Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-10-18 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-10-18 12:07:21 +0100
commit: a0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 (patch)
tree: 1d383167149b22907153635b676d52f824681d66 /sshd_config.5
parent: e8453621b2a26f8d6afec405ff60201749b01e5e (diff)
1 files changed, 29 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 32ae46476..472001dd1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-10-18 12:07:21 +0100
commit	a0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 (patch)
tree	1d383167149b22907153635b676d52f824681d66 /sshd_config.5
parent	e8453621b2a26f8d6afec405ff60201749b01e5e (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 32ae46476..472001dd1 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
56	.Pq \&"	56	.Pq \&"
57	in order to represent arguments containing spaces.	57	in order to represent arguments containing spaces.
58	.Pp	58	.Pp
		59	Note that the Debian
		60	.Ic openssh-server
		61	package sets several options as standard in
		62	.Pa /etc/ssh/sshd_config
		63	which are not the default in
		64	.Xr sshd 8 :
		65	.Pp
		66	.Bl -bullet -offset indent -compact
		67	.It
		68	.Cm Include /etc/ssh/sshd_config.d/*.conf
		69	.It
		70	.Cm ChallengeResponseAuthentication No no
		71	.It
		72	.Cm X11Forwarding No yes
		73	.It
		74	.Cm PrintMotd No no
		75	.It
		76	.Cm AcceptEnv No LANG LC_*
		77	.It
		78	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		79	.It
		80	.Cm UsePAM No yes
		81	.El
		82	.Pp
		83	.Pa /etc/ssh/sshd_config.d/*.conf
		84	files are included at the start of the configuration file, so options set
		85	there will override those in
		86	.Pa /etc/ssh/sshd_config.
		87	.Pp
59	The possible	88	The possible
60	keywords and their meanings are as follows (note that	89	keywords and their meanings are as follows (note that
61	keywords are case-insensitive and arguments are case-sensitive):	90	keywords are case-insensitive and arguments are case-sensitive):