Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2018-10-20 22:54:09 +0100
commit: a433d9baa031d7136a8cf3e3807ebff83a3a8634 (patch)
tree: 3fecc984dfc9a222bcc8a5353bca9640c1d48c55 /ssh.1
parent: da34947128351bee9d2530574432190548f5be58 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index ad1ed0f86..1bcc8edab 100644
--- a/ssh.1
+++ b/ssh.1
@@ -782,6 +782,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2018-10-20 22:54:09 +0100
commit	a433d9baa031d7136a8cf3e3807ebff83a3a8634 (patch)
tree	3fecc984dfc9a222bcc8a5353bca9640c1d48c55 /ssh.1
parent	da34947128351bee9d2530574432190548f5be58 (diff)

diff --git a/ssh.1 b/ssh.1 index ad1ed0f86..1bcc8edab 100644 --- a/ssh.1 +++ b/ssh.1
@@ -782,6 +782,16 @@ directive in
782	.Xr ssh_config 5	782	.Xr ssh_config 5
783	for more information.	783	for more information.
784	.Pp	784	.Pp
		785	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		786	restrictions by default, because too many programs currently crash in this
		787	mode.
		788	Set the
		789	.Cm ForwardX11Trusted
		790	option to
		791	.Dq no
		792	to restore the upstream behaviour.
		793	This may change in future depending on client-side improvements.)
		794	.Pp
785	.It Fl x	795	.It Fl x
786	Disables X11 forwarding.	796	Disables X11 forwarding.
787	.Pp	797	.Pp
@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
790	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	800	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
791	controls.	801	controls.
792	.Pp	802	.Pp
		803	(Debian-specific: This option does nothing in the default configuration: it
		804	is equivalent to
		805	.Dq Cm ForwardX11Trusted No yes ,
		806	which is the default as described above.
		807	Set the
		808	.Cm ForwardX11Trusted
		809	option to
		810	.Dq no
		811	to restore the upstream behaviour.
		812	This may change in future depending on client-side improvements.)
		813	.Pp
793	.It Fl y	814	.It Fl y
794	Send log information using the	815	Send log information using the
795	.Xr syslog 3	816	.Xr syslog 3