Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 199 |
1 files changed, 199 insertions, 0 deletions
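diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..8129c1e58
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,199 @@
+From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-12-07
+
+Patch-Name: debian-config.patch
+---
+ readconf.c | 2 +-
+ ssh.1 | 21 +++++++++++++++++++++
+ ssh_config | 7 ++++++-
+ ssh_config.5 | 19 ++++++++++++++++++-
+ sshd_config | 2 +-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 6 files changed, 72 insertions(+), 4 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index c02cdf63..d1091cbd 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
+ 	if (options->forward_x11 == -1)
+ 		options->forward_x11 = 0;
+ 	if (options->forward_x11_trusted == -1)
+-		options->forward_x11_trusted = 0;
++		options->forward_x11_trusted = 1;
+ 	if (options->forward_x11_timeout == -1)
+ 		options->forward_x11_timeout = 1200;
+ 	/*
+diff --git a/ssh.1 b/ssh.1
+index 22e56a7b..6aa57c46 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -785,6 +785,16 @@ directive in
+ .Xr ssh_config 5
+ for more information.
+ .Pp
++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
++restrictions by default, because too many programs currently crash in this
++mode.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
++.Pp
+ .It Fl x
+ Disables X11 forwarding.
+ .Pp
+@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+ .Pp
++(Debian-specific: This option does nothing in the default configuration: it
++is equivalent to
++.Dq Cm ForwardX11Trusted No yes ,
++which is the default as described above.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
++.Pp
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 4e879cd2..5190b06b 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
++Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted yes
+ # RhostsRSAAuthentication no
+ # RSAAuthentication yes
+ # PasswordAuthentication yes
+@@ -50,3 +51,7 @@
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
++ SendEnv LANG LC_*
++ HashKnownHosts yes
++ GSSAPIAuthentication yes
++ GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index 40617be4..8dce757e 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
++Note that the Debian
++.Ic openssh-client
++package sets several options as standard in
++.Pa /etc/ssh/ssh_config
++which are not the default in
++.Xr ssh 1 :
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm SendEnv No LANG LC_*
++.It
++.Cm HashKnownHosts No yes
++.It
++.Cm GSSAPIAuthentication No yes
++.El
++.Pp
+ The file contains keyword-argument pairs, one per line.
+ Lines starting with
+ .Ql #
+@@ -711,11 +727,12 @@ elapsed.
+ .It Cm ForwardX11Trusted
+ If this option is set to
+ .Cm yes ,
++(the Debian-specific default),
+ remote X11 clients will have full access to the original X11 display.
+ .Pp
+ If this option is set to
+ .Cm no
+-(the default),
++(the upstream default),
+ remote X11 clients will be considered untrusted and prevented
+ from stealing or tampering with data belonging to trusted X11
+ clients.
+diff --git a/sshd_config b/sshd_config
+index 00e5a728..c0b84f8e 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys
+ #Banner none
+ 
+ # override default of no subsystems
+-Subsystem sftp /usr/libexec/sftp-server
++Subsystem sftp /usr/lib/openssh/sftp-server
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+diff --git a/sshd_config.5 b/sshd_config.5
+index e45a8937..d6911a98 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
++Note that the Debian
++.Ic openssh-server
++package sets several options as standard in
++.Pa /etc/ssh/sshd_config
++which are not the default in
++.Xr sshd 8 .
++The exact list depends on whether the package was installed fresh or
++upgraded from various possible previous versions, but includes at least the
++following:
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm ChallengeResponseAuthentication No no
++.It
++.Cm X11Forwarding No yes
++.It
++.Cm PrintMotd No no
++.It
++.Cm AcceptEnv No LANG LC_*
++.It
++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
++.It
++.Cm UsePAM No yes
++.El
++.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):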
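Review bot: The compiled-in default `options->forward_x11_trusted = 1` in the readconf.c hunk of the nested patch is not reflected in the shipped ssh_config, which only carries the commented line `# ForwardX11Trusted yes` among the upstream-looking defaults, so an administrator reading /etc/ssh/ssh_config gets no hint that plain `ssh -X` now gives remote X11 clients full access to the local display (the ssh.1 text added by the same patch says as much). Make the divergence visible where the configuration is read: uncomment it as `ForwardX11Trusted yes`, or precede it with `# Debian default is yes (trusted); set to no for the upstream X11 SECURITY-extension behaviour`. It also seems worth stating in the ssh_config.5 addition that, per the upstream ForwardX11Timeout description, the 1200-second timeout assigned two lines below in the same hunk applies only to untrusted forwarding, so with this default it no longer bounds a forwarded session — confirm against the ForwardX11Timeout documentation before wording that. The enclosing fill_default_options body starts and ends outside the hunk.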