diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-11-06 10:31:34 +0000 |
| commit | 44f0937b56758f662ff388d474213107e3290863 (patch) | |
| tree | 79fb9978b7e5eb58e5b4ac92eb72ca487f935b0e /ssh_config.5 | |
| parent | 689f465c66059e527974c6d4ea8e95f04d5abab7 (diff) | |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2014-11-06
Patch-Name: debian-config.patch
Diffstat (limited to 'ssh_config.5')
| -rw-r--r-- | ssh_config.5 | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index a1005ba3d..598576997 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -71,6 +71,26 @@ Since the first obtained value for each parameter is used, more | |||
| 71 | host-specific declarations should be given near the beginning of the | 71 | host-specific declarations should be given near the beginning of the |
| 72 | file, and general defaults at the end. | 72 | file, and general defaults at the end. |
| 73 | .Pp | 73 | .Pp |
| 74 | Note that the Debian | ||
| 75 | .Ic openssh-client | ||
| 76 | package sets several options as standard in | ||
| 77 | .Pa /etc/ssh/ssh_config | ||
| 78 | which are not the default in | ||
| 79 | .Xr ssh 1 : | ||
| 80 | .Pp | ||
| 81 | .Bl -bullet -offset indent -compact | ||
| 82 | .It | ||
| 83 | .Cm SendEnv No LANG Xo | ||
| 84 | .No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT | ||
| 85 | .No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME | ||
| 86 | .No LC_ALL | ||
| 87 | .Xc | ||
| 88 | .It | ||
| 89 | .Cm HashKnownHosts No yes | ||
| 90 | .It | ||
| 91 | .Cm GSSAPIAuthentication No yes | ||
| 92 | .El | ||
| 93 | .Pp | ||
| 74 | The configuration file has the following format: | 94 | The configuration file has the following format: |
| 75 | .Pp | 95 | .Pp |
| 76 | Empty lines and lines starting with | 96 | Empty lines and lines starting with |
| @@ -673,7 +693,8 @@ token used for the session will be set to expire after 20 minutes. | |||
| 673 | Remote clients will be refused access after this time. | 693 | Remote clients will be refused access after this time. |
| 674 | .Pp | 694 | .Pp |
| 675 | The default is | 695 | The default is |
| 676 | .Dq no . | 696 | .Dq yes |
| 697 | (Debian-specific). | ||
| 677 | .Pp | 698 | .Pp |
| 678 | See the X11 SECURITY extension specification for full details on | 699 | See the X11 SECURITY extension specification for full details on |
| 679 | the restrictions imposed on untrusted clients. | 700 | the restrictions imposed on untrusted clients. |