Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-09-17 13:52:41 +0100
commit: be3c323d998ebf49c589bfd887dbb8aa6c68634c (patch)
tree: 09b6c8521b102150bcdc82f00f1d2b97dc35ff06 /ssh.1
parent: e331e402ea0ab5d2333cc91f1724425d961ca293 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 217886319..e2cce49d3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
 directive in
 .Xr ssh_config 5
 for more information.
+.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl x
 Disables X11 forwarding.
 .It Fl Y
 Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
+.Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-09-17 13:52:41 +0100
commit	be3c323d998ebf49c589bfd887dbb8aa6c68634c (patch)
tree	09b6c8521b102150bcdc82f00f1d2b97dc35ff06 /ssh.1
parent	e331e402ea0ab5d2333cc91f1724425d961ca293 (diff)

diff --git a/ssh.1 b/ssh.1 index 217886319..e2cce49d3 100644 --- a/ssh.1 +++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
670	directive in	670	directive in
671	.Xr ssh_config 5	671	.Xr ssh_config 5
672	for more information.	672	for more information.
		673	.Pp
		674	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		675	restrictions by default, because too many programs currently crash in this
		676	mode.
		677	Set the
		678	.Cm ForwardX11Trusted
		679	option to
		680	.Dq no
		681	to restore the upstream behaviour.
		682	This may change in future depending on client-side improvements.)
673	.It Fl x	683	.It Fl x
674	Disables X11 forwarding.	684	Disables X11 forwarding.
675	.It Fl Y	685	.It Fl Y
676	Enables trusted X11 forwarding.	686	Enables trusted X11 forwarding.
677	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	687	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
678	controls.	688	controls.
		689	.Pp
		690	(Debian-specific: This option does nothing in the default configuration: it
		691	is equivalent to
		692	.Dq Cm ForwardX11Trusted No yes ,
		693	which is the default as described above.
		694	Set the
		695	.Cm ForwardX11Trusted
		696	option to
		697	.Dq no
		698	to restore the upstream behaviour.
		699	This may change in future depending on client-side improvements.)
679	.It Fl y	700	.It Fl y
680	Send log information using the	701	Send log information using the
681	.Xr syslog 3	702	.Xr syslog 3