1 files changed, 238 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..4866d52ad
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,238 @@
+From a433d9baa031d7136a8cf3e3807ebff83a3a8634 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication by default.
+sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
+PrintMotd.
+sshd: Enable X11Forwarding.
+sshd: Set 'AcceptEnv LANG LC_*' by default.
+sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
+Document all of this.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2017-10-04
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
+ ssh_config    |  6 +++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config   | 16 ++++++++++------
+ sshd_config.5 | 22 ++++++++++++++++++++++
+ 6 files changed, 77 insertions(+), 9 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index 6b01f20d2..661b8bf40 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -2000,7 +2000,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        /*
+diff --git a/ssh.1 b/ssh.1
+index ad1ed0f86..1bcc8edab 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -782,6 +782,16 @@ directive in
+ .Xr ssh_config 5
+ for more information.
+ .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl x
+ Disables X11 forwarding.
+ .Pp
+@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+ .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index bcb9f153d..1b676fb2c 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   PasswordAuthentication yes
+ #   HostbasedAuthentication no
+ #   GSSAPIAuthentication no
+@@ -46,3 +47,6 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+diff --git a/ssh_config.5 b/ssh_config.5
+index a91355726..1a8e24bd1 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The file contains keyword-argument pairs, one per line.
+ Lines starting with
+ .Ql #
+@@ -699,11 +715,12 @@ elapsed.
+ .It Cm ForwardX11Trusted
+ If this option is set to
+ .Cm yes ,
+(the Debian-specific default),
+ remote X11 clients will have full access to the original X11 display.
+ .Pp
+ If this option is set to
+ .Cm no
+-(the default),
+(the upstream default),
+ remote X11 clients will be considered untrusted and prevented
+ from stealing or tampering with data belonging to trusted X11
+ clients.
+diff --git a/sshd_config b/sshd_config
+index 2c48105f8..ed8272f6d 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -57,8 +57,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
+ 
+-# Change to no to disable s/key passwords
+-#ChallengeResponseAuthentication yes
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -81,16 +82,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
+UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
+X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
+PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
+@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # no default banner path
+ #Banner none
+ 
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+ # override default of no subsystems
+-Subsystem      sftp    /usr/libexec/sftp-server
+Subsystem      sftp    /usr/lib/openssh/sftp-server
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+diff --git a/sshd_config.5 b/sshd_config.5
+index 23f71fd1d..ba50a30f1 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..4866d52ad --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,238 @@
	1	From a433d9baa031d7136a8cf3e3807ebff83a3a8634 Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication by default.
	15
	16	sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
	17	PrintMotd.
	18
	19	sshd: Enable X11Forwarding.
	20
	21	sshd: Set 'AcceptEnv LANG LC_*' by default.
	22
	23	sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
	24
	25	Document all of this.
	26
	27	Author: Russ Allbery <rra@debian.org>
	28	Forwarded: not-needed
	29	Last-Update: 2017-10-04
	30
	31	Patch-Name: debian-config.patch
	32	---
	33	readconf.c \| 2 +-
	34	ssh.1 \| 21 +++++++++++++++++++++
	35	ssh_config \| 6 +++++-
	36	ssh_config.5 \| 19 ++++++++++++++++++-
	37	sshd_config \| 16 ++++++++++------
	38	sshd_config.5 \| 22 ++++++++++++++++++++++
	39	6 files changed, 77 insertions(+), 9 deletions(-)
	40
	41	diff --git a/readconf.c b/readconf.c
	42	index 6b01f20d2..661b8bf40 100644
	43	--- a/readconf.c
	44	+++ b/readconf.c
	45	@@ -2000,7 +2000,7 @@ fill_default_options(Options * options)
	46	if (options->forward_x11 == -1)
	47	options->forward_x11 = 0;
	48	if (options->forward_x11_trusted == -1)
	49	- options->forward_x11_trusted = 0;
	50	+ options->forward_x11_trusted = 1;
	51	if (options->forward_x11_timeout == -1)
	52	options->forward_x11_timeout = 1200;
	53	/*
	54	diff --git a/ssh.1 b/ssh.1
	55	index ad1ed0f86..1bcc8edab 100644
	56	--- a/ssh.1
	57	+++ b/ssh.1
	58	@@ -782,6 +782,16 @@ directive in
	59	.Xr ssh_config 5
	60	for more information.
	61	.Pp
	62	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
	63	+restrictions by default, because too many programs currently crash in this
	64	+mode.
	65	+Set the
	66	+.Cm ForwardX11Trusted
	67	+option to
	68	+.Dq no
	69	+to restore the upstream behaviour.
	70	+This may change in future depending on client-side improvements.)
	71	+.Pp
	72	.It Fl x
	73	Disables X11 forwarding.
	74	.Pp
	75	@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
	76	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
	77	controls.
	78	.Pp
	79	+(Debian-specific: This option does nothing in the default configuration: it
	80	+is equivalent to
	81	+.Dq Cm ForwardX11Trusted No yes ,
	82	+which is the default as described above.
	83	+Set the
	84	+.Cm ForwardX11Trusted
	85	+option to
	86	+.Dq no
	87	+to restore the upstream behaviour.
	88	+This may change in future depending on client-side improvements.)
	89	+.Pp
	90	.It Fl y
	91	Send log information using the
	92	.Xr syslog 3
	93	diff --git a/ssh_config b/ssh_config
	94	index bcb9f153d..1b676fb2c 100644
	95	--- a/ssh_config
	96	+++ b/ssh_config
	97	@@ -17,9 +17,10 @@
	98	# list of available options, their meanings and defaults, please see the
	99	# ssh_config(5) man page.
	100
	101	-# Host *
	102	+Host *
	103	# ForwardAgent no
	104	# ForwardX11 no
	105	+# ForwardX11Trusted yes
	106	# PasswordAuthentication yes
	107	# HostbasedAuthentication no
	108	# GSSAPIAuthentication no
	109	@@ -46,3 +47,6 @@
	110	# VisualHostKey no
	111	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	112	# RekeyLimit 1G 1h
	113	+ SendEnv LANG LC_*
	114	+ HashKnownHosts yes
	115	+ GSSAPIAuthentication yes
	116	diff --git a/ssh_config.5 b/ssh_config.5
	117	index a91355726..1a8e24bd1 100644
	118	--- a/ssh_config.5
	119	+++ b/ssh_config.5
	120	@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
	121	host-specific declarations should be given near the beginning of the
	122	file, and general defaults at the end.
	123	.Pp
	124	+Note that the Debian
	125	+.Ic openssh-client
	126	+package sets several options as standard in
	127	+.Pa /etc/ssh/ssh_config
	128	+which are not the default in
	129	+.Xr ssh 1 :
	130	+.Pp
	131	+.Bl -bullet -offset indent -compact
	132	+.It
	133	+.Cm SendEnv No LANG LC_*
	134	+.It
	135	+.Cm HashKnownHosts No yes
	136	+.It
	137	+.Cm GSSAPIAuthentication No yes
	138	+.El
	139	+.Pp
	140	The file contains keyword-argument pairs, one per line.
	141	Lines starting with
	142	.Ql #
	143	@@ -699,11 +715,12 @@ elapsed.
	144	.It Cm ForwardX11Trusted
	145	If this option is set to
	146	.Cm yes ,
	147	+(the Debian-specific default),
	148	remote X11 clients will have full access to the original X11 display.
	149	.Pp
	150	If this option is set to
	151	.Cm no
	152	-(the default),
	153	+(the upstream default),
	154	remote X11 clients will be considered untrusted and prevented
	155	from stealing or tampering with data belonging to trusted X11
	156	clients.
	157	diff --git a/sshd_config b/sshd_config
	158	index 2c48105f8..ed8272f6d 100644
	159	--- a/sshd_config
	160	+++ b/sshd_config
	161	@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
	162	#PasswordAuthentication yes
	163	#PermitEmptyPasswords no
	164
	165	-# Change to no to disable s/key passwords
	166	-#ChallengeResponseAuthentication yes
	167	+# Change to yes to enable challenge-response passwords (beware issues with
	168	+# some PAM modules and threads)
	169	+ChallengeResponseAuthentication no
	170
	171	# Kerberos options
	172	#KerberosAuthentication no
	173	@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys
	174	# If you just want the PAM account and session checks to run without
	175	# PAM authentication, then enable this but set PasswordAuthentication
	176	# and ChallengeResponseAuthentication to 'no'.
	177	-#UsePAM no
	178	+UsePAM yes
	179
	180	#AllowAgentForwarding yes
	181	#AllowTcpForwarding yes
	182	#GatewayPorts no
	183	-#X11Forwarding no
	184	+X11Forwarding yes
	185	#X11DisplayOffset 10
	186	#X11UseLocalhost yes
	187	#PermitTTY yes
	188	-#PrintMotd yes
	189	+PrintMotd no
	190	#PrintLastLog yes
	191	#TCPKeepAlive yes
	192	#PermitUserEnvironment no
	193	@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys
	194	# no default banner path
	195	#Banner none
	196
	197	+# Allow client to pass locale environment variables
	198	+AcceptEnv LANG LC_*
	199	+
	200	# override default of no subsystems
	201	-Subsystem sftp /usr/libexec/sftp-server
	202	+Subsystem sftp /usr/lib/openssh/sftp-server
	203
	204	# Example of overriding settings on a per-user basis
	205	#Match User anoncvs
	206	diff --git a/sshd_config.5 b/sshd_config.5
	207	index 23f71fd1d..ba50a30f1 100644
	208	--- a/sshd_config.5
	209	+++ b/sshd_config.5
	210	@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
	211	.Pq \&"
	212	in order to represent arguments containing spaces.
	213	.Pp
	214	+Note that the Debian
	215	+.Ic openssh-server
	216	+package sets several options as standard in
	217	+.Pa /etc/ssh/sshd_config
	218	+which are not the default in
	219	+.Xr sshd 8 :
	220	+.Pp
	221	+.Bl -bullet -offset indent -compact
	222	+.It
	223	+.Cm ChallengeResponseAuthentication No no
	224	+.It
	225	+.Cm X11Forwarding No yes
	226	+.It
	227	+.Cm PrintMotd No no
	228	+.It
	229	+.Cm AcceptEnv No LANG LC_*
	230	+.It
	231	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	232	+.It
	233	+.Cm UsePAM No yes
	234	+.El
	235	+.Pp
	236	The possible
	237	keywords and their meanings are as follows (note that
	238	keywords are case-insensitive and arguments are case-sensitive):