diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-08-24 17:49:07 +0100 |
| commit | 157278376c0eb6e4de3d47e8573684095a230685 (patch) | |
| tree | 02fd56a8b71afb41346d27c74f7bf7a8609e1706 /sshd_config | |
| parent | ba2be368348f9f411377f494e209faedf53903de (diff) | |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
| -rw-r--r-- | sshd_config | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config index 2c48105f8..ed8272f6d 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 57 | #PasswordAuthentication yes | 57 | #PasswordAuthentication yes |
| 58 | #PermitEmptyPasswords no | 58 | #PermitEmptyPasswords no |
| 59 | 59 | ||
| 60 | # Change to no to disable s/key passwords | 60 | # Change to yes to enable challenge-response passwords (beware issues with |
| 61 | #ChallengeResponseAuthentication yes | 61 | # some PAM modules and threads) |
| 62 | ChallengeResponseAuthentication no | ||
| 62 | 63 | ||
| 63 | # Kerberos options | 64 | # Kerberos options |
| 64 | #KerberosAuthentication no | 65 | #KerberosAuthentication no |
| @@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 81 | # If you just want the PAM account and session checks to run without | 82 | # If you just want the PAM account and session checks to run without |
| 82 | # PAM authentication, then enable this but set PasswordAuthentication | 83 | # PAM authentication, then enable this but set PasswordAuthentication |
| 83 | # and ChallengeResponseAuthentication to 'no'. | 84 | # and ChallengeResponseAuthentication to 'no'. |
| 84 | #UsePAM no | 85 | UsePAM yes |
| 85 | 86 | ||
| 86 | #AllowAgentForwarding yes | 87 | #AllowAgentForwarding yes |
| 87 | #AllowTcpForwarding yes | 88 | #AllowTcpForwarding yes |
| 88 | #GatewayPorts no | 89 | #GatewayPorts no |
| 89 | #X11Forwarding no | 90 | X11Forwarding yes |
| 90 | #X11DisplayOffset 10 | 91 | #X11DisplayOffset 10 |
| 91 | #X11UseLocalhost yes | 92 | #X11UseLocalhost yes |
| 92 | #PermitTTY yes | 93 | #PermitTTY yes |
| 93 | #PrintMotd yes | 94 | PrintMotd no |
| 94 | #PrintLastLog yes | 95 | #PrintLastLog yes |
| 95 | #TCPKeepAlive yes | 96 | #TCPKeepAlive yes |
| 96 | #PermitUserEnvironment no | 97 | #PermitUserEnvironment no |
| @@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 107 | # no default banner path | 108 | # no default banner path |
| 108 | #Banner none | 109 | #Banner none |
| 109 | 110 | ||
| 111 | # Allow client to pass locale environment variables | ||
| 112 | AcceptEnv LANG LC_* | ||
| 113 | |||
| 110 | # override default of no subsystems | 114 | # override default of no subsystems |
| 111 | Subsystem sftp /usr/libexec/sftp-server | 115 | Subsystem sftp /usr/lib/openssh/sftp-server |
| 112 | 116 | ||
| 113 | # Example of overriding settings on a per-user basis | 117 | # Example of overriding settings on a per-user basis |
| 114 | #Match User anoncvs | 118 | #Match User anoncvs |