Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2015-12-07 Patch-Name: debian-config.patch
author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:18 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-02-29 12:35:37 +0000
commit: 85e40e87a75fb80a0bf893ac05a417d6c353537d (patch)
tree: 0f76f9976afd1622fe4fd2258fa0136a4ac75312 /sshd_config.5
parent: a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 4d255e5ce..2387b51b8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:18 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-02-29 12:35:37 +0000
commit	85e40e87a75fb80a0bf893ac05a417d6c353537d (patch)
tree	0f76f9976afd1622fe4fd2258fa0136a4ac75312 /sshd_config.5
parent	a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 4d255e5ce..2387b51b8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm ChallengeResponseAuthentication No no
		73	.It
		74	.Cm X11Forwarding No yes
		75	.It
		76	.Cm PrintMotd No no
		77	.It
		78	.Cm AcceptEnv No LANG LC_*
		79	.It
		80	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		81	.It
		82	.Cm UsePAM No yes
		83	.El
		84	.Pp
60	The possible	85	The possible
61	keywords and their meanings are as follows (note that	86	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	87	keywords are case-insensitive and arguments are case-sensitive):