Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-01-16 15:02:54 +0000
commit: 2b53482aec037f0747198f19e449f51d921acd30 (patch)
tree: 840d9ac0c2317fa1f5482a26230b50579eef5afe /ssh.1
parent: 0fd4134a3ef467e1e69db5b19b7903cf306ec64b (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 22e56a7b9..6aa57c462 100644
--- a/ssh.1
+++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-01-16 15:02:54 +0000
commit	2b53482aec037f0747198f19e449f51d921acd30 (patch)
tree	840d9ac0c2317fa1f5482a26230b50579eef5afe /ssh.1
parent	0fd4134a3ef467e1e69db5b19b7903cf306ec64b (diff)

diff --git a/ssh.1 b/ssh.1 index 22e56a7b9..6aa57c462 100644 --- a/ssh.1 +++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
785	.Xr ssh_config 5	785	.Xr ssh_config 5
786	for more information.	786	for more information.
787	.Pp	787	.Pp
		788	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		789	restrictions by default, because too many programs currently crash in this
		790	mode.
		791	Set the
		792	.Cm ForwardX11Trusted
		793	option to
		794	.Dq no
		795	to restore the upstream behaviour.
		796	This may change in future depending on client-side improvements.)
		797	.Pp
788	.It Fl x	798	.It Fl x
789	Disables X11 forwarding.	799	Disables X11 forwarding.
790	.Pp	800	.Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
793	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	803	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
794	controls.	804	controls.
795	.Pp	805	.Pp
		806	(Debian-specific: This option does nothing in the default configuration: it
		807	is equivalent to
		808	.Dq Cm ForwardX11Trusted No yes ,
		809	which is the default as described above.
		810	Set the
		811	.Cm ForwardX11Trusted
		812	option to
		813	.Dq no
		814	to restore the upstream behaviour.
		815	This may change in future depending on client-side improvements.)
		816	.Pp
796	.It Fl y	817	.It Fl y
797	Send log information using the	818	Send log information using the
798	.Xr syslog 3	819	.Xr syslog 3