diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:02:54 +0000 |
| commit | 2b53482aec037f0747198f19e449f51d921acd30 (patch) | |
| tree | 840d9ac0c2317fa1f5482a26230b50579eef5afe /ssh_config.5 | |
| parent | 0fd4134a3ef467e1e69db5b19b7903cf306ec64b (diff) | |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
Diffstat (limited to 'ssh_config.5')
| -rw-r--r-- | ssh_config.5 | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 8698c28ee..26f983a3e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more | |||
| 74 | host-specific declarations should be given near the beginning of the | 74 | host-specific declarations should be given near the beginning of the |
| 75 | file, and general defaults at the end. | 75 | file, and general defaults at the end. |
| 76 | .Pp | 76 | .Pp |
| 77 | Note that the Debian | ||
| 78 | .Ic openssh-client | ||
| 79 | package sets several options as standard in | ||
| 80 | .Pa /etc/ssh/ssh_config | ||
| 81 | which are not the default in | ||
| 82 | .Xr ssh 1 : | ||
| 83 | .Pp | ||
| 84 | .Bl -bullet -offset indent -compact | ||
| 85 | .It | ||
| 86 | .Cm SendEnv No LANG LC_* | ||
| 87 | .It | ||
| 88 | .Cm HashKnownHosts No yes | ||
| 89 | .It | ||
| 90 | .Cm GSSAPIAuthentication No yes | ||
| 91 | .El | ||
| 92 | .Pp | ||
| 77 | The file contains keyword-argument pairs, one per line. | 93 | The file contains keyword-argument pairs, one per line. |
| 78 | Lines starting with | 94 | Lines starting with |
| 79 | .Ql # | 95 | .Ql # |
| @@ -711,11 +727,12 @@ elapsed. | |||
| 711 | .It Cm ForwardX11Trusted | 727 | .It Cm ForwardX11Trusted |
| 712 | If this option is set to | 728 | If this option is set to |
| 713 | .Cm yes , | 729 | .Cm yes , |
| 730 | (the Debian-specific default), | ||
| 714 | remote X11 clients will have full access to the original X11 display. | 731 | remote X11 clients will have full access to the original X11 display. |
| 715 | .Pp | 732 | .Pp |
| 716 | If this option is set to | 733 | If this option is set to |
| 717 | .Cm no | 734 | .Cm no |
| 718 | (the default), | 735 | (the upstream default), |
| 719 | remote X11 clients will be considered untrusted and prevented | 736 | remote X11 clients will be considered untrusted and prevented |
| 720 | from stealing or tampering with data belonging to trusted X11 | 737 | from stealing or tampering with data belonging to trusted X11 |
| 721 | clients. | 738 | clients. |