diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-26 00:58:25 +0000 |
commit | 41265d4fa6f5946719155a08a19717a4ca229454 (patch) | |
tree | a4e96623fbed610d945104feca7834ccb24d0f49 /sshd_config | |
parent | c95bb2c6a018688e44481bf1d199607db567fd9e (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r-- | sshd_config | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config index 00e5a728b..13cbe2c66 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
58 | #PasswordAuthentication yes | 58 | #PasswordAuthentication yes |
59 | #PermitEmptyPasswords no | 59 | #PermitEmptyPasswords no |
60 | 60 | ||
61 | # Change to no to disable s/key passwords | 61 | # Change to yes to enable challenge-response passwords (beware issues with |
62 | #ChallengeResponseAuthentication yes | 62 | # some PAM modules and threads) |
63 | ChallengeResponseAuthentication no | ||
63 | 64 | ||
64 | # Kerberos options | 65 | # Kerberos options |
65 | #KerberosAuthentication no | 66 | #KerberosAuthentication no |
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
82 | # If you just want the PAM account and session checks to run without | 83 | # If you just want the PAM account and session checks to run without |
83 | # PAM authentication, then enable this but set PasswordAuthentication | 84 | # PAM authentication, then enable this but set PasswordAuthentication |
84 | # and ChallengeResponseAuthentication to 'no'. | 85 | # and ChallengeResponseAuthentication to 'no'. |
85 | #UsePAM no | 86 | UsePAM yes |
86 | 87 | ||
87 | #AllowAgentForwarding yes | 88 | #AllowAgentForwarding yes |
88 | #AllowTcpForwarding yes | 89 | #AllowTcpForwarding yes |
89 | #GatewayPorts no | 90 | #GatewayPorts no |
90 | #X11Forwarding no | 91 | X11Forwarding yes |
91 | #X11DisplayOffset 10 | 92 | #X11DisplayOffset 10 |
92 | #X11UseLocalhost yes | 93 | #X11UseLocalhost yes |
93 | #PermitTTY yes | 94 | #PermitTTY yes |
94 | #PrintMotd yes | 95 | PrintMotd no |
95 | #PrintLastLog yes | 96 | #PrintLastLog yes |
96 | #TCPKeepAlive yes | 97 | #TCPKeepAlive yes |
97 | #UseLogin no | 98 | #UseLogin no |
@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
110 | # no default banner path | 111 | # no default banner path |
111 | #Banner none | 112 | #Banner none |
112 | 113 | ||
114 | # Allow client to pass locale environment variables | ||
115 | AcceptEnv LANG LC_* | ||
116 | |||
113 | # override default of no subsystems | 117 | # override default of no subsystems |
114 | Subsystem sftp /usr/libexec/sftp-server | 118 | Subsystem sftp /usr/lib/openssh/sftp-server |
115 | 119 | ||
116 | # Example of overriding settings on a per-user basis | 120 | # Example of overriding settings on a per-user basis |
117 | #Match User anoncvs | 121 | #Match User anoncvs |