diff options
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | ssh.1 | 24 | ||||
-rw-r--r-- | ssh_config | 8 | ||||
-rw-r--r-- | ssh_config.5 | 26 | ||||
-rw-r--r-- | sshd_config | 18 | ||||
-rw-r--r-- | sshd_config.5 | 29 |
6 files changed, 98 insertions, 9 deletions
diff --git a/readconf.c b/readconf.c index f4f273c96..e676b6be6 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -2153,7 +2153,7 @@ fill_default_options(Options * options) | |||
2153 | if (options->forward_x11 == -1) | 2153 | if (options->forward_x11 == -1) |
2154 | options->forward_x11 = 0; | 2154 | options->forward_x11 = 0; |
2155 | if (options->forward_x11_trusted == -1) | 2155 | if (options->forward_x11_trusted == -1) |
2156 | options->forward_x11_trusted = 0; | 2156 | options->forward_x11_trusted = 1; |
2157 | if (options->forward_x11_timeout == -1) | 2157 | if (options->forward_x11_timeout == -1) |
2158 | options->forward_x11_timeout = 1200; | 2158 | options->forward_x11_timeout = 1200; |
2159 | /* | 2159 | /* |
@@ -812,6 +812,16 @@ directive in | |||
812 | .Xr ssh_config 5 | 812 | .Xr ssh_config 5 |
813 | for more information. | 813 | for more information. |
814 | .Pp | 814 | .Pp |
815 | (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | ||
816 | restrictions by default, because too many programs currently crash in this | ||
817 | mode. | ||
818 | Set the | ||
819 | .Cm ForwardX11Trusted | ||
820 | option to | ||
821 | .Dq no | ||
822 | to restore the upstream behaviour. | ||
823 | This may change in future depending on client-side improvements.) | ||
824 | .Pp | ||
815 | .It Fl x | 825 | .It Fl x |
816 | Disables X11 forwarding. | 826 | Disables X11 forwarding. |
817 | .Pp | 827 | .Pp |
@@ -820,6 +830,20 @@ Enables trusted X11 forwarding. | |||
820 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 830 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
821 | controls. | 831 | controls. |
822 | .Pp | 832 | .Pp |
833 | (Debian-specific: In the default configuration, this option is equivalent to | ||
834 | .Fl X , | ||
835 | since | ||
836 | .Cm ForwardX11Trusted | ||
837 | defaults to | ||
838 | .Dq yes | ||
839 | as described above. | ||
840 | Set the | ||
841 | .Cm ForwardX11Trusted | ||
842 | option to | ||
843 | .Dq no | ||
844 | to restore the upstream behaviour. | ||
845 | This may change in future depending on client-side improvements.) | ||
846 | .Pp | ||
823 | .It Fl y | 847 | .It Fl y |
824 | Send log information using the | 848 | Send log information using the |
825 | .Xr syslog 3 | 849 | .Xr syslog 3 |
diff --git a/ssh_config b/ssh_config index 52aae8692..09a17cf18 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -17,9 +17,12 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | # Host * | 20 | Include /etc/ssh/ssh_config.d/*.conf |
21 | |||
22 | Host * | ||
21 | # ForwardAgent no | 23 | # ForwardAgent no |
22 | # ForwardX11 no | 24 | # ForwardX11 no |
25 | # ForwardX11Trusted yes | ||
23 | # PasswordAuthentication yes | 26 | # PasswordAuthentication yes |
24 | # HostbasedAuthentication no | 27 | # HostbasedAuthentication no |
25 | # GSSAPIAuthentication no | 28 | # GSSAPIAuthentication no |
@@ -46,3 +49,6 @@ | |||
46 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 49 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
47 | # RekeyLimit 1G 1h | 50 | # RekeyLimit 1G 1h |
48 | # UserKnownHostsFile ~/.ssh/known_hosts.d/%k | 51 | # UserKnownHostsFile ~/.ssh/known_hosts.d/%k |
52 | SendEnv LANG LC_* | ||
53 | HashKnownHosts yes | ||
54 | GSSAPIAuthentication yes | ||
diff --git a/ssh_config.5 b/ssh_config.5 index 96ca7a5df..6d6c59521 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more | |||
71 | host-specific declarations should be given near the beginning of the | 71 | host-specific declarations should be given near the beginning of the |
72 | file, and general defaults at the end. | 72 | file, and general defaults at the end. |
73 | .Pp | 73 | .Pp |
74 | Note that the Debian | ||
75 | .Ic openssh-client | ||
76 | package sets several options as standard in | ||
77 | .Pa /etc/ssh/ssh_config | ||
78 | which are not the default in | ||
79 | .Xr ssh 1 : | ||
80 | .Pp | ||
81 | .Bl -bullet -offset indent -compact | ||
82 | .It | ||
83 | .Cm Include /etc/ssh/ssh_config.d/*.conf | ||
84 | .It | ||
85 | .Cm SendEnv No LANG LC_* | ||
86 | .It | ||
87 | .Cm HashKnownHosts No yes | ||
88 | .It | ||
89 | .Cm GSSAPIAuthentication No yes | ||
90 | .El | ||
91 | .Pp | ||
92 | .Pa /etc/ssh/ssh_config.d/*.conf | ||
93 | files are included at the start of the system-wide configuration file, so | ||
94 | options set there will override those in | ||
95 | .Pa /etc/ssh/ssh_config. | ||
96 | .Pp | ||
74 | The file contains keyword-argument pairs, one per line. | 97 | The file contains keyword-argument pairs, one per line. |
75 | Lines starting with | 98 | Lines starting with |
76 | .Ql # | 99 | .Ql # |
@@ -742,11 +765,12 @@ elapsed. | |||
742 | .It Cm ForwardX11Trusted | 765 | .It Cm ForwardX11Trusted |
743 | If this option is set to | 766 | If this option is set to |
744 | .Cm yes , | 767 | .Cm yes , |
768 | (the Debian-specific default), | ||
745 | remote X11 clients will have full access to the original X11 display. | 769 | remote X11 clients will have full access to the original X11 display. |
746 | .Pp | 770 | .Pp |
747 | If this option is set to | 771 | If this option is set to |
748 | .Cm no | 772 | .Cm no |
749 | (the default), | 773 | (the upstream default), |
750 | remote X11 clients will be considered untrusted and prevented | 774 | remote X11 clients will be considered untrusted and prevented |
751 | from stealing or tampering with data belonging to trusted X11 | 775 | from stealing or tampering with data belonging to trusted X11 |
752 | clients. | 776 | clients. |
diff --git a/sshd_config b/sshd_config index 2c48105f8..459c1b230 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -10,6 +10,8 @@ | |||
10 | # possible, but leave them commented. Uncommented options override the | 10 | # possible, but leave them commented. Uncommented options override the |
11 | # default value. | 11 | # default value. |
12 | 12 | ||
13 | Include /etc/ssh/sshd_config.d/*.conf | ||
14 | |||
13 | #Port 22 | 15 | #Port 22 |
14 | #AddressFamily any | 16 | #AddressFamily any |
15 | #ListenAddress 0.0.0.0 | 17 | #ListenAddress 0.0.0.0 |
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
57 | #PasswordAuthentication yes | 59 | #PasswordAuthentication yes |
58 | #PermitEmptyPasswords no | 60 | #PermitEmptyPasswords no |
59 | 61 | ||
60 | # Change to no to disable s/key passwords | 62 | # Change to yes to enable challenge-response passwords (beware issues with |
61 | #ChallengeResponseAuthentication yes | 63 | # some PAM modules and threads) |
64 | ChallengeResponseAuthentication no | ||
62 | 65 | ||
63 | # Kerberos options | 66 | # Kerberos options |
64 | #KerberosAuthentication no | 67 | #KerberosAuthentication no |
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
81 | # If you just want the PAM account and session checks to run without | 84 | # If you just want the PAM account and session checks to run without |
82 | # PAM authentication, then enable this but set PasswordAuthentication | 85 | # PAM authentication, then enable this but set PasswordAuthentication |
83 | # and ChallengeResponseAuthentication to 'no'. | 86 | # and ChallengeResponseAuthentication to 'no'. |
84 | #UsePAM no | 87 | UsePAM yes |
85 | 88 | ||
86 | #AllowAgentForwarding yes | 89 | #AllowAgentForwarding yes |
87 | #AllowTcpForwarding yes | 90 | #AllowTcpForwarding yes |
88 | #GatewayPorts no | 91 | #GatewayPorts no |
89 | #X11Forwarding no | 92 | X11Forwarding yes |
90 | #X11DisplayOffset 10 | 93 | #X11DisplayOffset 10 |
91 | #X11UseLocalhost yes | 94 | #X11UseLocalhost yes |
92 | #PermitTTY yes | 95 | #PermitTTY yes |
93 | #PrintMotd yes | 96 | PrintMotd no |
94 | #PrintLastLog yes | 97 | #PrintLastLog yes |
95 | #TCPKeepAlive yes | 98 | #TCPKeepAlive yes |
96 | #PermitUserEnvironment no | 99 | #PermitUserEnvironment no |
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
107 | # no default banner path | 110 | # no default banner path |
108 | #Banner none | 111 | #Banner none |
109 | 112 | ||
113 | # Allow client to pass locale environment variables | ||
114 | AcceptEnv LANG LC_* | ||
115 | |||
110 | # override default of no subsystems | 116 | # override default of no subsystems |
111 | Subsystem sftp /usr/libexec/sftp-server | 117 | Subsystem sftp /usr/lib/openssh/sftp-server |
112 | 118 | ||
113 | # Example of overriding settings on a per-user basis | 119 | # Example of overriding settings on a per-user basis |
114 | #Match User anoncvs | 120 | #Match User anoncvs |
diff --git a/sshd_config.5 b/sshd_config.5 index 32ae46476..472001dd1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes | |||
56 | .Pq \&" | 56 | .Pq \&" |
57 | in order to represent arguments containing spaces. | 57 | in order to represent arguments containing spaces. |
58 | .Pp | 58 | .Pp |
59 | Note that the Debian | ||
60 | .Ic openssh-server | ||
61 | package sets several options as standard in | ||
62 | .Pa /etc/ssh/sshd_config | ||
63 | which are not the default in | ||
64 | .Xr sshd 8 : | ||
65 | .Pp | ||
66 | .Bl -bullet -offset indent -compact | ||
67 | .It | ||
68 | .Cm Include /etc/ssh/sshd_config.d/*.conf | ||
69 | .It | ||
70 | .Cm ChallengeResponseAuthentication No no | ||
71 | .It | ||
72 | .Cm X11Forwarding No yes | ||
73 | .It | ||
74 | .Cm PrintMotd No no | ||
75 | .It | ||
76 | .Cm AcceptEnv No LANG LC_* | ||
77 | .It | ||
78 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
79 | .It | ||
80 | .Cm UsePAM No yes | ||
81 | .El | ||
82 | .Pp | ||
83 | .Pa /etc/ssh/sshd_config.d/*.conf | ||
84 | files are included at the start of the configuration file, so options set | ||
85 | there will override those in | ||
86 | .Pa /etc/ssh/sshd_config. | ||
87 | .Pp | ||
59 | The possible | 88 | The possible |
60 | keywords and their meanings are as follows (note that | 89 | keywords and their meanings are as follows (note that |
61 | keywords are case-insensitive and arguments are case-sensitive): | 90 | keywords are case-insensitive and arguments are case-sensitive): |