1 files changed, 157 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..ac15d90e0
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,157 @@
+From 9cbb60f5e4932634db04c330c88abc49cc5567bd Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+PermitRootLogin default.
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2014-02-12
+Patch-Name: debian-config.patch
+---
+ readconf.c    |    2 +-
+ ssh_config    |    7 ++++++-
+ ssh_config.5  |   19 ++++++++++++++++++-
+ sshd_config   |    1 +
+ sshd_config.5 |   25 +++++++++++++++++++++++++
+ 5 files changed, 51 insertions(+), 3 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index 32c4b42..5429fc2 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1640,7 +1640,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        if (options->exit_on_forward_failure == -1)
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1d500e9..22e6372 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
+.Dq yes
+(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config b/sshd_config
+index d9b8594..4db32f5 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -41,6 +41,7 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+# See /usr/share/doc/openssh-server/README.Debian.gz.
+ #PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+diff --git a/sshd_config.5 b/sshd_config.5
+index 908e0bb..90fd3f4 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..ac15d90e0 --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,157 @@
	1	From 9cbb60f5e4932634db04c330c88abc49cc5567bd Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	15	default.
	16
	17	sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
	18	PermitRootLogin default.
	19
	20	Document all of this, along with several sshd defaults set in
	21	debian/openssh-server.postinst.
	22
	23	Author: Russ Allbery <rra@debian.org>
	24	Forwarded: not-needed
	25	Last-Update: 2014-02-12
	26
	27	Patch-Name: debian-config.patch
	28	---
	29	readconf.c \| 2 +-
	30	ssh_config \| 7 ++++++-
	31	ssh_config.5 \| 19 ++++++++++++++++++-
	32	sshd_config \| 1 +
	33	sshd_config.5 \| 25 +++++++++++++++++++++++++
	34	5 files changed, 51 insertions(+), 3 deletions(-)
	35
	36	diff --git a/readconf.c b/readconf.c
	37	index 32c4b42..5429fc2 100644
	38	--- a/readconf.c
	39	+++ b/readconf.c
	40	@@ -1640,7 +1640,7 @@ fill_default_options(Options * options)
	41	if (options->forward_x11 == -1)
	42	options->forward_x11 = 0;
	43	if (options->forward_x11_trusted == -1)
	44	- options->forward_x11_trusted = 0;
	45	+ options->forward_x11_trusted = 1;
	46	if (options->forward_x11_timeout == -1)
	47	options->forward_x11_timeout = 1200;
	48	if (options->exit_on_forward_failure == -1)
	49	diff --git a/ssh_config b/ssh_config
	50	index 228e5ab..c9386aa 100644
	51	--- a/ssh_config
	52	+++ b/ssh_config
	53	@@ -17,9 +17,10 @@
	54	# list of available options, their meanings and defaults, please see the
	55	# ssh_config(5) man page.
	56
	57	-# Host *
	58	+Host *
	59	# ForwardAgent no
	60	# ForwardX11 no
	61	+# ForwardX11Trusted yes
	62	# RhostsRSAAuthentication no
	63	# RSAAuthentication yes
	64	# PasswordAuthentication yes
	65	@@ -48,3 +49,7 @@
	66	# VisualHostKey no
	67	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	68	# RekeyLimit 1G 1h
	69	+ SendEnv LANG LC_*
	70	+ HashKnownHosts yes
	71	+ GSSAPIAuthentication yes
	72	+ GSSAPIDelegateCredentials no
	73	diff --git a/ssh_config.5 b/ssh_config.5
	74	index 1d500e9..22e6372 100644
	75	--- a/ssh_config.5
	76	+++ b/ssh_config.5
	77	@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
	78	host-specific declarations should be given near the beginning of the
	79	file, and general defaults at the end.
	80	.Pp
	81	+Note that the Debian
	82	+.Ic openssh-client
	83	+package sets several options as standard in
	84	+.Pa /etc/ssh/ssh_config
	85	+which are not the default in
	86	+.Xr ssh 1 :
	87	+.Pp
	88	+.Bl -bullet -offset indent -compact
	89	+.It
	90	+.Cm SendEnv No LANG LC_*
	91	+.It
	92	+.Cm HashKnownHosts No yes
	93	+.It
	94	+.Cm GSSAPIAuthentication No yes
	95	+.El
	96	+.Pp
	97	The configuration file has the following format:
	98	.Pp
	99	Empty lines and lines starting with
	100	@@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes.
	101	Remote clients will be refused access after this time.
	102	.Pp
	103	The default is
	104	-.Dq no .
	105	+.Dq yes
	106	+(Debian-specific).
	107	.Pp
	108	See the X11 SECURITY extension specification for full details on
	109	the restrictions imposed on untrusted clients.
	110	diff --git a/sshd_config b/sshd_config
	111	index d9b8594..4db32f5 100644
	112	--- a/sshd_config
	113	+++ b/sshd_config
	114	@@ -41,6 +41,7 @@
	115	# Authentication:
	116
	117	#LoginGraceTime 2m
	118	+# See /usr/share/doc/openssh-server/README.Debian.gz.
	119	#PermitRootLogin yes
	120	#StrictModes yes
	121	#MaxAuthTries 6
	122	diff --git a/sshd_config.5 b/sshd_config.5
	123	index 908e0bb..90fd3f4 100644
	124	--- a/sshd_config.5
	125	+++ b/sshd_config.5
	126	@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
	127	.Pq \&"
	128	in order to represent arguments containing spaces.
	129	.Pp
	130	+Note that the Debian
	131	+.Ic openssh-server
	132	+package sets several options as standard in
	133	+.Pa /etc/ssh/sshd_config
	134	+which are not the default in
	135	+.Xr sshd 8 .
	136	+The exact list depends on whether the package was installed fresh or
	137	+upgraded from various possible previous versions, but includes at least the
	138	+following:
	139	+.Pp
	140	+.Bl -bullet -offset indent -compact
	141	+.It
	142	+.Cm ChallengeResponseAuthentication No no
	143	+.It
	144	+.Cm X11Forwarding No yes
	145	+.It
	146	+.Cm PrintMotd No no
	147	+.It
	148	+.Cm AcceptEnv No LANG LC_*
	149	+.It
	150	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	151	+.It
	152	+.Cm UsePAM No yes
	153	+.El
	154	+.Pp
	155	The possible
	156	keywords and their meanings are as follows (note that
	157	keywords are case-insensitive and arguments are case-sensitive):