summaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:18 +0000
committerColin Watson <cjwatson@debian.org>2019-10-09 23:07:49 +0100
commit7abde40896668ce9debfe056c7dabc6a70ef7da4 (patch)
tree56e57f3b57350a1a18cf9798e728af6c12d4a3c7 /sshd_config
parentab765b2bd55062a704f09da8f8c1c4ad1d6630a7 (diff)
Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config16
1 files changed, 10 insertions, 6 deletions
diff --git a/sshd_config b/sshd_config
index 2c48105f8..ed8272f6d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
57#PasswordAuthentication yes 57#PasswordAuthentication yes
58#PermitEmptyPasswords no 58#PermitEmptyPasswords no
59 59
60# Change to no to disable s/key passwords 60# Change to yes to enable challenge-response passwords (beware issues with
61#ChallengeResponseAuthentication yes 61# some PAM modules and threads)
62ChallengeResponseAuthentication no
62 63
63# Kerberos options 64# Kerberos options
64#KerberosAuthentication no 65#KerberosAuthentication no
@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys
81# If you just want the PAM account and session checks to run without 82# If you just want the PAM account and session checks to run without
82# PAM authentication, then enable this but set PasswordAuthentication 83# PAM authentication, then enable this but set PasswordAuthentication
83# and ChallengeResponseAuthentication to 'no'. 84# and ChallengeResponseAuthentication to 'no'.
84#UsePAM no 85UsePAM yes
85 86
86#AllowAgentForwarding yes 87#AllowAgentForwarding yes
87#AllowTcpForwarding yes 88#AllowTcpForwarding yes
88#GatewayPorts no 89#GatewayPorts no
89#X11Forwarding no 90X11Forwarding yes
90#X11DisplayOffset 10 91#X11DisplayOffset 10
91#X11UseLocalhost yes 92#X11UseLocalhost yes
92#PermitTTY yes 93#PermitTTY yes
93#PrintMotd yes 94PrintMotd no
94#PrintLastLog yes 95#PrintLastLog yes
95#TCPKeepAlive yes 96#TCPKeepAlive yes
96#PermitUserEnvironment no 97#PermitUserEnvironment no
@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
107# no default banner path 108# no default banner path
108#Banner none 109#Banner none
109 110
111# Allow client to pass locale environment variables
112AcceptEnv LANG LC_*
113
110# override default of no subsystems 114# override default of no subsystems
111Subsystem sftp /usr/libexec/sftp-server 115Subsystem sftp /usr/lib/openssh/sftp-server
112 116
113# Example of overriding settings on a per-user basis 117# Example of overriding settings on a per-user basis
114#Match User anoncvs 118#Match User anoncvs