path: root/ssh_config.5
author Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer Colin Watson <cjwatson@debian.org> 2020-10-18 12:07:21 +0100
commit a0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 (patch)
tree 1d383167149b22907153635b676d52f824681d66 /ssh_config.5
parent e8453621b2a26f8d6afec405ff60201749b01e5e (diff)
Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-10-18
Patch-Name: debian-config.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 26
1 files changed, 25 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 96ca7a5df..6d6c59521 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 71host-specific declarations should be given near the beginning of the
72file, and general defaults at the end. 72file, and general defaults at the end.
73.Pp 73.Pp
74Note that the Debian
75.Ic openssh-client
76package sets several options as standard in
77.Pa /etc/ssh/ssh_config
78which are not the default in
79.Xr ssh 1 :
80.Pp
81.Bl -bullet -offset indent -compact
82.It
83.Cm Include /etc/ssh/ssh_config.d/*.conf
84.It
85.Cm SendEnv No LANG LC_*
86.It
87.Cm HashKnownHosts No yes
88.It
89.Cm GSSAPIAuthentication No yes
90.El
91.Pp
92.Pa /etc/ssh/ssh_config.d/*.conf
93files are included at the start of the system-wide configuration file, so
94options set there will override those in
95.Pa /etc/ssh/ssh_config.
96.Pp
74The file contains keyword-argument pairs, one per line. 97The file contains keyword-argument pairs, one per line.
75Lines starting with 98Lines starting with
76.Ql # 99.Ql #
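Review bot: the bullet list of Debian deviations (new lines 81-90) does not mention ForwardX11Trusted, although the commit message lists it first and the second hunk marks `yes` as the Debian-specific default; a reader checking this list to see how the package differs from upstream will miss the one change that relaxes an X11 security boundary. If that default is compiled in rather than set in /etc/ssh/ssh_config, say so in a sentence after the list and point to the ForwardX11Trusted entry. Separately, at new line 95 the sentence-ending period is inside the `.Pa` argument, so it is formatted as part of the path; mdoc wants it as its own argument, `.Pa /etc/ssh/ssh_config .`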
@@ -742,11 +765,12 @@ elapsed.
742.It Cm ForwardX11Trusted 765.It Cm ForwardX11Trusted
743If this option is set to 766If this option is set to
744.Cm yes , 767.Cm yes ,
768(the Debian-specific default),
745remote X11 clients will have full access to the original X11 display. 769remote X11 clients will have full access to the original X11 display.
746.Pp 770.Pp
747If this option is set to 771If this option is set to
748.Cm no 772.Cm no
749(the default), 773(the upstream default),
750remote X11 clients will be considered untrusted and prevented 774remote X11 clients will be considered untrusted and prevented
751from stealing or tampering with data belonging to trusted X11 775from stealing or tampering with data belonging to trusted X11
752clients. 776clients.
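Review bot: at new lines 767-768 the parenthetical is inserted after `.Cm yes ,`, which already emits the comma, so the rendered text reads "yes, (the Debian-specific default), remote X11 clients ..." with a stray comma, while the `no` paragraph uses `.Cm no` followed by "(the upstream default),". Dropping the comma from the macro line (`.Cm yes`) would make the two paragraphs parallel. Since the `yes` paragraph states that remote X11 clients get full access to the original display, it would also help to note here that `ForwardX11Trusted no` in the user's or system configuration restores the upstream behaviour.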