Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-12-07 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-12-21 16:09:56 +0000
commit: a466a627b806905df9c7583af7edcf39e9481201 (patch)
tree: d0624eb9d721d69f204cd8bea9c63830835fada3 /ssh.1
parent: 818791ef8edf087481bd49eb32335c8d7e1953d6 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 05b7f107b..649d6c303 100644
--- a/ssh.1
+++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-12-21 16:09:56 +0000
commit	a466a627b806905df9c7583af7edcf39e9481201 (patch)
tree	d0624eb9d721d69f204cd8bea9c63830835fada3 /ssh.1
parent	818791ef8edf087481bd49eb32335c8d7e1953d6 (diff)

diff --git a/ssh.1 b/ssh.1 index 05b7f107b..649d6c303 100644 --- a/ssh.1 +++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
755	.Xr ssh_config 5	755	.Xr ssh_config 5
756	for more information.	756	for more information.
757	.Pp	757	.Pp
		758	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		759	restrictions by default, because too many programs currently crash in this
		760	mode.
		761	Set the
		762	.Cm ForwardX11Trusted
		763	option to
		764	.Dq no
		765	to restore the upstream behaviour.
		766	This may change in future depending on client-side improvements.)
		767	.Pp
758	.It Fl x	768	.It Fl x
759	Disables X11 forwarding.	769	Disables X11 forwarding.
760	.Pp	770	.Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
763	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	773	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
764	controls.	774	controls.
765	.Pp	775	.Pp
		776	(Debian-specific: This option does nothing in the default configuration: it
		777	is equivalent to
		778	.Dq Cm ForwardX11Trusted No yes ,
		779	which is the default as described above.
		780	Set the
		781	.Cm ForwardX11Trusted
		782	option to
		783	.Dq no
		784	to restore the upstream behaviour.
		785	This may change in future depending on client-side improvements.)
		786	.Pp
766	.It Fl y	787	.It Fl y
767	Send log information using the	788	Send log information using the
768	.Xr syslog 3	789	.Xr syslog 3