5 files changed, 59 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index 0648867e8..29338b619 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1681,7 +1681,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
-                options->forward_x11_trusted = 0;
+                options->forward_x11_trusted = 1;
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
diff --git a/ssh_config b/ssh_config
index 228e5abce..91be1e760 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -48,3 +49,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+    SendEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index a1005ba3d..598576997 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,26 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG Xo
+.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
+.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
+.No LC_ALL
+.Xc
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -673,7 +693,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index d9b859407..4db32f509 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,6 +41,7 @@
 # Authentication:
 #LoginGraceTime 2m
+# See /usr/share/doc/openssh-server/README.Debian.gz.
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
diff --git a/sshd_config.5 b/sshd_config.5
index 7396b238c..09bb5fe33 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,35 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG Xo
+.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
+.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
+.No LC_ALL
+.Xc
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):

diff --git a/readconf.c b/readconf.c index 0648867e8..29338b619 100644 --- a/readconf.c +++ b/readconf.c
@@ -1681,7 +1681,7 @@ fill_default_options(Options * options)
1681	if (options->forward_x11 == -1)	1681	if (options->forward_x11 == -1)
1682	options->forward_x11 = 0;	1682	options->forward_x11 = 0;
1683	if (options->forward_x11_trusted == -1)	1683	if (options->forward_x11_trusted == -1)
1684	options->forward_x11_trusted = 0;	1684	options->forward_x11_trusted = 1;
1685	if (options->forward_x11_timeout == -1)	1685	if (options->forward_x11_timeout == -1)
1686	options->forward_x11_timeout = 1200;	1686	options->forward_x11_timeout = 1200;
1687	if (options->exit_on_forward_failure == -1)	1687	if (options->exit_on_forward_failure == -1)


diff --git a/ssh_config b/ssh_config index 228e5abce..91be1e760 100644 --- a/ssh_config +++ b/ssh_config
@@ -17,9 +17,10 @@
17	# list of available options, their meanings and defaults, please see the	17	# list of available options, their meanings and defaults, please see the
18	# ssh_config(5) man page.	18	# ssh_config(5) man page.
19		19
20	# Host *	20	Host *
21	# ForwardAgent no	21	# ForwardAgent no
22	# ForwardX11 no	22	# ForwardX11 no
		23	# ForwardX11Trusted yes
23	# RhostsRSAAuthentication no	24	# RhostsRSAAuthentication no
24	# RSAAuthentication yes	25	# RSAAuthentication yes
25	# PasswordAuthentication yes	26	# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48	# VisualHostKey no	49	# VisualHostKey no
49	# ProxyCommand ssh -q -W %h:%p gateway.example.com	50	# ProxyCommand ssh -q -W %h:%p gateway.example.com
50	# RekeyLimit 1G 1h	51	# RekeyLimit 1G 1h
		52	SendEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL
		53	HashKnownHosts yes
		54	GSSAPIAuthentication yes
		55	GSSAPIDelegateCredentials no


diff --git a/ssh_config.5 b/ssh_config.5 index a1005ba3d..598576997 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -71,6 +71,26 @@ Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	71	host-specific declarations should be given near the beginning of the
72	file, and general defaults at the end.	72	file, and general defaults at the end.
73	.Pp	73	.Pp
		74	Note that the Debian
		75	.Ic openssh-client
		76	package sets several options as standard in
		77	.Pa /etc/ssh/ssh_config
		78	which are not the default in
		79	.Xr ssh 1 :
		80	.Pp
		81	.Bl -bullet -offset indent -compact
		82	.It
		83	.Cm SendEnv No LANG Xo
		84	.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
		85	.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
		86	.No LC_ALL
		87	.Xc
		88	.It
		89	.Cm HashKnownHosts No yes
		90	.It
		91	.Cm GSSAPIAuthentication No yes
		92	.El
		93	.Pp
74	The configuration file has the following format:	94	The configuration file has the following format:
75	.Pp	95	.Pp
76	Empty lines and lines starting with	96	Empty lines and lines starting with
@@ -673,7 +693,8 @@ token used for the session will be set to expire after 20 minutes.
673	Remote clients will be refused access after this time.	693	Remote clients will be refused access after this time.
674	.Pp	694	.Pp
675	The default is	695	The default is
676	.Dq no .	696	.Dq yes
		697	(Debian-specific).
677	.Pp	698	.Pp
678	See the X11 SECURITY extension specification for full details on	699	See the X11 SECURITY extension specification for full details on
679	the restrictions imposed on untrusted clients.	700	the restrictions imposed on untrusted clients.


diff --git a/sshd_config b/sshd_config index d9b859407..4db32f509 100644 --- a/sshd_config +++ b/sshd_config
@@ -41,6 +41,7 @@
41	# Authentication:	41	# Authentication:
42		42
43	#LoginGraceTime 2m	43	#LoginGraceTime 2m
		44	# See /usr/share/doc/openssh-server/README.Debian.gz.
44	#PermitRootLogin yes	45	#PermitRootLogin yes
45	#StrictModes yes	46	#StrictModes yes
46	#MaxAuthTries 6	47	#MaxAuthTries 6


diff --git a/sshd_config.5 b/sshd_config.5 index 7396b238c..09bb5fe33 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,35 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm ChallengeResponseAuthentication No no
		73	.It
		74	.Cm X11Forwarding No yes
		75	.It
		76	.Cm PrintMotd No no
		77	.It
		78	.Cm AcceptEnv No LANG Xo
		79	.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
		80	.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
		81	.No LC_ALL
		82	.Xc
		83	.It
		84	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		85	.It
		86	.Cm UsePAM No yes
		87	.El
		88	.Pp
60	The possible	89	The possible
61	keywords and their meanings are as follows (note that	90	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	91	keywords are case-insensitive and arguments are case-sensitive):