Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-06-05 13:11:53 +0100
commit: ebd590550bb09fe129b103994d53143788683d05 (patch)
tree: 93db46a23bdee40f62165dacd946588c39353e1b /ssh.1
parent: a88f67584ef5889d95c04b0294e92c11ed4904cd (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 8d2b08a29..4e298cb56 100644
--- a/ssh.1
+++ b/ssh.1
@@ -795,6 +795,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -803,6 +813,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2019-06-05 13:11:53 +0100
commit	ebd590550bb09fe129b103994d53143788683d05 (patch)
tree	93db46a23bdee40f62165dacd946588c39353e1b /ssh.1
parent	a88f67584ef5889d95c04b0294e92c11ed4904cd (diff)

diff --git a/ssh.1 b/ssh.1 index 8d2b08a29..4e298cb56 100644 --- a/ssh.1 +++ b/ssh.1
@@ -795,6 +795,16 @@ directive in
795	.Xr ssh_config 5	795	.Xr ssh_config 5
796	for more information.	796	for more information.
797	.Pp	797	.Pp
		798	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		799	restrictions by default, because too many programs currently crash in this
		800	mode.
		801	Set the
		802	.Cm ForwardX11Trusted
		803	option to
		804	.Dq no
		805	to restore the upstream behaviour.
		806	This may change in future depending on client-side improvements.)
		807	.Pp
798	.It Fl x	808	.It Fl x
799	Disables X11 forwarding.	809	Disables X11 forwarding.
800	.Pp	810	.Pp
@@ -803,6 +813,17 @@ Enables trusted X11 forwarding.
803	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	813	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
804	controls.	814	controls.
805	.Pp	815	.Pp
		816	(Debian-specific: This option does nothing in the default configuration: it
		817	is equivalent to
		818	.Dq Cm ForwardX11Trusted No yes ,
		819	which is the default as described above.
		820	Set the
		821	.Cm ForwardX11Trusted
		822	option to
		823	.Dq no
		824	to restore the upstream behaviour.
		825	This may change in future depending on client-side improvements.)
		826	.Pp
806	.It Fl y	827	.It Fl y
807	Send log information using the	828	Send log information using the
808	.Xr syslog 3	829	.Xr syslog 3