diff options
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | ssh.1 | 21 | ||||
-rw-r--r-- | ssh_config | 6 | ||||
-rw-r--r-- | ssh_config.5 | 19 | ||||
-rw-r--r-- | sshd_config | 16 | ||||
-rw-r--r-- | sshd_config.5 | 22 |
6 files changed, 77 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c index c02cdf63a..d1091cbda 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1927,7 +1927,7 @@ fill_default_options(Options * options) | |||
1927 | if (options->forward_x11 == -1) | 1927 | if (options->forward_x11 == -1) |
1928 | options->forward_x11 = 0; | 1928 | options->forward_x11 = 0; |
1929 | if (options->forward_x11_trusted == -1) | 1929 | if (options->forward_x11_trusted == -1) |
1930 | options->forward_x11_trusted = 0; | 1930 | options->forward_x11_trusted = 1; |
1931 | if (options->forward_x11_timeout == -1) | 1931 | if (options->forward_x11_timeout == -1) |
1932 | options->forward_x11_timeout = 1200; | 1932 | options->forward_x11_timeout = 1200; |
1933 | /* | 1933 | /* |
@@ -785,6 +785,16 @@ directive in | |||
785 | .Xr ssh_config 5 | 785 | .Xr ssh_config 5 |
786 | for more information. | 786 | for more information. |
787 | .Pp | 787 | .Pp |
788 | (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | ||
789 | restrictions by default, because too many programs currently crash in this | ||
790 | mode. | ||
791 | Set the | ||
792 | .Cm ForwardX11Trusted | ||
793 | option to | ||
794 | .Dq no | ||
795 | to restore the upstream behaviour. | ||
796 | This may change in future depending on client-side improvements.) | ||
797 | .Pp | ||
788 | .It Fl x | 798 | .It Fl x |
789 | Disables X11 forwarding. | 799 | Disables X11 forwarding. |
790 | .Pp | 800 | .Pp |
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding. | |||
793 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 803 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
794 | controls. | 804 | controls. |
795 | .Pp | 805 | .Pp |
806 | (Debian-specific: This option does nothing in the default configuration: it | ||
807 | is equivalent to | ||
808 | .Dq Cm ForwardX11Trusted No yes , | ||
809 | which is the default as described above. | ||
810 | Set the | ||
811 | .Cm ForwardX11Trusted | ||
812 | option to | ||
813 | .Dq no | ||
814 | to restore the upstream behaviour. | ||
815 | This may change in future depending on client-side improvements.) | ||
816 | .Pp | ||
796 | .It Fl y | 817 | .It Fl y |
797 | Send log information using the | 818 | Send log information using the |
798 | .Xr syslog 3 | 819 | .Xr syslog 3 |
diff --git a/ssh_config b/ssh_config index 4e879cd20..093c8366e 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -17,9 +17,10 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | # Host * | 20 | Host * |
21 | # ForwardAgent no | 21 | # ForwardAgent no |
22 | # ForwardX11 no | 22 | # ForwardX11 no |
23 | # ForwardX11Trusted yes | ||
23 | # RhostsRSAAuthentication no | 24 | # RhostsRSAAuthentication no |
24 | # RSAAuthentication yes | 25 | # RSAAuthentication yes |
25 | # PasswordAuthentication yes | 26 | # PasswordAuthentication yes |
@@ -50,3 +51,6 @@ | |||
50 | # VisualHostKey no | 51 | # VisualHostKey no |
51 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 52 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
52 | # RekeyLimit 1G 1h | 53 | # RekeyLimit 1G 1h |
54 | SendEnv LANG LC_* | ||
55 | HashKnownHosts yes | ||
56 | GSSAPIAuthentication yes | ||
diff --git a/ssh_config.5 b/ssh_config.5 index 8698c28ee..26f983a3e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more | |||
74 | host-specific declarations should be given near the beginning of the | 74 | host-specific declarations should be given near the beginning of the |
75 | file, and general defaults at the end. | 75 | file, and general defaults at the end. |
76 | .Pp | 76 | .Pp |
77 | Note that the Debian | ||
78 | .Ic openssh-client | ||
79 | package sets several options as standard in | ||
80 | .Pa /etc/ssh/ssh_config | ||
81 | which are not the default in | ||
82 | .Xr ssh 1 : | ||
83 | .Pp | ||
84 | .Bl -bullet -offset indent -compact | ||
85 | .It | ||
86 | .Cm SendEnv No LANG LC_* | ||
87 | .It | ||
88 | .Cm HashKnownHosts No yes | ||
89 | .It | ||
90 | .Cm GSSAPIAuthentication No yes | ||
91 | .El | ||
92 | .Pp | ||
77 | The file contains keyword-argument pairs, one per line. | 93 | The file contains keyword-argument pairs, one per line. |
78 | Lines starting with | 94 | Lines starting with |
79 | .Ql # | 95 | .Ql # |
@@ -711,11 +727,12 @@ elapsed. | |||
711 | .It Cm ForwardX11Trusted | 727 | .It Cm ForwardX11Trusted |
712 | If this option is set to | 728 | If this option is set to |
713 | .Cm yes , | 729 | .Cm yes , |
730 | (the Debian-specific default), | ||
714 | remote X11 clients will have full access to the original X11 display. | 731 | remote X11 clients will have full access to the original X11 display. |
715 | .Pp | 732 | .Pp |
716 | If this option is set to | 733 | If this option is set to |
717 | .Cm no | 734 | .Cm no |
718 | (the default), | 735 | (the upstream default), |
719 | remote X11 clients will be considered untrusted and prevented | 736 | remote X11 clients will be considered untrusted and prevented |
720 | from stealing or tampering with data belonging to trusted X11 | 737 | from stealing or tampering with data belonging to trusted X11 |
721 | clients. | 738 | clients. |
diff --git a/sshd_config b/sshd_config index 00e5a728b..13cbe2c66 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
58 | #PasswordAuthentication yes | 58 | #PasswordAuthentication yes |
59 | #PermitEmptyPasswords no | 59 | #PermitEmptyPasswords no |
60 | 60 | ||
61 | # Change to no to disable s/key passwords | 61 | # Change to yes to enable challenge-response passwords (beware issues with |
62 | #ChallengeResponseAuthentication yes | 62 | # some PAM modules and threads) |
63 | ChallengeResponseAuthentication no | ||
63 | 64 | ||
64 | # Kerberos options | 65 | # Kerberos options |
65 | #KerberosAuthentication no | 66 | #KerberosAuthentication no |
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
82 | # If you just want the PAM account and session checks to run without | 83 | # If you just want the PAM account and session checks to run without |
83 | # PAM authentication, then enable this but set PasswordAuthentication | 84 | # PAM authentication, then enable this but set PasswordAuthentication |
84 | # and ChallengeResponseAuthentication to 'no'. | 85 | # and ChallengeResponseAuthentication to 'no'. |
85 | #UsePAM no | 86 | UsePAM yes |
86 | 87 | ||
87 | #AllowAgentForwarding yes | 88 | #AllowAgentForwarding yes |
88 | #AllowTcpForwarding yes | 89 | #AllowTcpForwarding yes |
89 | #GatewayPorts no | 90 | #GatewayPorts no |
90 | #X11Forwarding no | 91 | X11Forwarding yes |
91 | #X11DisplayOffset 10 | 92 | #X11DisplayOffset 10 |
92 | #X11UseLocalhost yes | 93 | #X11UseLocalhost yes |
93 | #PermitTTY yes | 94 | #PermitTTY yes |
94 | #PrintMotd yes | 95 | PrintMotd no |
95 | #PrintLastLog yes | 96 | #PrintLastLog yes |
96 | #TCPKeepAlive yes | 97 | #TCPKeepAlive yes |
97 | #UseLogin no | 98 | #UseLogin no |
@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
110 | # no default banner path | 111 | # no default banner path |
111 | #Banner none | 112 | #Banner none |
112 | 113 | ||
114 | # Allow client to pass locale environment variables | ||
115 | AcceptEnv LANG LC_* | ||
116 | |||
113 | # override default of no subsystems | 117 | # override default of no subsystems |
114 | Subsystem sftp /usr/libexec/sftp-server | 118 | Subsystem sftp /usr/lib/openssh/sftp-server |
115 | 119 | ||
116 | # Example of overriding settings on a per-user basis | 120 | # Example of overriding settings on a per-user basis |
117 | #Match User anoncvs | 121 | #Match User anoncvs |
diff --git a/sshd_config.5 b/sshd_config.5 index e45a89372..703a9cddc 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes | |||
57 | .Pq \&" | 57 | .Pq \&" |
58 | in order to represent arguments containing spaces. | 58 | in order to represent arguments containing spaces. |
59 | .Pp | 59 | .Pp |
60 | Note that the Debian | ||
61 | .Ic openssh-server | ||
62 | package sets several options as standard in | ||
63 | .Pa /etc/ssh/sshd_config | ||
64 | which are not the default in | ||
65 | .Xr sshd 8 : | ||
66 | .Pp | ||
67 | .Bl -bullet -offset indent -compact | ||
68 | .It | ||
69 | .Cm ChallengeResponseAuthentication No no | ||
70 | .It | ||
71 | .Cm X11Forwarding No yes | ||
72 | .It | ||
73 | .Cm PrintMotd No no | ||
74 | .It | ||
75 | .Cm AcceptEnv No LANG LC_* | ||
76 | .It | ||
77 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
78 | .It | ||
79 | .Cm UsePAM No yes | ||
80 | .El | ||
81 | .Pp | ||
60 | The possible | 82 | The possible |
61 | keywords and their meanings are as follows (note that | 83 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 84 | keywords are case-insensitive and arguments are case-sensitive): |