Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2014-02-12 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-10-07 14:27:21 +0100
commit: 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (patch)
tree: 3625014bb6bad6ff7bb257eab9b917079f6a1dac /ssh_config.5
parent: 689f465c66059e527974c6d4ea8e95f04d5abab7 (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index a1005ba3d..da3c1771a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-10-07 14:27:21 +0100
commit	762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (patch)
tree	3625014bb6bad6ff7bb257eab9b917079f6a1dac /ssh_config.5
parent	689f465c66059e527974c6d4ea8e95f04d5abab7 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index a1005ba3d..da3c1771a 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	71	host-specific declarations should be given near the beginning of the
72	file, and general defaults at the end.	72	file, and general defaults at the end.
73	.Pp	73	.Pp
		74	Note that the Debian
		75	.Ic openssh-client
		76	package sets several options as standard in
		77	.Pa /etc/ssh/ssh_config
		78	which are not the default in
		79	.Xr ssh 1 :
		80	.Pp
		81	.Bl -bullet -offset indent -compact
		82	.It
		83	.Cm SendEnv No LANG LC_*
		84	.It
		85	.Cm HashKnownHosts No yes
		86	.It
		87	.Cm GSSAPIAuthentication No yes
		88	.El
		89	.Pp
74	The configuration file has the following format:	90	The configuration file has the following format:
75	.Pp	91	.Pp
76	Empty lines and lines starting with	92	Empty lines and lines starting with
@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes.
673	Remote clients will be refused access after this time.	689	Remote clients will be refused access after this time.
674	.Pp	690	.Pp
675	The default is	691	The default is
676	.Dq no .	692	.Dq yes
		693	(Debian-specific).
677	.Pp	694	.Pp
678	See the X11 SECURITY extension specification for full details on	695	See the X11 SECURITY extension specification for full details on
679	the restrictions imposed on untrusted clients.	696	the restrictions imposed on untrusted clients.