Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2018-04-03 08:26:38 +0100
commit: 279cd9cd9a66daac701328cb0c53863e2bb5ab02 (patch)
tree: 576110989e00a499f9a20cbfeb5574ffe36ac9a0 /ssh.1
parent: 293675c88b02f0a5ba3896db73b2716e70d87b31 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index f8fc26d2a..8a03db952 100644
--- a/ssh.1
+++ b/ssh.1
@@ -768,6 +768,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -776,6 +786,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2018-04-03 08:26:38 +0100
commit	279cd9cd9a66daac701328cb0c53863e2bb5ab02 (patch)
tree	576110989e00a499f9a20cbfeb5574ffe36ac9a0 /ssh.1
parent	293675c88b02f0a5ba3896db73b2716e70d87b31 (diff)

diff --git a/ssh.1 b/ssh.1 index f8fc26d2a..8a03db952 100644 --- a/ssh.1 +++ b/ssh.1
@@ -768,6 +768,16 @@ directive in
768	.Xr ssh_config 5	768	.Xr ssh_config 5
769	for more information.	769	for more information.
770	.Pp	770	.Pp
		771	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		772	restrictions by default, because too many programs currently crash in this
		773	mode.
		774	Set the
		775	.Cm ForwardX11Trusted
		776	option to
		777	.Dq no
		778	to restore the upstream behaviour.
		779	This may change in future depending on client-side improvements.)
		780	.Pp
771	.It Fl x	781	.It Fl x
772	Disables X11 forwarding.	782	Disables X11 forwarding.
773	.Pp	783	.Pp
@@ -776,6 +786,17 @@ Enables trusted X11 forwarding.
776	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	786	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
777	controls.	787	controls.
778	.Pp	788	.Pp
		789	(Debian-specific: This option does nothing in the default configuration: it
		790	is equivalent to
		791	.Dq Cm ForwardX11Trusted No yes ,
		792	which is the default as described above.
		793	Set the
		794	.Cm ForwardX11Trusted
		795	option to
		796	.Dq no
		797	to restore the upstream behaviour.
		798	This may change in future depending on client-side improvements.)
		799	.Pp
779	.It Fl y	800	.It Fl y
780	Send log information using the	801	Send log information using the
781	.Xr syslog 3	802	.Xr syslog 3