1 files changed, 181 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..7a78e5765
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,181 @@
+From c975d37df187e00832d6b6070731b8a8c16a6f56 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-11-29
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
+ ssh_config    |  7 ++++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 5 files changed, 71 insertions(+), 3 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index c0ba5a7..e4e1cba 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 05b7f10..649d6c3 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -755,6 +755,16 @@ directive in
+ .Xr ssh_config 5
+ for more information.
+ .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl x
+ Disables X11 forwarding.
+ .Pp
+@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+ .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index d4928b8..81b9b74 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
+.Dq yes
+(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config.5 b/sshd_config.5
+index 0828592..0be7250 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..7a78e5765 --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,181 @@
	1	From c975d37df187e00832d6b6070731b8a8c16a6f56 Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	15	default.
	16
	17	Document all of this, along with several sshd defaults set in
	18	debian/openssh-server.postinst.
	19
	20	Author: Russ Allbery <rra@debian.org>
	21	Forwarded: not-needed
	22	Last-Update: 2015-11-29
	23
	24	Patch-Name: debian-config.patch
	25	---
	26	readconf.c \| 2 +-
	27	ssh.1 \| 21 +++++++++++++++++++++
	28	ssh_config \| 7 ++++++-
	29	ssh_config.5 \| 19 ++++++++++++++++++-
	30	sshd_config.5 \| 25 +++++++++++++++++++++++++
	31	5 files changed, 71 insertions(+), 3 deletions(-)
	32
	33	diff --git a/readconf.c b/readconf.c
	34	index c0ba5a7..e4e1cba 100644
	35	--- a/readconf.c
	36	+++ b/readconf.c
	37	@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
	38	if (options->forward_x11 == -1)
	39	options->forward_x11 = 0;
	40	if (options->forward_x11_trusted == -1)
	41	- options->forward_x11_trusted = 0;
	42	+ options->forward_x11_trusted = 1;
	43	if (options->forward_x11_timeout == -1)
	44	options->forward_x11_timeout = 1200;
	45	if (options->exit_on_forward_failure == -1)
	46	diff --git a/ssh.1 b/ssh.1
	47	index 05b7f10..649d6c3 100644
	48	--- a/ssh.1
	49	+++ b/ssh.1
	50	@@ -755,6 +755,16 @@ directive in
	51	.Xr ssh_config 5
	52	for more information.
	53	.Pp
	54	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
	55	+restrictions by default, because too many programs currently crash in this
	56	+mode.
	57	+Set the
	58	+.Cm ForwardX11Trusted
	59	+option to
	60	+.Dq no
	61	+to restore the upstream behaviour.
	62	+This may change in future depending on client-side improvements.)
	63	+.Pp
	64	.It Fl x
	65	Disables X11 forwarding.
	66	.Pp
	67	@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
	68	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
	69	controls.
	70	.Pp
	71	+(Debian-specific: This option does nothing in the default configuration: it
	72	+is equivalent to
	73	+.Dq Cm ForwardX11Trusted No yes ,
	74	+which is the default as described above.
	75	+Set the
	76	+.Cm ForwardX11Trusted
	77	+option to
	78	+.Dq no
	79	+to restore the upstream behaviour.
	80	+This may change in future depending on client-side improvements.)
	81	+.Pp
	82	.It Fl y
	83	Send log information using the
	84	.Xr syslog 3
	85	diff --git a/ssh_config b/ssh_config
	86	index 228e5ab..c9386aa 100644
	87	--- a/ssh_config
	88	+++ b/ssh_config
	89	@@ -17,9 +17,10 @@
	90	# list of available options, their meanings and defaults, please see the
	91	# ssh_config(5) man page.
	92
	93	-# Host *
	94	+Host *
	95	# ForwardAgent no
	96	# ForwardX11 no
	97	+# ForwardX11Trusted yes
	98	# RhostsRSAAuthentication no
	99	# RSAAuthentication yes
	100	# PasswordAuthentication yes
	101	@@ -48,3 +49,7 @@
	102	# VisualHostKey no
	103	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	104	# RekeyLimit 1G 1h
	105	+ SendEnv LANG LC_*
	106	+ HashKnownHosts yes
	107	+ GSSAPIAuthentication yes
	108	+ GSSAPIDelegateCredentials no
	109	diff --git a/ssh_config.5 b/ssh_config.5
	110	index d4928b8..81b9b74 100644
	111	--- a/ssh_config.5
	112	+++ b/ssh_config.5
	113	@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
	114	host-specific declarations should be given near the beginning of the
	115	file, and general defaults at the end.
	116	.Pp
	117	+Note that the Debian
	118	+.Ic openssh-client
	119	+package sets several options as standard in
	120	+.Pa /etc/ssh/ssh_config
	121	+which are not the default in
	122	+.Xr ssh 1 :
	123	+.Pp
	124	+.Bl -bullet -offset indent -compact
	125	+.It
	126	+.Cm SendEnv No LANG LC_*
	127	+.It
	128	+.Cm HashKnownHosts No yes
	129	+.It
	130	+.Cm GSSAPIAuthentication No yes
	131	+.El
	132	+.Pp
	133	The configuration file has the following format:
	134	.Pp
	135	Empty lines and lines starting with
	136	@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
	137	Remote clients will be refused access after this time.
	138	.Pp
	139	The default is
	140	-.Dq no .
	141	+.Dq yes
	142	+(Debian-specific).
	143	.Pp
	144	See the X11 SECURITY extension specification for full details on
	145	the restrictions imposed on untrusted clients.
	146	diff --git a/sshd_config.5 b/sshd_config.5
	147	index 0828592..0be7250 100644
	148	--- a/sshd_config.5
	149	+++ b/sshd_config.5
	150	@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
	151	.Pq \&"
	152	in order to represent arguments containing spaces.
	153	.Pp
	154	+Note that the Debian
	155	+.Ic openssh-server
	156	+package sets several options as standard in
	157	+.Pa /etc/ssh/sshd_config
	158	+which are not the default in
	159	+.Xr sshd 8 .
	160	+The exact list depends on whether the package was installed fresh or
	161	+upgraded from various possible previous versions, but includes at least the
	162	+following:
	163	+.Pp
	164	+.Bl -bullet -offset indent -compact
	165	+.It
	166	+.Cm ChallengeResponseAuthentication No no
	167	+.It
	168	+.Cm X11Forwarding No yes
	169	+.It
	170	+.Cm PrintMotd No no
	171	+.It
	172	+.Cm AcceptEnv No LANG LC_*
	173	+.It
	174	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	175	+.It
	176	+.Cm UsePAM No yes
	177	+.El
	178	+.Pp
	179	The possible
	180	keywords and their meanings are as follows (note that
	181	keywords are case-insensitive and arguments are case-sensitive):