--- a/ssh.1
+++ b/ssh.1
@@ -772,6 +772,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -780,6 +790,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2018-08-24 17:49:07 +0100
commit	157278376c0eb6e4de3d47e8573684095a230685 (patch)
tree	02fd56a8b71afb41346d27c74f7bf7a8609e1706 /ssh.1
parent	ba2be368348f9f411377f494e209faedf53903de (diff)

diff --git a/ssh.1 b/ssh.1 index 0a8e63f51..ba55aa665 100644 --- a/ssh.1 +++ b/ssh.1
@@ -772,6 +772,16 @@ directive in
772	.Xr ssh_config 5	772	.Xr ssh_config 5
773	for more information.	773	for more information.
774	.Pp	774	.Pp
		775	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		776	restrictions by default, because too many programs currently crash in this
		777	mode.
		778	Set the
		779	.Cm ForwardX11Trusted
		780	option to
		781	.Dq no
		782	to restore the upstream behaviour.
		783	This may change in future depending on client-side improvements.)
		784	.Pp
775	.It Fl x	785	.It Fl x
776	Disables X11 forwarding.	786	Disables X11 forwarding.
777	.Pp	787	.Pp
@@ -780,6 +790,17 @@ Enables trusted X11 forwarding.
780	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	790	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
781	controls.	791	controls.
782	.Pp	792	.Pp
		793	(Debian-specific: This option does nothing in the default configuration: it
		794	is equivalent to
		795	.Dq Cm ForwardX11Trusted No yes ,
		796	which is the default as described above.
		797	Set the
		798	.Cm ForwardX11Trusted
		799	option to
		800	.Dq no
		801	to restore the upstream behaviour.
		802	This may change in future depending on client-side improvements.)
		803	.Pp
783	.It Fl y	804	.It Fl y
784	Send log information using the	805	Send log information using the
785	.Xr syslog 3	806	.Xr syslog 3