Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-10-04 13:54:48 +0100
commit: 4847e512c0b94c615b838904a5f139a761bee284 (patch)
tree: f4784e39f9700a109ce869711b69ecfaa81d6f09 /ssh.1
parent: ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 711fe6087..f1b01c566 100644
--- a/ssh.1
+++ b/ssh.1
@@ -764,6 +764,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -772,6 +782,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-10-04 13:54:48 +0100
commit	4847e512c0b94c615b838904a5f139a761bee284 (patch)
tree	f4784e39f9700a109ce869711b69ecfaa81d6f09 /ssh.1
parent	ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd (diff)

diff --git a/ssh.1 b/ssh.1 index 711fe6087..f1b01c566 100644 --- a/ssh.1 +++ b/ssh.1
@@ -764,6 +764,16 @@ directive in
764	.Xr ssh_config 5	764	.Xr ssh_config 5
765	for more information.	765	for more information.
766	.Pp	766	.Pp
		767	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		768	restrictions by default, because too many programs currently crash in this
		769	mode.
		770	Set the
		771	.Cm ForwardX11Trusted
		772	option to
		773	.Dq no
		774	to restore the upstream behaviour.
		775	This may change in future depending on client-side improvements.)
		776	.Pp
767	.It Fl x	777	.It Fl x
768	Disables X11 forwarding.	778	Disables X11 forwarding.
769	.Pp	779	.Pp
@@ -772,6 +782,17 @@ Enables trusted X11 forwarding.
772	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	782	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
773	controls.	783	controls.
774	.Pp	784	.Pp
		785	(Debian-specific: This option does nothing in the default configuration: it
		786	is equivalent to
		787	.Dq Cm ForwardX11Trusted No yes ,
		788	which is the default as described above.
		789	Set the
		790	.Cm ForwardX11Trusted
		791	option to
		792	.Dq no
		793	to restore the upstream behaviour.
		794	This may change in future depending on client-side improvements.)
		795	.Pp
775	.It Fl y	796	.It Fl y
776	Send log information using the	797	Send log information using the
777	.Xr syslog 3	798	.Xr syslog 3