summaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2017-08-22 16:24:44 +0100
commitcf60afd3438c444e20b114fbd799168002c74aae (patch)
tree84d004fcc4229ddab1e3b7113a0c644c0305bd9f /sshd_config
parent49ea641997b0dce73df3271f10a875cb702729b7 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config16
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config
index c01dd6561..f68edf367 100644
--- a/sshd_config
+++ b/sshd_config
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
58#PasswordAuthentication yes 58#PasswordAuthentication yes
59#PermitEmptyPasswords no 59#PermitEmptyPasswords no
60 60
61# Change to no to disable s/key passwords 61# Change to yes to enable challenge-response passwords (beware issues with
62#ChallengeResponseAuthentication yes 62# some PAM modules and threads)
63ChallengeResponseAuthentication no
63 64
64# Kerberos options 65# Kerberos options
65#KerberosAuthentication no 66#KerberosAuthentication no
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
82# If you just want the PAM account and session checks to run without 83# If you just want the PAM account and session checks to run without
83# PAM authentication, then enable this but set PasswordAuthentication 84# PAM authentication, then enable this but set PasswordAuthentication
84# and ChallengeResponseAuthentication to 'no'. 85# and ChallengeResponseAuthentication to 'no'.
85#UsePAM no 86UsePAM yes
86 87
87#AllowAgentForwarding yes 88#AllowAgentForwarding yes
88#AllowTcpForwarding yes 89#AllowTcpForwarding yes
89#GatewayPorts no 90#GatewayPorts no
90#X11Forwarding no 91X11Forwarding yes
91#X11DisplayOffset 10 92#X11DisplayOffset 10
92#X11UseLocalhost yes 93#X11UseLocalhost yes
93#PermitTTY yes 94#PermitTTY yes
94#PrintMotd yes 95PrintMotd no
95#PrintLastLog yes 96#PrintLastLog yes
96#TCPKeepAlive yes 97#TCPKeepAlive yes
97#UseLogin no 98#UseLogin no
@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
109# no default banner path 110# no default banner path
110#Banner none 111#Banner none
111 112
113# Allow client to pass locale environment variables
114AcceptEnv LANG LC_*
115
112# override default of no subsystems 116# override default of no subsystems
113Subsystem sftp /usr/libexec/sftp-server 117Subsystem sftp /usr/lib/openssh/sftp-server
114 118
115# Example of overriding settings on a per-user basis 119# Example of overriding settings on a per-user basis
116#Match User anoncvs 120#Match User anoncvs