Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 198 |
1 files changed, 198 insertions, 0 deletions
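--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,198 @@
+From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+
+sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+PermitRootLogin default.
+
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-08-19
+
+Patch-Name: debian-config.patch
+---
+ readconf.c | 2 +-
+ ssh.1 | 21 +++++++++++++++++++++
+ ssh_config | 7 ++++++-
+ ssh_config.5 | 19 ++++++++++++++++++-
+ sshd_config | 3 ++-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 6 files changed, 73 insertions(+), 4 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 5f6c37f..f0769b5 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
+ if (options->forward_x11 == -1)
+ options->forward_x11 = 0;
+ if (options->forward_x11_trusted == -1)
+- options->forward_x11_trusted = 0;
++ options->forward_x11_trusted = 1;
+ if (options->forward_x11_timeout == -1)
+ options->forward_x11_timeout = 1200;
+ if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 2178863..e2cce49 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -670,12 +670,33 @@ option and the
+ directive in
+ .Xr ssh_config 5
+ for more information.
++.Pp
++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
++restrictions by default, because too many programs currently crash in this
++mode.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
+ .It Fl x
+ Disables X11 forwarding.
+ .It Fl Y
+ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
++.Pp
++(Debian-specific: This option does nothing in the default configuration: it
++is equivalent to
++.Dq Cm ForwardX11Trusted No yes ,
++which is the default as described above.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
++Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted yes
+ # RhostsRSAAuthentication no
+ # RSAAuthentication yes
+ # PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
++ SendEnv LANG LC_*
++ HashKnownHosts yes
++ GSSAPIAuthentication yes
++ GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index acd581b..844d1a0 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
++Note that the Debian
++.Ic openssh-client
++package sets several options as standard in
++.Pa /etc/ssh/ssh_config
++which are not the default in
++.Xr ssh 1 :
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm SendEnv No LANG LC_*
++.It
++.Cm HashKnownHosts No yes
++.It
++.Cm GSSAPIAuthentication No yes
++.El
++.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
++.Dq yes
++(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config b/sshd_config
+index 1dfd0f1..23a338f 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -41,7 +41,8 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+-#PermitRootLogin no
++# See /usr/share/doc/openssh-server/README.Debian.gz.
++#PermitRootLogin without-password
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+diff --git a/sshd_config.5 b/sshd_config.5
+index 355b445..eb6bff8 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
++Note that the Debian
++.Ic openssh-server
++package sets several options as standard in
++.Pa /etc/ssh/sshd_config
++which are not the default in
++.Xr sshd 8 .
++The exact list depends on whether the package was installed fresh or
++upgraded from various possible previous versions, but includes at least the
++following:
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm ChallengeResponseAuthentication No no
++.It
++.Cm X11Forwarding No yes
++.It
++.Cm PrintMotd No no
++.It
++.Cm AcceptEnv No LANG LC_*
++.It
++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
++.It
++.Cm UsePAM No yes
++.El
++.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):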
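Review bot: The readconf.c hunk inside this patch (nested lines 44–46) changes the compiled-in default of `options->forward_x11_trusted` from 0 to 1, so a plain `-X` / `ForwardX11 yes` session grants forwarded X11 clients the same unrestricted display access as `-Y`; the ssh.1 hunk spells this out, but the ssh_config.5 ForwardX11Trusted entry (nested lines 142–145) only replaces the default with `.Dq yes` / `(Debian-specific).` and leaves the reader of the option reference without the consequence. Suggest adding one sentence right after `(Debian-specific).`, e.g. `Remote X11 clients therefore have full access to the local display unless` / `.Cm ForwardX11Trusted` / `is explicitly set to no.`, so both manual pages carry the same caveat. The body of fill_default_options() lies outside the quoted readconf.c context, and this file is a build-time patch rather than tree source, so the surrounding logic cannot be checked from here.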