Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-12-07 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-01-04 15:07:01 +0000
commit: 966fde291d530349c427da5c98e4f1869cb4e0bb (patch)
tree: 99ddb7e16d978ac40f8c5d7017a2d5e5d83bd148 /ssh.1
parent: 0aff7ca980bc54be68f7479a016d7779f99cf06e (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 05b7f107b..649d6c303 100644
--- a/ssh.1
+++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-01-04 15:07:01 +0000
commit	966fde291d530349c427da5c98e4f1869cb4e0bb (patch)
tree	99ddb7e16d978ac40f8c5d7017a2d5e5d83bd148 /ssh.1
parent	0aff7ca980bc54be68f7479a016d7779f99cf06e (diff)

diff --git a/ssh.1 b/ssh.1 index 05b7f107b..649d6c303 100644 --- a/ssh.1 +++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
755	.Xr ssh_config 5	755	.Xr ssh_config 5
756	for more information.	756	for more information.
757	.Pp	757	.Pp
		758	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		759	restrictions by default, because too many programs currently crash in this
		760	mode.
		761	Set the
		762	.Cm ForwardX11Trusted
		763	option to
		764	.Dq no
		765	to restore the upstream behaviour.
		766	This may change in future depending on client-side improvements.)
		767	.Pp
758	.It Fl x	768	.It Fl x
759	Disables X11 forwarding.	769	Disables X11 forwarding.
760	.Pp	770	.Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
763	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	773	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
764	controls.	774	controls.
765	.Pp	775	.Pp
		776	(Debian-specific: This option does nothing in the default configuration: it
		777	is equivalent to
		778	.Dq Cm ForwardX11Trusted No yes ,
		779	which is the default as described above.
		780	Set the
		781	.Cm ForwardX11Trusted
		782	option to
		783	.Dq no
		784	to restore the upstream behaviour.
		785	This may change in future depending on client-side improvements.)
		786	.Pp
766	.It Fl y	787	.It Fl y
767	Send log information using the	788	Send log information using the
768	.Xr syslog 3	789	.Xr syslog 3