Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 21:45:00 +0100
commit: 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 (patch)
tree: 01b06510540fd02f07be82ab16a2c5277c97b3e3 /ssh_config.5
parent: b0b95d9689563856ac4992c90b65ed4fd8f3fae6 (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index acd581bf5..844d1a0f5 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 21:45:00 +0100
commit	88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 (patch)
tree	01b06510540fd02f07be82ab16a2c5277c97b3e3 /ssh_config.5
parent	b0b95d9689563856ac4992c90b65ed4fd8f3fae6 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index acd581bf5..844d1a0f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
75	file, and general defaults at the end.	75	file, and general defaults at the end.
76	.Pp	76	.Pp
		77	Note that the Debian
		78	.Ic openssh-client
		79	package sets several options as standard in
		80	.Pa /etc/ssh/ssh_config
		81	which are not the default in
		82	.Xr ssh 1 :
		83	.Pp
		84	.Bl -bullet -offset indent -compact
		85	.It
		86	.Cm SendEnv No LANG LC_*
		87	.It
		88	.Cm HashKnownHosts No yes
		89	.It
		90	.Cm GSSAPIAuthentication No yes
		91	.El
		92	.Pp
77	The configuration file has the following format:	93	The configuration file has the following format:
78	.Pp	94	.Pp
79	Empty lines and lines starting with	95	Empty lines and lines starting with
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
716	Remote clients will be refused access after this time.	732	Remote clients will be refused access after this time.
717	.Pp	733	.Pp
718	The default is	734	The default is
719	.Dq no .	735	.Dq yes
		736	(Debian-specific).
720	.Pp	737	.Pp
721	See the X11 SECURITY extension specification for full details on	738	See the X11 SECURITY extension specification for full details on
722	the restrictions imposed on untrusted clients.	739	the restrictions imposed on untrusted clients.