diff options
Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 238 |
1 files changed, 238 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..be6d7df30 --- /dev/null +++ b/debian/patches/debian-config.patch | |||
@@ -0,0 +1,238 @@ | |||
1 | From e8e09061f8168f6f105f56fca10b6cd61b9f587a Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | ||
4 | Subject: Various Debian-specific configuration changes | ||
5 | |||
6 | ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause | ||
7 | fewer problems with existing setups (http://bugs.debian.org/237021). | ||
8 | |||
9 | ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). | ||
10 | |||
11 | ssh: Enable HashKnownHosts by default to try to limit the spread of ssh | ||
12 | worms. | ||
13 | |||
14 | ssh: Enable GSSAPIAuthentication by default. | ||
15 | |||
16 | sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable | ||
17 | PrintMotd. | ||
18 | |||
19 | sshd: Enable X11Forwarding. | ||
20 | |||
21 | sshd: Set 'AcceptEnv LANG LC_*' by default. | ||
22 | |||
23 | sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. | ||
24 | |||
25 | Document all of this. | ||
26 | |||
27 | Author: Russ Allbery <rra@debian.org> | ||
28 | Forwarded: not-needed | ||
29 | Last-Update: 2017-10-04 | ||
30 | |||
31 | Patch-Name: debian-config.patch | ||
32 | --- | ||
33 | readconf.c | 2 +- | ||
34 | ssh.1 | 21 +++++++++++++++++++++ | ||
35 | ssh_config | 6 +++++- | ||
36 | ssh_config.5 | 19 ++++++++++++++++++- | ||
37 | sshd_config | 16 ++++++++++------ | ||
38 | sshd_config.5 | 22 ++++++++++++++++++++++ | ||
39 | 6 files changed, 77 insertions(+), 9 deletions(-) | ||
40 | |||
41 | diff --git a/readconf.c b/readconf.c | ||
42 | index 50349e238..efcf2d628 100644 | ||
43 | --- a/readconf.c | ||
44 | +++ b/readconf.c | ||
45 | @@ -1916,7 +1916,7 @@ fill_default_options(Options * options) | ||
46 | if (options->forward_x11 == -1) | ||
47 | options->forward_x11 = 0; | ||
48 | if (options->forward_x11_trusted == -1) | ||
49 | - options->forward_x11_trusted = 0; | ||
50 | + options->forward_x11_trusted = 1; | ||
51 | if (options->forward_x11_timeout == -1) | ||
52 | options->forward_x11_timeout = 1200; | ||
53 | /* | ||
54 | diff --git a/ssh.1 b/ssh.1 | ||
55 | index f8fc26d2a..8a03db952 100644 | ||
56 | --- a/ssh.1 | ||
57 | +++ b/ssh.1 | ||
58 | @@ -768,6 +768,16 @@ directive in | ||
59 | .Xr ssh_config 5 | ||
60 | for more information. | ||
61 | .Pp | ||
62 | +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension | ||
63 | +restrictions by default, because too many programs currently crash in this | ||
64 | +mode. | ||
65 | +Set the | ||
66 | +.Cm ForwardX11Trusted | ||
67 | +option to | ||
68 | +.Dq no | ||
69 | +to restore the upstream behaviour. | ||
70 | +This may change in future depending on client-side improvements.) | ||
71 | +.Pp | ||
72 | .It Fl x | ||
73 | Disables X11 forwarding. | ||
74 | .Pp | ||
75 | @@ -776,6 +786,17 @@ Enables trusted X11 forwarding. | ||
76 | Trusted X11 forwardings are not subjected to the X11 SECURITY extension | ||
77 | controls. | ||
78 | .Pp | ||
79 | +(Debian-specific: This option does nothing in the default configuration: it | ||
80 | +is equivalent to | ||
81 | +.Dq Cm ForwardX11Trusted No yes , | ||
82 | +which is the default as described above. | ||
83 | +Set the | ||
84 | +.Cm ForwardX11Trusted | ||
85 | +option to | ||
86 | +.Dq no | ||
87 | +to restore the upstream behaviour. | ||
88 | +This may change in future depending on client-side improvements.) | ||
89 | +.Pp | ||
90 | .It Fl y | ||
91 | Send log information using the | ||
92 | .Xr syslog 3 | ||
93 | diff --git a/ssh_config b/ssh_config | ||
94 | index bcb9f153d..1b676fb2c 100644 | ||
95 | --- a/ssh_config | ||
96 | +++ b/ssh_config | ||
97 | @@ -17,9 +17,10 @@ | ||
98 | # list of available options, their meanings and defaults, please see the | ||
99 | # ssh_config(5) man page. | ||
100 | |||
101 | -# Host * | ||
102 | +Host * | ||
103 | # ForwardAgent no | ||
104 | # ForwardX11 no | ||
105 | +# ForwardX11Trusted yes | ||
106 | # PasswordAuthentication yes | ||
107 | # HostbasedAuthentication no | ||
108 | # GSSAPIAuthentication no | ||
109 | @@ -46,3 +47,6 @@ | ||
110 | # VisualHostKey no | ||
111 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | ||
112 | # RekeyLimit 1G 1h | ||
113 | + SendEnv LANG LC_* | ||
114 | + HashKnownHosts yes | ||
115 | + GSSAPIAuthentication yes | ||
116 | diff --git a/ssh_config.5 b/ssh_config.5 | ||
117 | index ca0528842..ed6e5d026 100644 | ||
118 | --- a/ssh_config.5 | ||
119 | +++ b/ssh_config.5 | ||
120 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | ||
121 | host-specific declarations should be given near the beginning of the | ||
122 | file, and general defaults at the end. | ||
123 | .Pp | ||
124 | +Note that the Debian | ||
125 | +.Ic openssh-client | ||
126 | +package sets several options as standard in | ||
127 | +.Pa /etc/ssh/ssh_config | ||
128 | +which are not the default in | ||
129 | +.Xr ssh 1 : | ||
130 | +.Pp | ||
131 | +.Bl -bullet -offset indent -compact | ||
132 | +.It | ||
133 | +.Cm SendEnv No LANG LC_* | ||
134 | +.It | ||
135 | +.Cm HashKnownHosts No yes | ||
136 | +.It | ||
137 | +.Cm GSSAPIAuthentication No yes | ||
138 | +.El | ||
139 | +.Pp | ||
140 | The file contains keyword-argument pairs, one per line. | ||
141 | Lines starting with | ||
142 | .Ql # | ||
143 | @@ -690,11 +706,12 @@ elapsed. | ||
144 | .It Cm ForwardX11Trusted | ||
145 | If this option is set to | ||
146 | .Cm yes , | ||
147 | +(the Debian-specific default), | ||
148 | remote X11 clients will have full access to the original X11 display. | ||
149 | .Pp | ||
150 | If this option is set to | ||
151 | .Cm no | ||
152 | -(the default), | ||
153 | +(the upstream default), | ||
154 | remote X11 clients will be considered untrusted and prevented | ||
155 | from stealing or tampering with data belonging to trusted X11 | ||
156 | clients. | ||
157 | diff --git a/sshd_config b/sshd_config | ||
158 | index 86263d713..de9cc9fe2 100644 | ||
159 | --- a/sshd_config | ||
160 | +++ b/sshd_config | ||
161 | @@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
162 | #PasswordAuthentication yes | ||
163 | #PermitEmptyPasswords no | ||
164 | |||
165 | -# Change to no to disable s/key passwords | ||
166 | -#ChallengeResponseAuthentication yes | ||
167 | +# Change to yes to enable challenge-response passwords (beware issues with | ||
168 | +# some PAM modules and threads) | ||
169 | +ChallengeResponseAuthentication no | ||
170 | |||
171 | # Kerberos options | ||
172 | #KerberosAuthentication no | ||
173 | @@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
174 | # If you just want the PAM account and session checks to run without | ||
175 | # PAM authentication, then enable this but set PasswordAuthentication | ||
176 | # and ChallengeResponseAuthentication to 'no'. | ||
177 | -#UsePAM no | ||
178 | +UsePAM yes | ||
179 | |||
180 | #AllowAgentForwarding yes | ||
181 | #AllowTcpForwarding yes | ||
182 | #GatewayPorts no | ||
183 | -#X11Forwarding no | ||
184 | +X11Forwarding yes | ||
185 | #X11DisplayOffset 10 | ||
186 | #X11UseLocalhost yes | ||
187 | #PermitTTY yes | ||
188 | -#PrintMotd yes | ||
189 | +PrintMotd no | ||
190 | #PrintLastLog yes | ||
191 | #TCPKeepAlive yes | ||
192 | #UseLogin no | ||
193 | @@ -108,8 +109,11 @@ AuthorizedKeysFile .ssh/authorized_keys | ||
194 | # no default banner path | ||
195 | #Banner none | ||
196 | |||
197 | +# Allow client to pass locale environment variables | ||
198 | +AcceptEnv LANG LC_* | ||
199 | + | ||
200 | # override default of no subsystems | ||
201 | -Subsystem sftp /usr/libexec/sftp-server | ||
202 | +Subsystem sftp /usr/lib/openssh/sftp-server | ||
203 | |||
204 | # Example of overriding settings on a per-user basis | ||
205 | #Match User anoncvs | ||
206 | diff --git a/sshd_config.5 b/sshd_config.5 | ||
207 | index 44b918463..4c7ee4254 100644 | ||
208 | --- a/sshd_config.5 | ||
209 | +++ b/sshd_config.5 | ||
210 | @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes | ||
211 | .Pq \&" | ||
212 | in order to represent arguments containing spaces. | ||
213 | .Pp | ||
214 | +Note that the Debian | ||
215 | +.Ic openssh-server | ||
216 | +package sets several options as standard in | ||
217 | +.Pa /etc/ssh/sshd_config | ||
218 | +which are not the default in | ||
219 | +.Xr sshd 8 : | ||
220 | +.Pp | ||
221 | +.Bl -bullet -offset indent -compact | ||
222 | +.It | ||
223 | +.Cm ChallengeResponseAuthentication No no | ||
224 | +.It | ||
225 | +.Cm X11Forwarding No yes | ||
226 | +.It | ||
227 | +.Cm PrintMotd No no | ||
228 | +.It | ||
229 | +.Cm AcceptEnv No LANG LC_* | ||
230 | +.It | ||
231 | +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
232 | +.It | ||
233 | +.Cm UsePAM No yes | ||
234 | +.El | ||
235 | +.Pp | ||
236 | The possible | ||
237 | keywords and their meanings are as follows (note that | ||
238 | keywords are case-insensitive and arguments are case-sensitive): | ||