diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:18 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-10-04 13:54:48 +0100 |
| commit | 4847e512c0b94c615b838904a5f139a761bee284 (patch) | |
| tree | f4784e39f9700a109ce869711b69ecfaa81d6f09 /sshd_config | |
| parent | ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd (diff) | |
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
| -rw-r--r-- | sshd_config | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config index c01dd6561..f68edf367 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 58 | #PasswordAuthentication yes | 58 | #PasswordAuthentication yes |
| 59 | #PermitEmptyPasswords no | 59 | #PermitEmptyPasswords no |
| 60 | 60 | ||
| 61 | # Change to no to disable s/key passwords | 61 | # Change to yes to enable challenge-response passwords (beware issues with |
| 62 | #ChallengeResponseAuthentication yes | 62 | # some PAM modules and threads) |
| 63 | ChallengeResponseAuthentication no | ||
| 63 | 64 | ||
| 64 | # Kerberos options | 65 | # Kerberos options |
| 65 | #KerberosAuthentication no | 66 | #KerberosAuthentication no |
| @@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 82 | # If you just want the PAM account and session checks to run without | 83 | # If you just want the PAM account and session checks to run without |
| 83 | # PAM authentication, then enable this but set PasswordAuthentication | 84 | # PAM authentication, then enable this but set PasswordAuthentication |
| 84 | # and ChallengeResponseAuthentication to 'no'. | 85 | # and ChallengeResponseAuthentication to 'no'. |
| 85 | #UsePAM no | 86 | UsePAM yes |
| 86 | 87 | ||
| 87 | #AllowAgentForwarding yes | 88 | #AllowAgentForwarding yes |
| 88 | #AllowTcpForwarding yes | 89 | #AllowTcpForwarding yes |
| 89 | #GatewayPorts no | 90 | #GatewayPorts no |
| 90 | #X11Forwarding no | 91 | X11Forwarding yes |
| 91 | #X11DisplayOffset 10 | 92 | #X11DisplayOffset 10 |
| 92 | #X11UseLocalhost yes | 93 | #X11UseLocalhost yes |
| 93 | #PermitTTY yes | 94 | #PermitTTY yes |
| 94 | #PrintMotd yes | 95 | PrintMotd no |
| 95 | #PrintLastLog yes | 96 | #PrintLastLog yes |
| 96 | #TCPKeepAlive yes | 97 | #TCPKeepAlive yes |
| 97 | #UseLogin no | 98 | #UseLogin no |
| @@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
| 109 | # no default banner path | 110 | # no default banner path |
| 110 | #Banner none | 111 | #Banner none |
| 111 | 112 | ||
| 113 | # Allow client to pass locale environment variables | ||
| 114 | AcceptEnv LANG LC_* | ||
| 115 | |||
| 112 | # override default of no subsystems | 116 | # override default of no subsystems |
| 113 | Subsystem sftp /usr/libexec/sftp-server | 117 | Subsystem sftp /usr/lib/openssh/sftp-server |
| 114 | 118 | ||
| 115 | # Example of overriding settings on a per-user basis | 119 | # Example of overriding settings on a per-user basis |
| 116 | #Match User anoncvs | 120 | #Match User anoncvs |