summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config6
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config16
-rw-r--r--sshd_config.522
6 files changed, 77 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c
index 70fac6824..4d92d174b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1950,7 +1950,7 @@ fill_default_options(Options * options)
1950 if (options->forward_x11 == -1) 1950 if (options->forward_x11 == -1)
1951 options->forward_x11 = 0; 1951 options->forward_x11 = 0;
1952 if (options->forward_x11_trusted == -1) 1952 if (options->forward_x11_trusted == -1)
1953 options->forward_x11_trusted = 0; 1953 options->forward_x11_trusted = 1;
1954 if (options->forward_x11_timeout == -1) 1954 if (options->forward_x11_timeout == -1)
1955 options->forward_x11_timeout = 1200; 1955 options->forward_x11_timeout = 1200;
1956 /* 1956 /*
diff --git a/ssh.1 b/ssh.1
index 22e56a7b9..6aa57c462 100644
--- a/ssh.1
+++ b/ssh.1
@@ -785,6 +785,16 @@ directive in
785.Xr ssh_config 5 785.Xr ssh_config 5
786for more information. 786for more information.
787.Pp 787.Pp
788(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
789restrictions by default, because too many programs currently crash in this
790mode.
791Set the
792.Cm ForwardX11Trusted
793option to
794.Dq no
795to restore the upstream behaviour.
796This may change in future depending on client-side improvements.)
797.Pp
788.It Fl x 798.It Fl x
789Disables X11 forwarding. 799Disables X11 forwarding.
790.Pp 800.Pp
@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
793Trusted X11 forwardings are not subjected to the X11 SECURITY extension 803Trusted X11 forwardings are not subjected to the X11 SECURITY extension
794controls. 804controls.
795.Pp 805.Pp
806(Debian-specific: This option does nothing in the default configuration: it
807is equivalent to
808.Dq Cm ForwardX11Trusted No yes ,
809which is the default as described above.
810Set the
811.Cm ForwardX11Trusted
812option to
813.Dq no
814to restore the upstream behaviour.
815This may change in future depending on client-side improvements.)
816.Pp
796.It Fl y 817.It Fl y
797Send log information using the 818Send log information using the
798.Xr syslog 3 819.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 4e879cd20..093c8366e 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -50,3 +51,6 @@
50# VisualHostKey no 51# VisualHostKey no
51# ProxyCommand ssh -q -W %h:%p gateway.example.com 52# ProxyCommand ssh -q -W %h:%p gateway.example.com
52# RekeyLimit 1G 1h 53# RekeyLimit 1G 1h
54 SendEnv LANG LC_*
55 HashKnownHosts yes
56 GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index 093ea8a71..fc13fa510 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77Note that the Debian
78.Ic openssh-client
79package sets several options as standard in
80.Pa /etc/ssh/ssh_config
81which are not the default in
82.Xr ssh 1 :
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86.Cm SendEnv No LANG LC_*
87.It
88.Cm HashKnownHosts No yes
89.It
90.Cm GSSAPIAuthentication No yes
91.El
92.Pp
77The file contains keyword-argument pairs, one per line. 93The file contains keyword-argument pairs, one per line.
78Lines starting with 94Lines starting with
79.Ql # 95.Ql #
@@ -715,11 +731,12 @@ elapsed.
715.It Cm ForwardX11Trusted 731.It Cm ForwardX11Trusted
716If this option is set to 732If this option is set to
717.Cm yes , 733.Cm yes ,
734(the Debian-specific default),
718remote X11 clients will have full access to the original X11 display. 735remote X11 clients will have full access to the original X11 display.
719.Pp 736.Pp
720If this option is set to 737If this option is set to
721.Cm no 738.Cm no
722(the default), 739(the upstream default),
723remote X11 clients will be considered untrusted and prevented 740remote X11 clients will be considered untrusted and prevented
724from stealing or tampering with data belonging to trusted X11 741from stealing or tampering with data belonging to trusted X11
725clients. 742clients.
diff --git a/sshd_config b/sshd_config
index c01dd6561..f68edf367 100644
--- a/sshd_config
+++ b/sshd_config
@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
58#PasswordAuthentication yes 58#PasswordAuthentication yes
59#PermitEmptyPasswords no 59#PermitEmptyPasswords no
60 60
61# Change to no to disable s/key passwords 61# Change to yes to enable challenge-response passwords (beware issues with
62#ChallengeResponseAuthentication yes 62# some PAM modules and threads)
63ChallengeResponseAuthentication no
63 64
64# Kerberos options 65# Kerberos options
65#KerberosAuthentication no 66#KerberosAuthentication no
@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
82# If you just want the PAM account and session checks to run without 83# If you just want the PAM account and session checks to run without
83# PAM authentication, then enable this but set PasswordAuthentication 84# PAM authentication, then enable this but set PasswordAuthentication
84# and ChallengeResponseAuthentication to 'no'. 85# and ChallengeResponseAuthentication to 'no'.
85#UsePAM no 86UsePAM yes
86 87
87#AllowAgentForwarding yes 88#AllowAgentForwarding yes
88#AllowTcpForwarding yes 89#AllowTcpForwarding yes
89#GatewayPorts no 90#GatewayPorts no
90#X11Forwarding no 91X11Forwarding yes
91#X11DisplayOffset 10 92#X11DisplayOffset 10
92#X11UseLocalhost yes 93#X11UseLocalhost yes
93#PermitTTY yes 94#PermitTTY yes
94#PrintMotd yes 95PrintMotd no
95#PrintLastLog yes 96#PrintLastLog yes
96#TCPKeepAlive yes 97#TCPKeepAlive yes
97#UseLogin no 98#UseLogin no
@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
109# no default banner path 110# no default banner path
110#Banner none 111#Banner none
111 112
113# Allow client to pass locale environment variables
114AcceptEnv LANG LC_*
115
112# override default of no subsystems 116# override default of no subsystems
113Subsystem sftp /usr/libexec/sftp-server 117Subsystem sftp /usr/lib/openssh/sftp-server
114 118
115# Example of overriding settings on a per-user basis 119# Example of overriding settings on a per-user basis
116#Match User anoncvs 120#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 603c2ba7e..cc5d9fb0a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 :
66.Pp
67.Bl -bullet -offset indent -compact
68.It
69.Cm ChallengeResponseAuthentication No no
70.It
71.Cm X11Forwarding No yes
72.It
73.Cm PrintMotd No no
74.It
75.Cm AcceptEnv No LANG LC_*
76.It
77.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
78.It
79.Cm UsePAM No yes
80.El
81.Pp
60The possible 82The possible
61keywords and their meanings are as follows (note that 83keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 84keywords are case-insensitive and arguments are case-sensitive):