Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-19 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-19 11:49:48 +0000
commit: 9a713cd4bbaef5ad4f1d28c1718fb6960ac257b3 (patch)
tree: af1b4389f3c60ba6858f24914b3f6d722c58817c /ssh.1
parent: ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 24530e511..44a00d525 100644
--- a/ssh.1
+++ b/ssh.1
@@ -795,6 +795,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -803,6 +813,20 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-19 11:49:48 +0000
commit	9a713cd4bbaef5ad4f1d28c1718fb6960ac257b3 (patch)
tree	af1b4389f3c60ba6858f24914b3f6d722c58817c /ssh.1
parent	ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 (diff)

diff --git a/ssh.1 b/ssh.1 index 24530e511..44a00d525 100644 --- a/ssh.1 +++ b/ssh.1
@@ -795,6 +795,16 @@ directive in
795	.Xr ssh_config 5	795	.Xr ssh_config 5
796	for more information.	796	for more information.
797	.Pp	797	.Pp
		798	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		799	restrictions by default, because too many programs currently crash in this
		800	mode.
		801	Set the
		802	.Cm ForwardX11Trusted
		803	option to
		804	.Dq no
		805	to restore the upstream behaviour.
		806	This may change in future depending on client-side improvements.)
		807	.Pp
798	.It Fl x	808	.It Fl x
799	Disables X11 forwarding.	809	Disables X11 forwarding.
800	.Pp	810	.Pp
@@ -803,6 +813,20 @@ Enables trusted X11 forwarding.
803	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	813	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
804	controls.	814	controls.
805	.Pp	815	.Pp
		816	(Debian-specific: In the default configuration, this option is equivalent to
		817	.Fl X ,
		818	since
		819	.Cm ForwardX11Trusted
		820	defaults to
		821	.Dq yes
		822	as described above.
		823	Set the
		824	.Cm ForwardX11Trusted
		825	option to
		826	.Dq no
		827	to restore the upstream behaviour.
		828	This may change in future depending on client-side improvements.)
		829	.Pp
806	.It Fl y	830	.It Fl y
807	Send log information using the	831	Send log information using the
808	.Xr syslog 3	832	.Xr syslog 3