summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config6
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config16
-rw-r--r--sshd_config.522
6 files changed, 77 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c
index c02cdf63a..d1091cbda 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
1927 if (options->forward_x11 == -1) 1927 if (options->forward_x11 == -1)
1928 options->forward_x11 = 0; 1928 options->forward_x11 = 0;
1929 if (options->forward_x11_trusted == -1) 1929 if (options->forward_x11_trusted == -1)
1930 options->forward_x11_trusted = 0; 1930 options->forward_x11_trusted = 1;
1931 if (options->forward_x11_timeout == -1) 1931 if (options->forward_x11_timeout == -1)
1932 options->forward_x11_timeout = 1200; 1932 options->forward_x11_timeout = 1200;
1933 /* 1933 /*
diff --git a/ssh.1 b/ssh.1
index 22e56a7b9..6aa57c462 100644
--- a/ssh.1
+++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
785.Xr ssh_config 5 785.Xr ssh_config 5
786for more information. 786for more information.
787.Pp 787.Pp
788(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
789restrictions by default, because too many programs currently crash in this
790mode.
791Set the
792.Cm ForwardX11Trusted
793option to
794.Dq no
795to restore the upstream behaviour.
796This may change in future depending on client-side improvements.)
797.Pp
788.It Fl x 798.It Fl x
789Disables X11 forwarding. 799Disables X11 forwarding.
790.Pp 800.Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
793Trusted X11 forwardings are not subjected to the X11 SECURITY extension 803Trusted X11 forwardings are not subjected to the X11 SECURITY extension
794controls. 804controls.
795.Pp 805.Pp
806(Debian-specific: This option does nothing in the default configuration: it
807is equivalent to
808.Dq Cm ForwardX11Trusted No yes ,
809which is the default as described above.
810Set the
811.Cm ForwardX11Trusted
812option to
813.Dq no
814to restore the upstream behaviour.
815This may change in future depending on client-side improvements.)
816.Pp
796.It Fl y 817.It Fl y
797Send log information using the 818Send log information using the
798.Xr syslog 3 819.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 4e879cd20..093c8366e 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -50,3 +51,6 @@
50# VisualHostKey no 51# VisualHostKey no
51# ProxyCommand ssh -q -W %h:%p gateway.example.com 52# ProxyCommand ssh -q -W %h:%p gateway.example.com
52# RekeyLimit 1G 1h 53# RekeyLimit 1G 1h
54 SendEnv LANG LC_*
55 HashKnownHosts yes
56 GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index 8698c28ee..26f983a3e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77Note that the Debian
78.Ic openssh-client
79package sets several options as standard in
80.Pa /etc/ssh/ssh_config
81which are not the default in
82.Xr ssh 1 :
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86.Cm SendEnv No LANG LC_*
87.It
88.Cm HashKnownHosts No yes
89.It
90.Cm GSSAPIAuthentication No yes
91.El
92.Pp
77The file contains keyword-argument pairs, one per line. 93The file contains keyword-argument pairs, one per line.
78Lines starting with 94Lines starting with
79.Ql # 95.Ql #
@@ -711,11 +727,12 @@ elapsed.
711.It Cm ForwardX11Trusted 727.It Cm ForwardX11Trusted
712If this option is set to 728If this option is set to
713.Cm yes , 729.Cm yes ,
730(the Debian-specific default),
714remote X11 clients will have full access to the original X11 display. 731remote X11 clients will have full access to the original X11 display.
715.Pp 732.Pp
716If this option is set to 733If this option is set to
717.Cm no 734.Cm no
718(the default), 735(the upstream default),
719remote X11 clients will be considered untrusted and prevented 736remote X11 clients will be considered untrusted and prevented
720from stealing or tampering with data belonging to trusted X11 737from stealing or tampering with data belonging to trusted X11
721clients. 738clients.
diff --git a/sshd_config b/sshd_config
index 00e5a728b..13cbe2c66 100644
--- a/sshd_config
+++ b/sshd_config
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
58#PasswordAuthentication yes 58#PasswordAuthentication yes
59#PermitEmptyPasswords no 59#PermitEmptyPasswords no
60 60
61# Change to no to disable s/key passwords 61# Change to yes to enable challenge-response passwords (beware issues with
62#ChallengeResponseAuthentication yes 62# some PAM modules and threads)
63ChallengeResponseAuthentication no
63 64
64# Kerberos options 65# Kerberos options
65#KerberosAuthentication no 66#KerberosAuthentication no
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
82# If you just want the PAM account and session checks to run without 83# If you just want the PAM account and session checks to run without
83# PAM authentication, then enable this but set PasswordAuthentication 84# PAM authentication, then enable this but set PasswordAuthentication
84# and ChallengeResponseAuthentication to 'no'. 85# and ChallengeResponseAuthentication to 'no'.
85#UsePAM no 86UsePAM yes
86 87
87#AllowAgentForwarding yes 88#AllowAgentForwarding yes
88#AllowTcpForwarding yes 89#AllowTcpForwarding yes
89#GatewayPorts no 90#GatewayPorts no
90#X11Forwarding no 91X11Forwarding yes
91#X11DisplayOffset 10 92#X11DisplayOffset 10
92#X11UseLocalhost yes 93#X11UseLocalhost yes
93#PermitTTY yes 94#PermitTTY yes
94#PrintMotd yes 95PrintMotd no
95#PrintLastLog yes 96#PrintLastLog yes
96#TCPKeepAlive yes 97#TCPKeepAlive yes
97#UseLogin no 98#UseLogin no
@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys
110# no default banner path 111# no default banner path
111#Banner none 112#Banner none
112 113
114# Allow client to pass locale environment variables
115AcceptEnv LANG LC_*
116
113# override default of no subsystems 117# override default of no subsystems
114Subsystem sftp /usr/libexec/sftp-server 118Subsystem sftp /usr/lib/openssh/sftp-server
115 119
116# Example of overriding settings on a per-user basis 120# Example of overriding settings on a per-user basis
117#Match User anoncvs 121#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index e45a89372..703a9cddc 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 :
66.Pp
67.Bl -bullet -offset indent -compact
68.It
69.Cm ChallengeResponseAuthentication No no
70.It
71.Cm X11Forwarding No yes
72.It
73.Cm PrintMotd No no
74.It
75.Cm AcceptEnv No LANG LC_*
76.It
77.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
78.It
79.Cm UsePAM No yes
80.El
81.Pp
60The possible 82The possible
61keywords and their meanings are as follows (note that 83keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 84keywords are case-insensitive and arguments are case-sensitive):