Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 157 |
1 files changed, 157 insertions, 0 deletions
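--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,157 @@
+From f08f2d9c3fedf37f97f1b2d06f1fe36af4e5f1c3 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+
+sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+PermitRootLogin default.
+
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2014-02-12
+
+Patch-Name: debian-config.patch
+---
+ readconf.c | 2 +-
+ ssh_config | 7 ++++++-
+ ssh_config.5 | 19 ++++++++++++++++++-
+ sshd_config | 1 +
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 5 files changed, 51 insertions(+), 3 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 273552d..6ac8bea 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1618,7 +1618,7 @@ fill_default_options(Options * options)
+ if (options->forward_x11 == -1)
+ options->forward_x11 = 0;
+ if (options->forward_x11_trusted == -1)
+- options->forward_x11_trusted = 0;
++ options->forward_x11_trusted = 1;
+ if (options->forward_x11_timeout == -1)
+ options->forward_x11_timeout = 1200;
+ if (options->exit_on_forward_failure == -1)
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+
+-# Host *
++Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted yes
+ # RhostsRSAAuthentication no
+ # RSAAuthentication yes
+ # PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
++ SendEnv LANG LC_*
++ HashKnownHosts yes
++ GSSAPIAuthentication yes
++ GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index 85f306c..cc91a5c 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
++Note that the Debian
++.Ic openssh-client
++package sets several options as standard in
++.Pa /etc/ssh/ssh_config
++which are not the default in
++.Xr ssh 1 :
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm SendEnv No LANG LC_*
++.It
++.Cm HashKnownHosts No yes
++.It
++.Cm GSSAPIAuthentication No yes
++.El
++.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -648,7 +664,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
++.Dq yes
++(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config b/sshd_config
+index d9b8594..4db32f5 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -41,6 +41,7 @@
+ # Authentication:
+
+ #LoginGraceTime 2m
++# See /usr/share/doc/openssh-server/README.Debian.gz.
+ #PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+diff --git a/sshd_config.5 b/sshd_config.5
+index 9fa6086..496530b 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
++Note that the Debian
++.Ic openssh-server
++package sets several options as standard in
++.Pa /etc/ssh/sshd_config
++which are not the default in
++.Xr sshd 8 .
++The exact list depends on whether the package was installed fresh or
++upgraded from various possible previous versions, but includes at least the
++following:
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm ChallengeResponseAuthentication No no
++.It
++.Cm X11Forwarding No yes
++.It
++.Cm PrintMotd No no
++.It
++.Cm AcceptEnv No LANG LC_*
++.It
++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
++.It
++.Cm UsePAM No yes
++.El
++.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):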
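Review bot: The nested readconf.c hunk flips the compiled-in default of `forward_x11_trusted` from 0 to 1 with no comment at the assignment, so the only record of why Debian diverges from upstream is the patch header and the bug reference. Since a trusted X11 forward is exempt from the X11 SECURITY extension restrictions that the ssh_config.5 hunk in this same patch points readers to, this is the default change with the largest security impact in the set, and a one-line marker would keep it from being silently dropped on a future rebase: `options->forward_x11_trusted = 1;	/* Debian default, see debian/patches/debian-config.patch (http://bugs.debian.org/237021) */`. Relatedly, the ssh_config.5 bullet list added in the first hunk of that file is scoped to options set in `/etc/ssh/ssh_config`, so the trusted-forwarding default, which is set in code and documented only under the ForwardX11Trusted entry further down, is not visible from the list; a sentence after `.El` pointing to that entry would help readers who stop at the list. fill_default_options begins and ends outside the nested hunk.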