summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config7
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config2
-rw-r--r--sshd_config.525
6 files changed, 72 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c
index f6b4c8f1e..5cd51f3e6 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1928,7 +1928,7 @@ fill_default_options(Options * options)
1928 if (options->forward_x11 == -1) 1928 if (options->forward_x11 == -1)
1929 options->forward_x11 = 0; 1929 options->forward_x11 = 0;
1930 if (options->forward_x11_trusted == -1) 1930 if (options->forward_x11_trusted == -1)
1931 options->forward_x11_trusted = 0; 1931 options->forward_x11_trusted = 1;
1932 if (options->forward_x11_timeout == -1) 1932 if (options->forward_x11_timeout == -1)
1933 options->forward_x11_timeout = 1200; 1933 options->forward_x11_timeout = 1200;
1934 /* 1934 /*
diff --git a/ssh.1 b/ssh.1
index 22e56a7b9..6aa57c462 100644
--- a/ssh.1
+++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
785.Xr ssh_config 5 785.Xr ssh_config 5
786for more information. 786for more information.
787.Pp 787.Pp
788(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
789restrictions by default, because too many programs currently crash in this
790mode.
791Set the
792.Cm ForwardX11Trusted
793option to
794.Dq no
795to restore the upstream behaviour.
796This may change in future depending on client-side improvements.)
797.Pp
788.It Fl x 798.It Fl x
789Disables X11 forwarding. 799Disables X11 forwarding.
790.Pp 800.Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
793Trusted X11 forwardings are not subjected to the X11 SECURITY extension 803Trusted X11 forwardings are not subjected to the X11 SECURITY extension
794controls. 804controls.
795.Pp 805.Pp
806(Debian-specific: This option does nothing in the default configuration: it
807is equivalent to
808.Dq Cm ForwardX11Trusted No yes ,
809which is the default as described above.
810Set the
811.Cm ForwardX11Trusted
812option to
813.Dq no
814to restore the upstream behaviour.
815This may change in future depending on client-side improvements.)
816.Pp
796.It Fl y 817.It Fl y
797Send log information using the 818Send log information using the
798.Xr syslog 3 819.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 4e879cd20..5190b06b1 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -50,3 +51,7 @@
50# VisualHostKey no 51# VisualHostKey no
51# ProxyCommand ssh -q -W %h:%p gateway.example.com 52# ProxyCommand ssh -q -W %h:%p gateway.example.com
52# RekeyLimit 1G 1h 53# RekeyLimit 1G 1h
54 SendEnv LANG LC_*
55 HashKnownHosts yes
56 GSSAPIAuthentication yes
57 GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index 30c97a9b9..c96725862 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77Note that the Debian
78.Ic openssh-client
79package sets several options as standard in
80.Pa /etc/ssh/ssh_config
81which are not the default in
82.Xr ssh 1 :
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86.Cm SendEnv No LANG LC_*
87.It
88.Cm HashKnownHosts No yes
89.It
90.Cm GSSAPIAuthentication No yes
91.El
92.Pp
77The configuration file has the following format: 93The configuration file has the following format:
78.Pp 94.Pp
79Empty lines and lines starting with 95Empty lines and lines starting with
@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes.
799Remote clients will be refused access after this time. 815Remote clients will be refused access after this time.
800.Pp 816.Pp
801The default is 817The default is
802.Dq no . 818.Dq yes
819(Debian-specific).
803.Pp 820.Pp
804See the X11 SECURITY extension specification for full details on 821See the X11 SECURITY extension specification for full details on
805the restrictions imposed on untrusted clients. 822the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 3fe3e017e..ec8ff8f19 100644
--- a/sshd_config
+++ b/sshd_config
@@ -124,7 +124,7 @@ AuthorizedKeysFile .ssh/authorized_keys
124#Banner none 124#Banner none
125 125
126# override default of no subsystems 126# override default of no subsystems
127Subsystem sftp /usr/libexec/sftp-server 127Subsystem sftp /usr/lib/openssh/sftp-server
128 128
129# Example of overriding settings on a per-user basis 129# Example of overriding settings on a per-user basis
130#Match User anoncvs 130#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index b2b349e1b..79f2d611f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 .
66The exact list depends on whether the package was installed fresh or
67upgraded from various possible previous versions, but includes at least the
68following:
69.Pp
70.Bl -bullet -offset indent -compact
71.It
72.Cm ChallengeResponseAuthentication No no
73.It
74.Cm X11Forwarding No yes
75.It
76.Cm PrintMotd No no
77.It
78.Cm AcceptEnv No LANG LC_*
79.It
80.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
81.It
82.Cm UsePAM No yes
83.El
84.Pp
60The possible 85The possible
61keywords and their meanings are as follows (note that 86keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 87keywords are case-insensitive and arguments are case-sensitive):