diff options
Diffstat (limited to 'debian/patches/debian-config.patch')
| -rw-r--r-- | debian/patches/debian-config.patch | 49 |
1 files changed, 16 insertions, 33 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index dd33c00a6..aae4e7d34 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 0cce5c4c1de33c4172ce8ebc0f93e717995779f8 Mon Sep 17 00:00:00 2001 | 1 | From 6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d Mon Sep 17 00:00:00 2001 |
| 2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
| 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
| 4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
| @@ -14,15 +14,12 @@ worms. | |||
| 14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by | 14 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by |
| 15 | default. | 15 | default. |
| 16 | 16 | ||
| 17 | sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside | ||
| 18 | PermitRootLogin default. | ||
| 19 | |||
| 20 | Document all of this, along with several sshd defaults set in | 17 | Document all of this, along with several sshd defaults set in |
| 21 | debian/openssh-server.postinst. | 18 | debian/openssh-server.postinst. |
| 22 | 19 | ||
| 23 | Author: Russ Allbery <rra@debian.org> | 20 | Author: Russ Allbery <rra@debian.org> |
| 24 | Forwarded: not-needed | 21 | Forwarded: not-needed |
| 25 | Last-Update: 2015-08-19 | 22 | Last-Update: 2015-11-29 |
| 26 | 23 | ||
| 27 | Patch-Name: debian-config.patch | 24 | Patch-Name: debian-config.patch |
| 28 | --- | 25 | --- |
| @@ -30,15 +27,14 @@ Patch-Name: debian-config.patch | |||
| 30 | ssh.1 | 21 +++++++++++++++++++++ | 27 | ssh.1 | 21 +++++++++++++++++++++ |
| 31 | ssh_config | 7 ++++++- | 28 | ssh_config | 7 ++++++- |
| 32 | ssh_config.5 | 19 ++++++++++++++++++- | 29 | ssh_config.5 | 19 ++++++++++++++++++- |
| 33 | sshd_config | 3 ++- | ||
| 34 | sshd_config.5 | 25 +++++++++++++++++++++++++ | 30 | sshd_config.5 | 25 +++++++++++++++++++++++++ |
| 35 | 6 files changed, 73 insertions(+), 4 deletions(-) | 31 | 5 files changed, 71 insertions(+), 3 deletions(-) |
| 36 | 32 | ||
| 37 | diff --git a/readconf.c b/readconf.c | 33 | diff --git a/readconf.c b/readconf.c |
| 38 | index 5f6c37f..f0769b5 100644 | 34 | index c0ba5a7..e4e1cba 100644 |
| 39 | --- a/readconf.c | 35 | --- a/readconf.c |
| 40 | +++ b/readconf.c | 36 | +++ b/readconf.c |
| 41 | @@ -1748,7 +1748,7 @@ fill_default_options(Options * options) | 37 | @@ -1749,7 +1749,7 @@ fill_default_options(Options * options) |
| 42 | if (options->forward_x11 == -1) | 38 | if (options->forward_x11 == -1) |
| 43 | options->forward_x11 = 0; | 39 | options->forward_x11 = 0; |
| 44 | if (options->forward_x11_trusted == -1) | 40 | if (options->forward_x11_trusted == -1) |
| @@ -48,14 +44,13 @@ index 5f6c37f..f0769b5 100644 | |||
| 48 | options->forward_x11_timeout = 1200; | 44 | options->forward_x11_timeout = 1200; |
| 49 | if (options->exit_on_forward_failure == -1) | 45 | if (options->exit_on_forward_failure == -1) |
| 50 | diff --git a/ssh.1 b/ssh.1 | 46 | diff --git a/ssh.1 b/ssh.1 |
| 51 | index 2178863..e2cce49 100644 | 47 | index 05b7f10..649d6c3 100644 |
| 52 | --- a/ssh.1 | 48 | --- a/ssh.1 |
| 53 | +++ b/ssh.1 | 49 | +++ b/ssh.1 |
| 54 | @@ -670,12 +670,33 @@ option and the | 50 | @@ -755,6 +755,16 @@ directive in |
| 55 | directive in | ||
| 56 | .Xr ssh_config 5 | 51 | .Xr ssh_config 5 |
| 57 | for more information. | 52 | for more information. |
| 58 | +.Pp | 53 | .Pp |
| 59 | +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | 54 | +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension |
| 60 | +restrictions by default, because too many programs currently crash in this | 55 | +restrictions by default, because too many programs currently crash in this |
| 61 | +mode. | 56 | +mode. |
| @@ -65,13 +60,14 @@ index 2178863..e2cce49 100644 | |||
| 65 | +.Dq no | 60 | +.Dq no |
| 66 | +to restore the upstream behaviour. | 61 | +to restore the upstream behaviour. |
| 67 | +This may change in future depending on client-side improvements.) | 62 | +This may change in future depending on client-side improvements.) |
| 63 | +.Pp | ||
| 68 | .It Fl x | 64 | .It Fl x |
| 69 | Disables X11 forwarding. | 65 | Disables X11 forwarding. |
| 70 | .It Fl Y | 66 | .Pp |
| 71 | Enables trusted X11 forwarding. | 67 | @@ -763,6 +773,17 @@ Enables trusted X11 forwarding. |
| 72 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | 68 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
| 73 | controls. | 69 | controls. |
| 74 | +.Pp | 70 | .Pp |
| 75 | +(Debian-specific: This option does nothing in the default configuration: it | 71 | +(Debian-specific: This option does nothing in the default configuration: it |
| 76 | +is equivalent to | 72 | +is equivalent to |
| 77 | +.Dq Cm ForwardX11Trusted No yes , | 73 | +.Dq Cm ForwardX11Trusted No yes , |
| @@ -82,6 +78,7 @@ index 2178863..e2cce49 100644 | |||
| 82 | +.Dq no | 78 | +.Dq no |
| 83 | +to restore the upstream behaviour. | 79 | +to restore the upstream behaviour. |
| 84 | +This may change in future depending on client-side improvements.) | 80 | +This may change in future depending on client-side improvements.) |
| 81 | +.Pp | ||
| 85 | .It Fl y | 82 | .It Fl y |
| 86 | Send log information using the | 83 | Send log information using the |
| 87 | .Xr syslog 3 | 84 | .Xr syslog 3 |
| @@ -110,7 +107,7 @@ index 228e5ab..c9386aa 100644 | |||
| 110 | + GSSAPIAuthentication yes | 107 | + GSSAPIAuthentication yes |
| 111 | + GSSAPIDelegateCredentials no | 108 | + GSSAPIDelegateCredentials no |
| 112 | diff --git a/ssh_config.5 b/ssh_config.5 | 109 | diff --git a/ssh_config.5 b/ssh_config.5 |
| 113 | index f25cedd..9a103f2 100644 | 110 | index 5bc04b0..aaa435a 100644 |
| 114 | --- a/ssh_config.5 | 111 | --- a/ssh_config.5 |
| 115 | +++ b/ssh_config.5 | 112 | +++ b/ssh_config.5 |
| 116 | @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more | 113 | @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more |
| @@ -136,7 +133,7 @@ index f25cedd..9a103f2 100644 | |||
| 136 | The configuration file has the following format: | 133 | The configuration file has the following format: |
| 137 | .Pp | 134 | .Pp |
| 138 | Empty lines and lines starting with | 135 | Empty lines and lines starting with |
| 139 | @@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes. | 136 | @@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes. |
| 140 | Remote clients will be refused access after this time. | 137 | Remote clients will be refused access after this time. |
| 141 | .Pp | 138 | .Pp |
| 142 | The default is | 139 | The default is |
| @@ -146,22 +143,8 @@ index f25cedd..9a103f2 100644 | |||
| 146 | .Pp | 143 | .Pp |
| 147 | See the X11 SECURITY extension specification for full details on | 144 | See the X11 SECURITY extension specification for full details on |
| 148 | the restrictions imposed on untrusted clients. | 145 | the restrictions imposed on untrusted clients. |
| 149 | diff --git a/sshd_config b/sshd_config | ||
| 150 | index 1dfd0f1..23a338f 100644 | ||
| 151 | --- a/sshd_config | ||
| 152 | +++ b/sshd_config | ||
| 153 | @@ -41,7 +41,8 @@ | ||
| 154 | # Authentication: | ||
| 155 | |||
| 156 | #LoginGraceTime 2m | ||
| 157 | -#PermitRootLogin no | ||
| 158 | +# See /usr/share/doc/openssh-server/README.Debian.gz. | ||
| 159 | +#PermitRootLogin without-password | ||
| 160 | #StrictModes yes | ||
| 161 | #MaxAuthTries 6 | ||
| 162 | #MaxSessions 10 | ||
| 163 | diff --git a/sshd_config.5 b/sshd_config.5 | 146 | diff --git a/sshd_config.5 b/sshd_config.5 |
| 164 | index 355b445..eb6bff8 100644 | 147 | index 7e40a27..92c23bc 100644 |
| 165 | --- a/sshd_config.5 | 148 | --- a/sshd_config.5 |
| 166 | +++ b/sshd_config.5 | 149 | +++ b/sshd_config.5 |
| 167 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 150 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes |