summaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2016-12-26 00:58:25 +0000
commit41265d4fa6f5946719155a08a19717a4ca229454 (patch)
treea4e96623fbed610d945104feca7834ccb24d0f49 /sshd_config
parentc95bb2c6a018688e44481bf1d199607db567fd9e (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config16
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config
index 00e5a728b..13cbe2c66 100644
--- a/sshd_config
+++ b/sshd_config
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
58#PasswordAuthentication yes 58#PasswordAuthentication yes
59#PermitEmptyPasswords no 59#PermitEmptyPasswords no
60 60
61# Change to no to disable s/key passwords 61# Change to yes to enable challenge-response passwords (beware issues with
62#ChallengeResponseAuthentication yes 62# some PAM modules and threads)
63ChallengeResponseAuthentication no
63 64
64# Kerberos options 65# Kerberos options
65#KerberosAuthentication no 66#KerberosAuthentication no
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
82# If you just want the PAM account and session checks to run without 83# If you just want the PAM account and session checks to run without
83# PAM authentication, then enable this but set PasswordAuthentication 84# PAM authentication, then enable this but set PasswordAuthentication
84# and ChallengeResponseAuthentication to 'no'. 85# and ChallengeResponseAuthentication to 'no'.
85#UsePAM no 86UsePAM yes
86 87
87#AllowAgentForwarding yes 88#AllowAgentForwarding yes
88#AllowTcpForwarding yes 89#AllowTcpForwarding yes
89#GatewayPorts no 90#GatewayPorts no
90#X11Forwarding no 91X11Forwarding yes
91#X11DisplayOffset 10 92#X11DisplayOffset 10
92#X11UseLocalhost yes 93#X11UseLocalhost yes
93#PermitTTY yes 94#PermitTTY yes
94#PrintMotd yes 95PrintMotd no
95#PrintLastLog yes 96#PrintLastLog yes
96#TCPKeepAlive yes 97#TCPKeepAlive yes
97#UseLogin no 98#UseLogin no
@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys
110# no default banner path 111# no default banner path
111#Banner none 112#Banner none
112 113
114# Allow client to pass locale environment variables
115AcceptEnv LANG LC_*
116
113# override default of no subsystems 117# override default of no subsystems
114Subsystem sftp /usr/libexec/sftp-server 118Subsystem sftp /usr/lib/openssh/sftp-server
115 119
116# Example of overriding settings on a per-user basis 120# Example of overriding settings on a per-user basis
117#Match User anoncvs 121#Match User anoncvs