6 files changed, 73 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c
index 5f6c37fe4..f0769b574 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
-                options->forward_x11_trusted = 0;
+                options->forward_x11_trusted = 1;
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
diff --git a/ssh.1 b/ssh.1
index 217886319..e2cce49d3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
 directive in
 .Xr ssh_config 5
 for more information.
+.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl x
 Disables X11 forwarding.
 .It Fl Y
 Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
+.Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
 .It Fl y
 Send log information using the
 .Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 228e5abce..c9386aadd 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -48,3 +49,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index acd581bf5..844d1a0f5 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
diff --git a/sshd_config b/sshd_config
index 1dfd0f156..23a338fa3 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,7 +41,8 @@
 # Authentication:
 #LoginGraceTime 2m
-#PermitRootLogin no
+# See /usr/share/doc/openssh-server/README.Debian.gz.
+#PermitRootLogin without-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
diff --git a/sshd_config.5 b/sshd_config.5
index 355b44544..eb6bff85f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):

diff --git a/readconf.c b/readconf.c index 5f6c37fe4..f0769b574 100644 --- a/readconf.c +++ b/readconf.c
@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
1748	if (options->forward_x11 == -1)	1748	if (options->forward_x11 == -1)
1749	options->forward_x11 = 0;	1749	options->forward_x11 = 0;
1750	if (options->forward_x11_trusted == -1)	1750	if (options->forward_x11_trusted == -1)
1751	options->forward_x11_trusted = 0;	1751	options->forward_x11_trusted = 1;
1752	if (options->forward_x11_timeout == -1)	1752	if (options->forward_x11_timeout == -1)
1753	options->forward_x11_timeout = 1200;	1753	options->forward_x11_timeout = 1200;
1754	if (options->exit_on_forward_failure == -1)	1754	if (options->exit_on_forward_failure == -1)


diff --git a/ssh.1 b/ssh.1 index 217886319..e2cce49d3 100644 --- a/ssh.1 +++ b/ssh.1
@@ -670,12 +670,33 @@ option and the
670	directive in	670	directive in
671	.Xr ssh_config 5	671	.Xr ssh_config 5
672	for more information.	672	for more information.
		673	.Pp
		674	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		675	restrictions by default, because too many programs currently crash in this
		676	mode.
		677	Set the
		678	.Cm ForwardX11Trusted
		679	option to
		680	.Dq no
		681	to restore the upstream behaviour.
		682	This may change in future depending on client-side improvements.)
673	.It Fl x	683	.It Fl x
674	Disables X11 forwarding.	684	Disables X11 forwarding.
675	.It Fl Y	685	.It Fl Y
676	Enables trusted X11 forwarding.	686	Enables trusted X11 forwarding.
677	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	687	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
678	controls.	688	controls.
		689	.Pp
		690	(Debian-specific: This option does nothing in the default configuration: it
		691	is equivalent to
		692	.Dq Cm ForwardX11Trusted No yes ,
		693	which is the default as described above.
		694	Set the
		695	.Cm ForwardX11Trusted
		696	option to
		697	.Dq no
		698	to restore the upstream behaviour.
		699	This may change in future depending on client-side improvements.)
679	.It Fl y	700	.It Fl y
680	Send log information using the	701	Send log information using the
681	.Xr syslog 3	702	.Xr syslog 3


diff --git a/ssh_config b/ssh_config index 228e5abce..c9386aadd 100644 --- a/ssh_config +++ b/ssh_config
@@ -17,9 +17,10 @@
17	# list of available options, their meanings and defaults, please see the	17	# list of available options, their meanings and defaults, please see the
18	# ssh_config(5) man page.	18	# ssh_config(5) man page.
19		19
20	# Host *	20	Host *
21	# ForwardAgent no	21	# ForwardAgent no
22	# ForwardX11 no	22	# ForwardX11 no
		23	# ForwardX11Trusted yes
23	# RhostsRSAAuthentication no	24	# RhostsRSAAuthentication no
24	# RSAAuthentication yes	25	# RSAAuthentication yes
25	# PasswordAuthentication yes	26	# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48	# VisualHostKey no	49	# VisualHostKey no
49	# ProxyCommand ssh -q -W %h:%p gateway.example.com	50	# ProxyCommand ssh -q -W %h:%p gateway.example.com
50	# RekeyLimit 1G 1h	51	# RekeyLimit 1G 1h
		52	SendEnv LANG LC_*
		53	HashKnownHosts yes
		54	GSSAPIAuthentication yes
		55	GSSAPIDelegateCredentials no


diff --git a/ssh_config.5 b/ssh_config.5 index acd581bf5..844d1a0f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
75	file, and general defaults at the end.	75	file, and general defaults at the end.
76	.Pp	76	.Pp
		77	Note that the Debian
		78	.Ic openssh-client
		79	package sets several options as standard in
		80	.Pa /etc/ssh/ssh_config
		81	which are not the default in
		82	.Xr ssh 1 :
		83	.Pp
		84	.Bl -bullet -offset indent -compact
		85	.It
		86	.Cm SendEnv No LANG LC_*
		87	.It
		88	.Cm HashKnownHosts No yes
		89	.It
		90	.Cm GSSAPIAuthentication No yes
		91	.El
		92	.Pp
77	The configuration file has the following format:	93	The configuration file has the following format:
78	.Pp	94	.Pp
79	Empty lines and lines starting with	95	Empty lines and lines starting with
@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
716	Remote clients will be refused access after this time.	732	Remote clients will be refused access after this time.
717	.Pp	733	.Pp
718	The default is	734	The default is
719	.Dq no .	735	.Dq yes
		736	(Debian-specific).
720	.Pp	737	.Pp
721	See the X11 SECURITY extension specification for full details on	738	See the X11 SECURITY extension specification for full details on
722	the restrictions imposed on untrusted clients.	739	the restrictions imposed on untrusted clients.


diff --git a/sshd_config b/sshd_config index 1dfd0f156..23a338fa3 100644 --- a/sshd_config +++ b/sshd_config
@@ -41,7 +41,8 @@
41	# Authentication:	41	# Authentication:
42		42
43	#LoginGraceTime 2m	43	#LoginGraceTime 2m
44	#PermitRootLogin no	44	# See /usr/share/doc/openssh-server/README.Debian.gz.
		45	#PermitRootLogin without-password
45	#StrictModes yes	46	#StrictModes yes
46	#MaxAuthTries 6	47	#MaxAuthTries 6
47	#MaxSessions 10	48	#MaxSessions 10


diff --git a/sshd_config.5 b/sshd_config.5 index 355b44544..eb6bff85f 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm ChallengeResponseAuthentication No no
		73	.It
		74	.Cm X11Forwarding No yes
		75	.It
		76	.Cm PrintMotd No no
		77	.It
		78	.Cm AcceptEnv No LANG LC_*
		79	.It
		80	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		81	.It
		82	.Cm UsePAM No yes
		83	.El
		84	.Pp
60	The possible	85	The possible
61	keywords and their meanings are as follows (note that	86	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	87	keywords are case-insensitive and arguments are case-sensitive):