Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-19 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 12:10:36 +0000
commit: cc80ecc65d57a9e68ce84d67bcfece281ffa0e9f (patch)
tree: ae0f22c19546882adbc8835e068ebafd4e0a4d90 /ssh.1
parent: a208834b2d1811dac7054d7fdcdd04672f8b19f6 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index b33a8049f..a8967c2f8 100644
--- a/ssh.1
+++ b/ssh.1
@@ -809,6 +809,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 12:10:36 +0000
commit	cc80ecc65d57a9e68ce84d67bcfece281ffa0e9f (patch)
tree	ae0f22c19546882adbc8835e068ebafd4e0a4d90 /ssh.1
parent	a208834b2d1811dac7054d7fdcdd04672f8b19f6 (diff)

diff --git a/ssh.1 b/ssh.1 index b33a8049f..a8967c2f8 100644 --- a/ssh.1 +++ b/ssh.1
@@ -809,6 +809,16 @@ directive in
809	.Xr ssh_config 5	809	.Xr ssh_config 5
810	for more information.	810	for more information.
811	.Pp	811	.Pp
		812	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		813	restrictions by default, because too many programs currently crash in this
		814	mode.
		815	Set the
		816	.Cm ForwardX11Trusted
		817	option to
		818	.Dq no
		819	to restore the upstream behaviour.
		820	This may change in future depending on client-side improvements.)
		821	.Pp
812	.It Fl x	822	.It Fl x
813	Disables X11 forwarding.	823	Disables X11 forwarding.
814	.Pp	824	.Pp
@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
817	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	827	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
818	controls.	828	controls.
819	.Pp	829	.Pp
		830	(Debian-specific: In the default configuration, this option is equivalent to
		831	.Fl X ,
		832	since
		833	.Cm ForwardX11Trusted
		834	defaults to
		835	.Dq yes
		836	as described above.
		837	Set the
		838	.Cm ForwardX11Trusted
		839	option to
		840	.Dq no
		841	to restore the upstream behaviour.
		842	This may change in future depending on client-side improvements.)
		843	.Pp
820	.It Fl y	844	.It Fl y
821	Send log information using the	845	Send log information using the
822	.Xr syslog 3	846	.Xr syslog 3