Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-12-07 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-02-29 12:35:37 +0000
commit: 85e40e87a75fb80a0bf893ac05a417d6c353537d (patch)
tree: 0f76f9976afd1622fe4fd2258fa0136a4ac75312 /ssh.1
parent: a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 74d965544..7fb9d3040 100644
--- a/ssh.1
+++ b/ssh.1
@@ -760,6 +760,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -768,6 +778,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-02-29 12:35:37 +0000
commit	85e40e87a75fb80a0bf893ac05a417d6c353537d (patch)
tree	0f76f9976afd1622fe4fd2258fa0136a4ac75312 /ssh.1
parent	a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 (diff)

diff --git a/ssh.1 b/ssh.1 index 74d965544..7fb9d3040 100644 --- a/ssh.1 +++ b/ssh.1
@@ -760,6 +760,16 @@ directive in
760	.Xr ssh_config 5	760	.Xr ssh_config 5
761	for more information.	761	for more information.
762	.Pp	762	.Pp
		763	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		764	restrictions by default, because too many programs currently crash in this
		765	mode.
		766	Set the
		767	.Cm ForwardX11Trusted
		768	option to
		769	.Dq no
		770	to restore the upstream behaviour.
		771	This may change in future depending on client-side improvements.)
		772	.Pp
763	.It Fl x	773	.It Fl x
764	Disables X11 forwarding.	774	Disables X11 forwarding.
765	.Pp	775	.Pp
@@ -768,6 +778,17 @@ Enables trusted X11 forwarding.
768	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	778	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
769	controls.	779	controls.
770	.Pp	780	.Pp
		781	(Debian-specific: This option does nothing in the default configuration: it
		782	is equivalent to
		783	.Dq Cm ForwardX11Trusted No yes ,
		784	which is the default as described above.
		785	Set the
		786	.Cm ForwardX11Trusted
		787	option to
		788	.Dq no
		789	to restore the upstream behaviour.
		790	This may change in future depending on client-side improvements.)
		791	.Pp
771	.It Fl y	792	.It Fl y
772	Send log information using the	793	Send log information using the
773	.Xr syslog 3	794	.Xr syslog 3