diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 14:45:02 +0000 |
commit | 8086961f9f4ad834e9c3b09b6e2c80273be1c506 (patch) | |
tree | 8fe8ff2f139a625e4c90b536593f6bc9811865e6 /sshd_config | |
parent | a208834b2d1811dac7054d7fdcdd04672f8b19f6 (diff) |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r-- | sshd_config | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config index 2c48105f8..459c1b230 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -10,6 +10,8 @@ | |||
10 | # possible, but leave them commented. Uncommented options override the | 10 | # possible, but leave them commented. Uncommented options override the |
11 | # default value. | 11 | # default value. |
12 | 12 | ||
13 | Include /etc/ssh/sshd_config.d/*.conf | ||
14 | |||
13 | #Port 22 | 15 | #Port 22 |
14 | #AddressFamily any | 16 | #AddressFamily any |
15 | #ListenAddress 0.0.0.0 | 17 | #ListenAddress 0.0.0.0 |
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
57 | #PasswordAuthentication yes | 59 | #PasswordAuthentication yes |
58 | #PermitEmptyPasswords no | 60 | #PermitEmptyPasswords no |
59 | 61 | ||
60 | # Change to no to disable s/key passwords | 62 | # Change to yes to enable challenge-response passwords (beware issues with |
61 | #ChallengeResponseAuthentication yes | 63 | # some PAM modules and threads) |
64 | ChallengeResponseAuthentication no | ||
62 | 65 | ||
63 | # Kerberos options | 66 | # Kerberos options |
64 | #KerberosAuthentication no | 67 | #KerberosAuthentication no |
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
81 | # If you just want the PAM account and session checks to run without | 84 | # If you just want the PAM account and session checks to run without |
82 | # PAM authentication, then enable this but set PasswordAuthentication | 85 | # PAM authentication, then enable this but set PasswordAuthentication |
83 | # and ChallengeResponseAuthentication to 'no'. | 86 | # and ChallengeResponseAuthentication to 'no'. |
84 | #UsePAM no | 87 | UsePAM yes |
85 | 88 | ||
86 | #AllowAgentForwarding yes | 89 | #AllowAgentForwarding yes |
87 | #AllowTcpForwarding yes | 90 | #AllowTcpForwarding yes |
88 | #GatewayPorts no | 91 | #GatewayPorts no |
89 | #X11Forwarding no | 92 | X11Forwarding yes |
90 | #X11DisplayOffset 10 | 93 | #X11DisplayOffset 10 |
91 | #X11UseLocalhost yes | 94 | #X11UseLocalhost yes |
92 | #PermitTTY yes | 95 | #PermitTTY yes |
93 | #PrintMotd yes | 96 | PrintMotd no |
94 | #PrintLastLog yes | 97 | #PrintLastLog yes |
95 | #TCPKeepAlive yes | 98 | #TCPKeepAlive yes |
96 | #PermitUserEnvironment no | 99 | #PermitUserEnvironment no |
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
107 | # no default banner path | 110 | # no default banner path |
108 | #Banner none | 111 | #Banner none |
109 | 112 | ||
113 | # Allow client to pass locale environment variables | ||
114 | AcceptEnv LANG LC_* | ||
115 | |||
110 | # override default of no subsystems | 116 | # override default of no subsystems |
111 | Subsystem sftp /usr/libexec/sftp-server | 117 | Subsystem sftp /usr/lib/openssh/sftp-server |
112 | 118 | ||
113 | # Example of overriding settings on a per-user basis | 119 | # Example of overriding settings on a per-user basis |
114 | #Match User anoncvs | 120 | #Match User anoncvs |