diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-03-29 01:40:56 +0100 |
commit | 78fc8282e021b0236697caedb612cab78831755f (patch) | |
tree | 19e3384aaaec6b0350f9edc6c04872c422ad7131 /sshd_config | |
parent | bd5c1cc302550e4caf8c3a6942f48a784f347b58 (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r-- | sshd_config | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config index c01dd6561..f68edf367 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
58 | #PasswordAuthentication yes | 58 | #PasswordAuthentication yes |
59 | #PermitEmptyPasswords no | 59 | #PermitEmptyPasswords no |
60 | 60 | ||
61 | # Change to no to disable s/key passwords | 61 | # Change to yes to enable challenge-response passwords (beware issues with |
62 | #ChallengeResponseAuthentication yes | 62 | # some PAM modules and threads) |
63 | ChallengeResponseAuthentication no | ||
63 | 64 | ||
64 | # Kerberos options | 65 | # Kerberos options |
65 | #KerberosAuthentication no | 66 | #KerberosAuthentication no |
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
82 | # If you just want the PAM account and session checks to run without | 83 | # If you just want the PAM account and session checks to run without |
83 | # PAM authentication, then enable this but set PasswordAuthentication | 84 | # PAM authentication, then enable this but set PasswordAuthentication |
84 | # and ChallengeResponseAuthentication to 'no'. | 85 | # and ChallengeResponseAuthentication to 'no'. |
85 | #UsePAM no | 86 | UsePAM yes |
86 | 87 | ||
87 | #AllowAgentForwarding yes | 88 | #AllowAgentForwarding yes |
88 | #AllowTcpForwarding yes | 89 | #AllowTcpForwarding yes |
89 | #GatewayPorts no | 90 | #GatewayPorts no |
90 | #X11Forwarding no | 91 | X11Forwarding yes |
91 | #X11DisplayOffset 10 | 92 | #X11DisplayOffset 10 |
92 | #X11UseLocalhost yes | 93 | #X11UseLocalhost yes |
93 | #PermitTTY yes | 94 | #PermitTTY yes |
94 | #PrintMotd yes | 95 | PrintMotd no |
95 | #PrintLastLog yes | 96 | #PrintLastLog yes |
96 | #TCPKeepAlive yes | 97 | #TCPKeepAlive yes |
97 | #UseLogin no | 98 | #UseLogin no |
@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
109 | # no default banner path | 110 | # no default banner path |
110 | #Banner none | 111 | #Banner none |
111 | 112 | ||
113 | # Allow client to pass locale environment variables | ||
114 | AcceptEnv LANG LC_* | ||
115 | |||
112 | # override default of no subsystems | 116 | # override default of no subsystems |
113 | Subsystem sftp /usr/libexec/sftp-server | 117 | Subsystem sftp /usr/lib/openssh/sftp-server |
114 | 118 | ||
115 | # Example of overriding settings on a per-user basis | 119 | # Example of overriding settings on a per-user basis |
116 | #Match User anoncvs | 120 | #Match User anoncvs |