Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 270 |
1 files changed, 270 insertions, 0 deletions
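--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,270 @@
+From a0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+
+ssh: Enable GSSAPIAuthentication by default.
+
+ssh: Include /etc/ssh/ssh_config.d/*.conf.
+
+sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
+PrintMotd.
+
+sshd: Enable X11Forwarding.
+
+sshd: Set 'AcceptEnv LANG LC_*' by default.
+
+sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
+
+sshd: Include /etc/ssh/sshd_config.d/*.conf.
+
+Document all of this.
+
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2020-10-18
+
+Patch-Name: debian-config.patch
+---
+readconf.c | 2 +-
+ssh.1 | 24 ++++++++++++++++++++++++
+ssh_config | 8 +++++++-
+ssh_config.5 | 26 +++++++++++++++++++++++++-
+sshd_config | 18 ++++++++++++------
+sshd_config.5 | 29 +++++++++++++++++++++++++++++
+6 files changed, 98 insertions(+), 9 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index f4f273c96..e676b6be6 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2153,7 +2153,7 @@ fill_default_options(Options * options)
+if (options->forward_x11 == -1)
+options->forward_x11 = 0;
+if (options->forward_x11_trusted == -1)
+- options->forward_x11_trusted = 0;
++ options->forward_x11_trusted = 1;
+if (options->forward_x11_timeout == -1)
+options->forward_x11_timeout = 1200;
+/*
+diff --git a/ssh.1 b/ssh.1
+index 76ddd89b5..ad48fc8c8 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -812,6 +812,16 @@ directive in
+.Xr ssh_config 5
+for more information.
+.Pp
++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
++restrictions by default, because too many programs currently crash in this
++mode.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
++.Pp
+.It Fl x
+Disables X11 forwarding.
+.Pp
+@@ -820,6 +830,20 @@ Enables trusted X11 forwarding.
+Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+controls.
+.Pp
++(Debian-specific: In the default configuration, this option is equivalent to
++.Fl X ,
++since
++.Cm ForwardX11Trusted
++defaults to
++.Dq yes
++as described above.
++Set the
++.Cm ForwardX11Trusted
++option to
++.Dq no
++to restore the upstream behaviour.
++This may change in future depending on client-side improvements.)
++.Pp
+.It Fl y
+Send log information using the
+.Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 52aae8692..09a17cf18 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -17,9 +17,12 @@
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+-# Host *
++Include /etc/ssh/ssh_config.d/*.conf
++
++Host *
+# ForwardAgent no
+# ForwardX11 no
++# ForwardX11Trusted yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+@@ -46,3 +49,6 @@
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
++ SendEnv LANG LC_*
++ HashKnownHosts yes
++ GSSAPIAuthentication yes
+diff --git a/ssh_config.5 b/ssh_config.5
+index 96ca7a5df..6d6c59521 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
+host-specific declarations should be given near the beginning of the
+file, and general defaults at the end.
+.Pp
++Note that the Debian
++.Ic openssh-client
++package sets several options as standard in
++.Pa /etc/ssh/ssh_config
++which are not the default in
++.Xr ssh 1 :
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm Include /etc/ssh/ssh_config.d/*.conf
++.It
++.Cm SendEnv No LANG LC_*
++.It
++.Cm HashKnownHosts No yes
++.It
++.Cm GSSAPIAuthentication No yes
++.El
++.Pp
++.Pa /etc/ssh/ssh_config.d/*.conf
++files are included at the start of the system-wide configuration file, so
++options set there will override those in
++.Pa /etc/ssh/ssh_config.
++.Pp
+The file contains keyword-argument pairs, one per line.
+Lines starting with
+.Ql #
+@@ -742,11 +765,12 @@ elapsed.
+.It Cm ForwardX11Trusted
+If this option is set to
+.Cm yes ,
++(the Debian-specific default),
+remote X11 clients will have full access to the original X11 display.
+.Pp
+If this option is set to
+.Cm no
+-(the default),
++(the upstream default),
+remote X11 clients will be considered untrusted and prevented
+from stealing or tampering with data belonging to trusted X11
+clients.
+diff --git a/sshd_config b/sshd_config
+index 2c48105f8..459c1b230 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -10,6 +10,8 @@
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+-# Change to no to disable s/key passwords
+-#ChallengeResponseAuthentication yes
++# Change to yes to enable challenge-response passwords (beware issues with
++# some PAM modules and threads)
++ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+-#X11Forwarding no
++X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+-#PrintMotd yes
++PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+# no default banner path
+#Banner none
+
++# Allow client to pass locale environment variables
++AcceptEnv LANG LC_*
++
+# override default of no subsystems
+-Subsystem sftp /usr/libexec/sftp-server
++Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+diff --git a/sshd_config.5 b/sshd_config.5
+index 32ae46476..472001dd1 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
+.Pq \&"
+in order to represent arguments containing spaces.
+.Pp
++Note that the Debian
++.Ic openssh-server
++package sets several options as standard in
++.Pa /etc/ssh/sshd_config
++which are not the default in
++.Xr sshd 8 :
++.Pp
++.Bl -bullet -offset indent -compact
++.It
++.Cm Include /etc/ssh/sshd_config.d/*.conf
++.It
++.Cm ChallengeResponseAuthentication No no
++.It
++.Cm X11Forwarding No yes
++.It
++.Cm PrintMotd No no
++.It
++.Cm AcceptEnv No LANG LC_*
++.It
++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
++.It
++.Cm UsePAM No yes
++.El
++.Pp
++.Pa /etc/ssh/sshd_config.d/*.conf
++files are included at the start of the configuration file, so options set
++there will override those in
++.Pa /etc/ssh/sshd_config.
++.Pp
+The possible
+keywords and their meanings are as follows (note that
+keywords are case-insensitive and arguments are case-sensitive):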
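Review bot: The readconf.c part of the embedded patch flips the compiled-in ForwardX11Trusted default to 1 with no comment at the assignment, so a maintainer reading fill_default_options sees an unexplained divergence from upstream while the rationale lives only in the patch header and the ssh.1 text. A one-line comment above the changed line would tie them together, e.g. `/* Debian: trusted X11 forwarding by default, so -X skips the X11 SECURITY restrictions; see ssh_config(5) and Debian #237021 */`. It is worth stating in that same comment that `-X` therefore behaves like `-Y` under this default, since that is the effect users actually notice and the ssh.1 addition already documents it. fill_default_options starts and ends outside the embedded hunk, so the surrounding defaults are not visible here.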