summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--readconf.c2
-rw-r--r--ssh.121
-rw-r--r--ssh_config7
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config2
-rw-r--r--sshd_config.525
6 files changed, 72 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c
index b9442fd5b..ee46ad623 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
1749 if (options->forward_x11 == -1) 1749 if (options->forward_x11 == -1)
1750 options->forward_x11 = 0; 1750 options->forward_x11 = 0;
1751 if (options->forward_x11_trusted == -1) 1751 if (options->forward_x11_trusted == -1)
1752 options->forward_x11_trusted = 0; 1752 options->forward_x11_trusted = 1;
1753 if (options->forward_x11_timeout == -1) 1753 if (options->forward_x11_timeout == -1)
1754 options->forward_x11_timeout = 1200; 1754 options->forward_x11_timeout = 1200;
1755 if (options->exit_on_forward_failure == -1) 1755 if (options->exit_on_forward_failure == -1)
diff --git a/ssh.1 b/ssh.1
index 05b7f107b..649d6c303 100644
--- a/ssh.1
+++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
755.Xr ssh_config 5 755.Xr ssh_config 5
756for more information. 756for more information.
757.Pp 757.Pp
758(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
759restrictions by default, because too many programs currently crash in this
760mode.
761Set the
762.Cm ForwardX11Trusted
763option to
764.Dq no
765to restore the upstream behaviour.
766This may change in future depending on client-side improvements.)
767.Pp
758.It Fl x 768.It Fl x
759Disables X11 forwarding. 769Disables X11 forwarding.
760.Pp 770.Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
763Trusted X11 forwardings are not subjected to the X11 SECURITY extension 773Trusted X11 forwardings are not subjected to the X11 SECURITY extension
764controls. 774controls.
765.Pp 775.Pp
776(Debian-specific: This option does nothing in the default configuration: it
777is equivalent to
778.Dq Cm ForwardX11Trusted No yes ,
779which is the default as described above.
780Set the
781.Cm ForwardX11Trusted
782option to
783.Dq no
784to restore the upstream behaviour.
785This may change in future depending on client-side improvements.)
786.Pp
766.It Fl y 787.It Fl y
767Send log information using the 788Send log information using the
768.Xr syslog 3 789.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 228e5abce..c9386aadd 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
17# list of available options, their meanings and defaults, please see the 17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page. 18# ssh_config(5) man page.
19 19
20# Host * 20Host *
21# ForwardAgent no 21# ForwardAgent no
22# ForwardX11 no 22# ForwardX11 no
23# ForwardX11Trusted yes
23# RhostsRSAAuthentication no 24# RhostsRSAAuthentication no
24# RSAAuthentication yes 25# RSAAuthentication yes
25# PasswordAuthentication yes 26# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48# VisualHostKey no 49# VisualHostKey no
49# ProxyCommand ssh -q -W %h:%p gateway.example.com 50# ProxyCommand ssh -q -W %h:%p gateway.example.com
50# RekeyLimit 1G 1h 51# RekeyLimit 1G 1h
52 SendEnv LANG LC_*
53 HashKnownHosts yes
54 GSSAPIAuthentication yes
55 GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index d4928b861..81b9b740f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77Note that the Debian
78.Ic openssh-client
79package sets several options as standard in
80.Pa /etc/ssh/ssh_config
81which are not the default in
82.Xr ssh 1 :
83.Pp
84.Bl -bullet -offset indent -compact
85.It
86.Cm SendEnv No LANG LC_*
87.It
88.Cm HashKnownHosts No yes
89.It
90.Cm GSSAPIAuthentication No yes
91.El
92.Pp
77The configuration file has the following format: 93The configuration file has the following format:
78.Pp 94.Pp
79Empty lines and lines starting with 95Empty lines and lines starting with
@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
721Remote clients will be refused access after this time. 737Remote clients will be refused access after this time.
722.Pp 738.Pp
723The default is 739The default is
724.Dq no . 740.Dq yes
741(Debian-specific).
725.Pp 742.Pp
726See the X11 SECURITY extension specification for full details on 743See the X11 SECURITY extension specification for full details on
727the restrictions imposed on untrusted clients. 744the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 64786c935..d8338dbd2 100644
--- a/sshd_config
+++ b/sshd_config
@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
125#Banner none 125#Banner none
126 126
127# override default of no subsystems 127# override default of no subsystems
128Subsystem sftp /usr/libexec/sftp-server 128Subsystem sftp /usr/lib/openssh/sftp-server
129 129
130# Example of overriding settings on a per-user basis 130# Example of overriding settings on a per-user basis
131#Match User anoncvs 131#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 082859281..0be7250b0 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 .
66The exact list depends on whether the package was installed fresh or
67upgraded from various possible previous versions, but includes at least the
68following:
69.Pp
70.Bl -bullet -offset indent -compact
71.It
72.Cm ChallengeResponseAuthentication No no
73.It
74.Cm X11Forwarding No yes
75.It
76.Cm PrintMotd No no
77.It
78.Cm AcceptEnv No LANG LC_*
79.It
80.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
81.It
82.Cm UsePAM No yes
83.El
84.Pp
60The possible 85The possible
61keywords and their meanings are as follows (note that 86keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 87keywords are case-insensitive and arguments are case-sensitive):