1 files changed, 198 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..c990a01c3
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,198 @@
+From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+PermitRootLogin default.
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-08-19
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
+ ssh_config    |  7 ++++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config   |  3 ++-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 6 files changed, 73 insertions(+), 4 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index 5f6c37f..f0769b5 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 2178863..e2cce49 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -670,12 +670,33 @@ option and the
+ directive in
+ .Xr ssh_config 5
+ for more information.
+.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+ .It Fl x
+ Disables X11 forwarding.
+ .It Fl Y
+ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+.Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index acd581b..844d1a0 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
+.Dq yes
+(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config b/sshd_config
+index 1dfd0f1..23a338f 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -41,7 +41,8 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+-#PermitRootLogin no
+# See /usr/share/doc/openssh-server/README.Debian.gz.
+#PermitRootLogin without-password
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+diff --git a/sshd_config.5 b/sshd_config.5
+index 355b445..eb6bff8 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..c990a01c3 --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,198 @@
	1	From 88ebb6a4a95f2f9ded930587c33f08cff0fc1db4 Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	15	default.
	16
	17	sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
	18	PermitRootLogin default.
	19
	20	Document all of this, along with several sshd defaults set in
	21	debian/openssh-server.postinst.
	22
	23	Author: Russ Allbery <rra@debian.org>
	24	Forwarded: not-needed
	25	Last-Update: 2015-08-19
	26
	27	Patch-Name: debian-config.patch
	28	---
	29	readconf.c \| 2 +-
	30	ssh.1 \| 21 +++++++++++++++++++++
	31	ssh_config \| 7 ++++++-
	32	ssh_config.5 \| 19 ++++++++++++++++++-
	33	sshd_config \| 3 ++-
	34	sshd_config.5 \| 25 +++++++++++++++++++++++++
	35	6 files changed, 73 insertions(+), 4 deletions(-)
	36
	37	diff --git a/readconf.c b/readconf.c
	38	index 5f6c37f..f0769b5 100644
	39	--- a/readconf.c
	40	+++ b/readconf.c
	41	@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
	42	if (options->forward_x11 == -1)
	43	options->forward_x11 = 0;
	44	if (options->forward_x11_trusted == -1)
	45	- options->forward_x11_trusted = 0;
	46	+ options->forward_x11_trusted = 1;
	47	if (options->forward_x11_timeout == -1)
	48	options->forward_x11_timeout = 1200;
	49	if (options->exit_on_forward_failure == -1)
	50	diff --git a/ssh.1 b/ssh.1
	51	index 2178863..e2cce49 100644
	52	--- a/ssh.1
	53	+++ b/ssh.1
	54	@@ -670,12 +670,33 @@ option and the
	55	directive in
	56	.Xr ssh_config 5
	57	for more information.
	58	+.Pp
	59	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
	60	+restrictions by default, because too many programs currently crash in this
	61	+mode.
	62	+Set the
	63	+.Cm ForwardX11Trusted
	64	+option to
	65	+.Dq no
	66	+to restore the upstream behaviour.
	67	+This may change in future depending on client-side improvements.)
	68	.It Fl x
	69	Disables X11 forwarding.
	70	.It Fl Y
	71	Enables trusted X11 forwarding.
	72	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
	73	controls.
	74	+.Pp
	75	+(Debian-specific: This option does nothing in the default configuration: it
	76	+is equivalent to
	77	+.Dq Cm ForwardX11Trusted No yes ,
	78	+which is the default as described above.
	79	+Set the
	80	+.Cm ForwardX11Trusted
	81	+option to
	82	+.Dq no
	83	+to restore the upstream behaviour.
	84	+This may change in future depending on client-side improvements.)
	85	.It Fl y
	86	Send log information using the
	87	.Xr syslog 3
	88	diff --git a/ssh_config b/ssh_config
	89	index 228e5ab..c9386aa 100644
	90	--- a/ssh_config
	91	+++ b/ssh_config
	92	@@ -17,9 +17,10 @@
	93	# list of available options, their meanings and defaults, please see the
	94	# ssh_config(5) man page.
	95
	96	-# Host *
	97	+Host *
	98	# ForwardAgent no
	99	# ForwardX11 no
	100	+# ForwardX11Trusted yes
	101	# RhostsRSAAuthentication no
	102	# RSAAuthentication yes
	103	# PasswordAuthentication yes
	104	@@ -48,3 +49,7 @@
	105	# VisualHostKey no
	106	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	107	# RekeyLimit 1G 1h
	108	+ SendEnv LANG LC_*
	109	+ HashKnownHosts yes
	110	+ GSSAPIAuthentication yes
	111	+ GSSAPIDelegateCredentials no
	112	diff --git a/ssh_config.5 b/ssh_config.5
	113	index acd581b..844d1a0 100644
	114	--- a/ssh_config.5
	115	+++ b/ssh_config.5
	116	@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
	117	host-specific declarations should be given near the beginning of the
	118	file, and general defaults at the end.
	119	.Pp
	120	+Note that the Debian
	121	+.Ic openssh-client
	122	+package sets several options as standard in
	123	+.Pa /etc/ssh/ssh_config
	124	+which are not the default in
	125	+.Xr ssh 1 :
	126	+.Pp
	127	+.Bl -bullet -offset indent -compact
	128	+.It
	129	+.Cm SendEnv No LANG LC_*
	130	+.It
	131	+.Cm HashKnownHosts No yes
	132	+.It
	133	+.Cm GSSAPIAuthentication No yes
	134	+.El
	135	+.Pp
	136	The configuration file has the following format:
	137	.Pp
	138	Empty lines and lines starting with
	139	@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
	140	Remote clients will be refused access after this time.
	141	.Pp
	142	The default is
	143	-.Dq no .
	144	+.Dq yes
	145	+(Debian-specific).
	146	.Pp
	147	See the X11 SECURITY extension specification for full details on
	148	the restrictions imposed on untrusted clients.
	149	diff --git a/sshd_config b/sshd_config
	150	index 1dfd0f1..23a338f 100644
	151	--- a/sshd_config
	152	+++ b/sshd_config
	153	@@ -41,7 +41,8 @@
	154	# Authentication:
	155
	156	#LoginGraceTime 2m
	157	-#PermitRootLogin no
	158	+# See /usr/share/doc/openssh-server/README.Debian.gz.
	159	+#PermitRootLogin without-password
	160	#StrictModes yes
	161	#MaxAuthTries 6
	162	#MaxSessions 10
	163	diff --git a/sshd_config.5 b/sshd_config.5
	164	index 355b445..eb6bff8 100644
	165	--- a/sshd_config.5
	166	+++ b/sshd_config.5
	167	@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
	168	.Pq \&"
	169	in order to represent arguments containing spaces.
	170	.Pp
	171	+Note that the Debian
	172	+.Ic openssh-server
	173	+package sets several options as standard in
	174	+.Pa /etc/ssh/sshd_config
	175	+which are not the default in
	176	+.Xr sshd 8 .
	177	+The exact list depends on whether the package was installed fresh or
	178	+upgraded from various possible previous versions, but includes at least the
	179	+following:
	180	+.Pp
	181	+.Bl -bullet -offset indent -compact
	182	+.It
	183	+.Cm ChallengeResponseAuthentication No no
	184	+.It
	185	+.Cm X11Forwarding No yes
	186	+.It
	187	+.Cm PrintMotd No no
	188	+.It
	189	+.Cm AcceptEnv No LANG LC_*
	190	+.It
	191	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	192	+.It
	193	+.Cm UsePAM No yes
	194	+.El
	195	+.Pp
	196	The possible
	197	keywords and their meanings are as follows (note that
	198	keywords are case-insensitive and arguments are case-sensitive):