1 files changed, 199 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..8129c1e58
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,199 @@
+From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-12-07
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
+ ssh_config    |  7 ++++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config   |  2 +-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 6 files changed, 72 insertions(+), 4 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index c02cdf63..d1091cbd 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        /*
+diff --git a/ssh.1 b/ssh.1
+index 22e56a7b..6aa57c46 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -785,6 +785,16 @@ directive in
+ .Xr ssh_config 5
+ for more information.
+ .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl x
+ Disables X11 forwarding.
+ .Pp
+@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+ .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 4e879cd2..5190b06b 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -50,3 +51,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index 40617be4..8dce757e 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The file contains keyword-argument pairs, one per line.
+ Lines starting with
+ .Ql #
+@@ -711,11 +727,12 @@ elapsed.
+ .It Cm ForwardX11Trusted
+ If this option is set to
+ .Cm yes ,
+(the Debian-specific default),
+ remote X11 clients will have full access to the original X11 display.
+ .Pp
+ If this option is set to
+ .Cm no
+-(the default),
+(the upstream default),
+ remote X11 clients will be considered untrusted and prevented
+ from stealing or tampering with data belonging to trusted X11
+ clients.
+diff --git a/sshd_config b/sshd_config
+index 00e5a728..c0b84f8e 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -111,7 +111,7 @@ AuthorizedKeysFile  .ssh/authorized_keys
+ #Banner none
+ 
+ # override default of no subsystems
+-Subsystem      sftp    /usr/libexec/sftp-server
+Subsystem      sftp    /usr/lib/openssh/sftp-server
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+diff --git a/sshd_config.5 b/sshd_config.5
+index e45a8937..d6911a98 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..8129c1e58 --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,199 @@
	1	From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	15	default.
	16
	17	Document all of this, along with several sshd defaults set in
	18	debian/openssh-server.postinst.
	19
	20	Author: Russ Allbery <rra@debian.org>
	21	Forwarded: not-needed
	22	Last-Update: 2015-12-07
	23
	24	Patch-Name: debian-config.patch
	25	---
	26	readconf.c \| 2 +-
	27	ssh.1 \| 21 +++++++++++++++++++++
	28	ssh_config \| 7 ++++++-
	29	ssh_config.5 \| 19 ++++++++++++++++++-
	30	sshd_config \| 2 +-
	31	sshd_config.5 \| 25 +++++++++++++++++++++++++
	32	6 files changed, 72 insertions(+), 4 deletions(-)
	33
	34	diff --git a/readconf.c b/readconf.c
	35	index c02cdf63..d1091cbd 100644
	36	--- a/readconf.c
	37	+++ b/readconf.c
	38	@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
	39	if (options->forward_x11 == -1)
	40	options->forward_x11 = 0;
	41	if (options->forward_x11_trusted == -1)
	42	- options->forward_x11_trusted = 0;
	43	+ options->forward_x11_trusted = 1;
	44	if (options->forward_x11_timeout == -1)
	45	options->forward_x11_timeout = 1200;
	46	/*
	47	diff --git a/ssh.1 b/ssh.1
	48	index 22e56a7b..6aa57c46 100644
	49	--- a/ssh.1
	50	+++ b/ssh.1
	51	@@ -785,6 +785,16 @@ directive in
	52	.Xr ssh_config 5
	53	for more information.
	54	.Pp
	55	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
	56	+restrictions by default, because too many programs currently crash in this
	57	+mode.
	58	+Set the
	59	+.Cm ForwardX11Trusted
	60	+option to
	61	+.Dq no
	62	+to restore the upstream behaviour.
	63	+This may change in future depending on client-side improvements.)
	64	+.Pp
	65	.It Fl x
	66	Disables X11 forwarding.
	67	.Pp
	68	@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
	69	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
	70	controls.
	71	.Pp
	72	+(Debian-specific: This option does nothing in the default configuration: it
	73	+is equivalent to
	74	+.Dq Cm ForwardX11Trusted No yes ,
	75	+which is the default as described above.
	76	+Set the
	77	+.Cm ForwardX11Trusted
	78	+option to
	79	+.Dq no
	80	+to restore the upstream behaviour.
	81	+This may change in future depending on client-side improvements.)
	82	+.Pp
	83	.It Fl y
	84	Send log information using the
	85	.Xr syslog 3
	86	diff --git a/ssh_config b/ssh_config
	87	index 4e879cd2..5190b06b 100644
	88	--- a/ssh_config
	89	+++ b/ssh_config
	90	@@ -17,9 +17,10 @@
	91	# list of available options, their meanings and defaults, please see the
	92	# ssh_config(5) man page.
	93
	94	-# Host *
	95	+Host *
	96	# ForwardAgent no
	97	# ForwardX11 no
	98	+# ForwardX11Trusted yes
	99	# RhostsRSAAuthentication no
	100	# RSAAuthentication yes
	101	# PasswordAuthentication yes
	102	@@ -50,3 +51,7 @@
	103	# VisualHostKey no
	104	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	105	# RekeyLimit 1G 1h
	106	+ SendEnv LANG LC_*
	107	+ HashKnownHosts yes
	108	+ GSSAPIAuthentication yes
	109	+ GSSAPIDelegateCredentials no
	110	diff --git a/ssh_config.5 b/ssh_config.5
	111	index 40617be4..8dce757e 100644
	112	--- a/ssh_config.5
	113	+++ b/ssh_config.5
	114	@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
	115	host-specific declarations should be given near the beginning of the
	116	file, and general defaults at the end.
	117	.Pp
	118	+Note that the Debian
	119	+.Ic openssh-client
	120	+package sets several options as standard in
	121	+.Pa /etc/ssh/ssh_config
	122	+which are not the default in
	123	+.Xr ssh 1 :
	124	+.Pp
	125	+.Bl -bullet -offset indent -compact
	126	+.It
	127	+.Cm SendEnv No LANG LC_*
	128	+.It
	129	+.Cm HashKnownHosts No yes
	130	+.It
	131	+.Cm GSSAPIAuthentication No yes
	132	+.El
	133	+.Pp
	134	The file contains keyword-argument pairs, one per line.
	135	Lines starting with
	136	.Ql #
	137	@@ -711,11 +727,12 @@ elapsed.
	138	.It Cm ForwardX11Trusted
	139	If this option is set to
	140	.Cm yes ,
	141	+(the Debian-specific default),
	142	remote X11 clients will have full access to the original X11 display.
	143	.Pp
	144	If this option is set to
	145	.Cm no
	146	-(the default),
	147	+(the upstream default),
	148	remote X11 clients will be considered untrusted and prevented
	149	from stealing or tampering with data belonging to trusted X11
	150	clients.
	151	diff --git a/sshd_config b/sshd_config
	152	index 00e5a728..c0b84f8e 100644
	153	--- a/sshd_config
	154	+++ b/sshd_config
	155	@@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys
	156	#Banner none
	157
	158	# override default of no subsystems
	159	-Subsystem sftp /usr/libexec/sftp-server
	160	+Subsystem sftp /usr/lib/openssh/sftp-server
	161
	162	# Example of overriding settings on a per-user basis
	163	#Match User anoncvs
	164	diff --git a/sshd_config.5 b/sshd_config.5
	165	index e45a8937..d6911a98 100644
	166	--- a/sshd_config.5
	167	+++ b/sshd_config.5
	168	@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
	169	.Pq \&"
	170	in order to represent arguments containing spaces.
	171	.Pp
	172	+Note that the Debian
	173	+.Ic openssh-server
	174	+package sets several options as standard in
	175	+.Pa /etc/ssh/sshd_config
	176	+which are not the default in
	177	+.Xr sshd 8 .
	178	+The exact list depends on whether the package was installed fresh or
	179	+upgraded from various possible previous versions, but includes at least the
	180	+following:
	181	+.Pp
	182	+.Bl -bullet -offset indent -compact
	183	+.It
	184	+.Cm ChallengeResponseAuthentication No no
	185	+.It
	186	+.Cm X11Forwarding No yes
	187	+.It
	188	+.Cm PrintMotd No no
	189	+.It
	190	+.Cm AcceptEnv No LANG LC_*
	191	+.It
	192	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	193	+.It
	194	+.Cm UsePAM No yes
	195	+.El
	196	+.Pp
	197	The possible
	198	keywords and their meanings are as follows (note that
	199	keywords are case-insensitive and arguments are case-sensitive):