path: root/debian/patches/debian-config.patch
Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- debian/patches/debian-config.patch 195
1 files changed, 195 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..0a2b1c58d
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,195 @@
1From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes
5
6ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
7fewer problems with existing setups (http://bugs.debian.org/237021).
8
9ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
10
11ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
12worms.
13
14ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
15default.
16
17Document all of this, along with several sshd defaults set in
18debian/openssh-server.postinst.
19
20Author: Russ Allbery <rra@debian.org>
21Forwarded: not-needed
22Last-Update: 2015-12-07
23
24Patch-Name: debian-config.patch
25---
26 readconf.c | 2 +-
27 ssh.1 | 21 +++++++++++++++++++++
28 ssh_config | 7 ++++++-
29 ssh_config.5 | 19 ++++++++++++++++++-
30 sshd_config | 2 +-
31 sshd_config.5 | 25 +++++++++++++++++++++++++
32 6 files changed, 72 insertions(+), 4 deletions(-)
33
34diff --git a/readconf.c b/readconf.c
35index c0ba5a7..e4e1cba 100644
36--- a/readconf.c
37+++ b/readconf.c
38@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
39 if (options->forward_x11 == -1)
40 options->forward_x11 = 0;
41 if (options->forward_x11_trusted == -1)
42- options->forward_x11_trusted = 0;
43+ options->forward_x11_trusted = 1;
44 if (options->forward_x11_timeout == -1)
45 options->forward_x11_timeout = 1200;
46 if (options->exit_on_forward_failure == -1)
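Review bot: the changed line `options->forward_x11_trusted = 1;` in fill_default_options() carries no comment marking it as a Debian deviation from upstream, and because it is a compiled-in default it applies regardless of what the shipped ssh_config contains. Since the man page text added later in this patch says trusted forwarding is not subjected to X11 SECURITY extension restrictions, a short comment here pointing at http://bugs.debian.org/237021 and at `ForwardX11Trusted no` as the way back to upstream behaviour would help anyone auditing the source. The context line `options->forward_x11 = 0;` is unchanged, so the new default only takes effect once X11 forwarding is enabled; that is worth stating in the same comment.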
47diff --git a/ssh.1 b/ssh.1
48index 05b7f10..649d6c3 100644
49--- a/ssh.1
50+++ b/ssh.1
51@@ -755,6 +755,16 @@ directive in
52 .Xr ssh_config 5
53 for more information.
54 .Pp
55+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
56+restrictions by default, because too many programs currently crash in this
57+mode.
58+Set the
59+.Cm ForwardX11Trusted
60+option to
61+.Dq no
62+to restore the upstream behaviour.
63+This may change in future depending on client-side improvements.)
64+.Pp
65 .It Fl x
66 Disables X11 forwarding.
67 .Pp
68@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
69 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
70 controls.
71 .Pp
72+(Debian-specific: This option does nothing in the default configuration: it
73+is equivalent to
74+.Dq Cm ForwardX11Trusted No yes ,
75+which is the default as described above.
76+Set the
77+.Cm ForwardX11Trusted
78+option to
79+.Dq no
80+to restore the upstream behaviour.
81+This may change in future depending on client-side improvements.)
82+.Pp
83 .It Fl y
84 Send log information using the
85 .Xr syslog 3
86diff --git a/ssh_config b/ssh_config
87index 228e5ab..c9386aa 100644
88--- a/ssh_config
89+++ b/ssh_config
90@@ -17,9 +17,10 @@
91 # list of available options, their meanings and defaults, please see the
92 # ssh_config(5) man page.
93
94-# Host *
95+Host *
96 # ForwardAgent no
97 # ForwardX11 no
98+# ForwardX11Trusted yes
99 # RhostsRSAAuthentication no
100 # RSAAuthentication yes
101 # PasswordAuthentication yes
102@@ -48,3 +49,7 @@
103 # VisualHostKey no
104 # ProxyCommand ssh -q -W %h:%p gateway.example.com
105 # RekeyLimit 1G 1h
106+ SendEnv LANG LC_*
107+ HashKnownHosts yes
108+ GSSAPIAuthentication yes
109+ GSSAPIDelegateCredentials no
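Review bot: the four active lines appended at the end of ssh_config have no comment identifying them as Debian-specific, and they sit far below the `Host *` line that the previous hunk uncommented, separated by a run of commented-out examples. A reader skimming the file can miss that `SendEnv LANG LC_*`, `HashKnownHosts yes` and the two GSSAPI settings are scoped to every host. Consider moving them directly under `Host *` or adding a one-line comment above them, and note that the first hunk's `# ForwardX11Trusted yes` reflects the patched readconf.c default rather than the upstream one.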
110diff --git a/ssh_config.5 b/ssh_config.5
111index d4928b8..81b9b74 100644
112--- a/ssh_config.5
113+++ b/ssh_config.5
114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
115 host-specific declarations should be given near the beginning of the
116 file, and general defaults at the end.
117 .Pp
118+Note that the Debian
119+.Ic openssh-client
120+package sets several options as standard in
121+.Pa /etc/ssh/ssh_config
122+which are not the default in
123+.Xr ssh 1 :
124+.Pp
125+.Bl -bullet -offset indent -compact
126+.It
127+.Cm SendEnv No LANG LC_*
128+.It
129+.Cm HashKnownHosts No yes
130+.It
131+.Cm GSSAPIAuthentication No yes
132+.El
133+.Pp
134 The configuration file has the following format:
135 .Pp
136 Empty lines and lines starting with
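Review bot: the bullet list added to ssh_config.5 names three options, while the ssh_config hunk in this patch adds four active lines; `GSSAPIDelegateCredentials no` is missing from the list. If it is left out because it matches the built-in default, say so in the paragraph, otherwise list it. The list also makes no mention of the ForwardX11Trusted change, which is documented only further down in the option's own entry; a cross-reference here would put all Debian-specific client defaults in one place.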
137@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
138 Remote clients will be refused access after this time.
139 .Pp
140 The default is
141-.Dq no .
142+.Dq yes
143+(Debian-specific).
144 .Pp
145 See the X11 SECURITY extension specification for full details on
146 the restrictions imposed on untrusted clients.
147diff --git a/sshd_config b/sshd_config
148index 64786c9..d8338db 100644
149--- a/sshd_config
150+++ b/sshd_config
151@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
152 #Banner none
153
154 # override default of no subsystems
155-Subsystem sftp /usr/libexec/sftp-server
156+Subsystem sftp /usr/lib/openssh/sftp-server
157
158 # Example of overriding settings on a per-user basis
159 #Match User anoncvs
160diff --git a/sshd_config.5 b/sshd_config.5
161index 0828592..0be7250 100644
162--- a/sshd_config.5
163+++ b/sshd_config.5
164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
165 .Pq \&"
166 in order to represent arguments containing spaces.
167 .Pp
168+Note that the Debian
169+.Ic openssh-server
170+package sets several options as standard in
171+.Pa /etc/ssh/sshd_config
172+which are not the default in
173+.Xr sshd 8 .
174+The exact list depends on whether the package was installed fresh or
175+upgraded from various possible previous versions, but includes at least the
176+following:
177+.Pp
178+.Bl -bullet -offset indent -compact
179+.It
180+.Cm ChallengeResponseAuthentication No no
181+.It
182+.Cm X11Forwarding No yes
183+.It
184+.Cm PrintMotd No no
185+.It
186+.Cm AcceptEnv No LANG LC_*
187+.It
188+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
189+.It
190+.Cm UsePAM No yes
191+.El
192+.Pp
193 The possible
194 keywords and their meanings are as follows (note that
195 keywords are case-insensitive and arguments are case-sensitive):
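Review bot: the list added to sshd_config.5 documents values that, per the commit message, are set in debian/openssh-server.postinst, yet the only sshd_config change in this patch is the `Subsystem sftp /usr/lib/openssh/sftp-server` path, so nothing here keeps the man page and the postinst in step. The wording "The exact list depends on whether the package was installed fresh or upgraded" and "includes at least the following" leaves an administrator unable to tell from the man page which settings are in force, which matters for entries such as `X11Forwarding yes` and `UsePAM yes`. Suggest adding a sentence directing readers to check the installed /etc/ssh/sshd_config (or the output of `sshd -T`) and a comment in the postinst pointing back at this list.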