diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-10-20 22:54:09 +0100 |
commit | a433d9baa031d7136a8cf3e3807ebff83a3a8634 (patch) | |
tree | 3fecc984dfc9a222bcc8a5353bca9640c1d48c55 /ssh_config.5 | |
parent | da34947128351bee9d2530574432190548f5be58 (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index a91355726..1a8e24bd1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | |||
71 | host-specific declarations should be given near the beginning of the | 71 | host-specific declarations should be given near the beginning of the |
72 | file, and general defaults at the end. | 72 | file, and general defaults at the end. |
73 | .Pp | 73 | .Pp |
74 | Note that the Debian | ||
75 | .Ic openssh-client | ||
76 | package sets several options as standard in | ||
77 | .Pa /etc/ssh/ssh_config | ||
78 | which are not the default in | ||
79 | .Xr ssh 1 : | ||
80 | .Pp | ||
81 | .Bl -bullet -offset indent -compact | ||
82 | .It | ||
83 | .Cm SendEnv No LANG LC_* | ||
84 | .It | ||
85 | .Cm HashKnownHosts No yes | ||
86 | .It | ||
87 | .Cm GSSAPIAuthentication No yes | ||
88 | .El | ||
89 | .Pp | ||
74 | The file contains keyword-argument pairs, one per line. | 90 | The file contains keyword-argument pairs, one per line. |
75 | Lines starting with | 91 | Lines starting with |
76 | .Ql # | 92 | .Ql # |
@@ -699,11 +715,12 @@ elapsed. | |||
699 | .It Cm ForwardX11Trusted | 715 | .It Cm ForwardX11Trusted |
700 | If this option is set to | 716 | If this option is set to |
701 | .Cm yes , | 717 | .Cm yes , |
718 | (the Debian-specific default), | ||
702 | remote X11 clients will have full access to the original X11 display. | 719 | remote X11 clients will have full access to the original X11 display. |
703 | .Pp | 720 | .Pp |
704 | If this option is set to | 721 | If this option is set to |
705 | .Cm no | 722 | .Cm no |
706 | (the default), | 723 | (the upstream default), |
707 | remote X11 clients will be considered untrusted and prevented | 724 | remote X11 clients will be considered untrusted and prevented |
708 | from stealing or tampering with data belonging to trusted X11 | 725 | from stealing or tampering with data belonging to trusted X11 |
709 | clients. | 726 | clients. |