1 files changed, 146 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..e804aa526
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,146 @@
+Description: Various Debian-specific configuration changes
+ ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+ fewer problems with existing setups (http://bugs.debian.org/237021).
+ .
+ ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ .
+ ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+ worms.
+ .
+ ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+ default.
+ .
+ sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+ PermitRootLogin default.
+ .
+ Document all of this, along with several sshd defaults set in
+ debian/openssh-server.postinst.
+Author: Colin Watson <cjwatson@debian.org>
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2010-02-28
+Index: b/readconf.c
+===================================================================
+--- a/readconf.c
+++ b/readconf.c
+@@ -1223,7 +1223,7 @@
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        if (options->exit_on_forward_failure == -1)
+Index: b/ssh_config
+===================================================================
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -47,3 +48,7 @@
+ #   PermitLocalCommand no
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+Index: b/ssh_config.5
+===================================================================
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -71,6 +71,22 @@
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -482,7 +498,8 @@
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
+.Dq yes
+(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
+++ b/sshd_config
+@@ -37,6 +37,7 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+# See /usr/share/doc/openssh-server/README.Debian.gz.
+ #PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,33 @@
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..e804aa526 --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,146 @@
	1	Description: Various Debian-specific configuration changes
	2	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	3	fewer problems with existing setups (http://bugs.debian.org/237021).
	4	.
	5	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	6	.
	7	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	8	worms.
	9	.
	10	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	11	default.
	12	.
	13	sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
	14	PermitRootLogin default.
	15	.
	16	Document all of this, along with several sshd defaults set in
	17	debian/openssh-server.postinst.
	18	Author: Colin Watson <cjwatson@debian.org>
	19	Author: Russ Allbery <rra@debian.org>
	20	Forwarded: not-needed
	21	Last-Update: 2010-02-28
	22
	23	Index: b/readconf.c
	24	===================================================================
	25	--- a/readconf.c
	26	+++ b/readconf.c
	27	@@ -1223,7 +1223,7 @@
	28	if (options->forward_x11 == -1)
	29	options->forward_x11 = 0;
	30	if (options->forward_x11_trusted == -1)
	31	- options->forward_x11_trusted = 0;
	32	+ options->forward_x11_trusted = 1;
	33	if (options->forward_x11_timeout == -1)
	34	options->forward_x11_timeout = 1200;
	35	if (options->exit_on_forward_failure == -1)
	36	Index: b/ssh_config
	37	===================================================================
	38	--- a/ssh_config
	39	+++ b/ssh_config
	40	@@ -17,9 +17,10 @@
	41	# list of available options, their meanings and defaults, please see the
	42	# ssh_config(5) man page.
	43
	44	-# Host *
	45	+Host *
	46	# ForwardAgent no
	47	# ForwardX11 no
	48	+# ForwardX11Trusted yes
	49	# RhostsRSAAuthentication no
	50	# RSAAuthentication yes
	51	# PasswordAuthentication yes
	52	@@ -47,3 +48,7 @@
	53	# PermitLocalCommand no
	54	# VisualHostKey no
	55	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	56	+ SendEnv LANG LC_*
	57	+ HashKnownHosts yes
	58	+ GSSAPIAuthentication yes
	59	+ GSSAPIDelegateCredentials no
	60	Index: b/ssh_config.5
	61	===================================================================
	62	--- a/ssh_config.5
	63	+++ b/ssh_config.5
	64	@@ -71,6 +71,22 @@
	65	host-specific declarations should be given near the beginning of the
	66	file, and general defaults at the end.
	67	.Pp
	68	+Note that the Debian
	69	+.Ic openssh-client
	70	+package sets several options as standard in
	71	+.Pa /etc/ssh/ssh_config
	72	+which are not the default in
	73	+.Xr ssh 1 :
	74	+.Pp
	75	+.Bl -bullet -offset indent -compact
	76	+.It
	77	+.Cm SendEnv No LANG LC_*
	78	+.It
	79	+.Cm HashKnownHosts No yes
	80	+.It
	81	+.Cm GSSAPIAuthentication No yes
	82	+.El
	83	+.Pp
	84	The configuration file has the following format:
	85	.Pp
	86	Empty lines and lines starting with
	87	@@ -482,7 +498,8 @@
	88	Remote clients will be refused access after this time.
	89	.Pp
	90	The default is
	91	-.Dq no .
	92	+.Dq yes
	93	+(Debian-specific).
	94	.Pp
	95	See the X11 SECURITY extension specification for full details on
	96	the restrictions imposed on untrusted clients.
	97	Index: b/sshd_config
	98	===================================================================
	99	--- a/sshd_config
	100	+++ b/sshd_config
	101	@@ -37,6 +37,7 @@
	102	# Authentication:
	103
	104	#LoginGraceTime 2m
	105	+# See /usr/share/doc/openssh-server/README.Debian.gz.
	106	#PermitRootLogin yes
	107	#StrictModes yes
	108	#MaxAuthTries 6
	109	Index: b/sshd_config.5
	110	===================================================================
	111	--- a/sshd_config.5
	112	+++ b/sshd_config.5
	113	@@ -57,6 +57,33 @@
	114	.Pq \&"
	115	in order to represent arguments containing spaces.
	116	.Pp
	117	+Note that the Debian
	118	+.Ic openssh-server
	119	+package sets several options as standard in
	120	+.Pa /etc/ssh/sshd_config
	121	+which are not the default in
	122	+.Xr sshd 8 .
	123	+The exact list depends on whether the package was installed fresh or
	124	+upgraded from various possible previous versions, but includes at least the
	125	+following:
	126	+.Pp
	127	+.Bl -bullet -offset indent -compact
	128	+.It
	129	+.Cm Protocol No 2
	130	+.It
	131	+.Cm ChallengeResponseAuthentication No no
	132	+.It
	133	+.Cm X11Forwarding No yes
	134	+.It
	135	+.Cm PrintMotd No no
	136	+.It
	137	+.Cm AcceptEnv No LANG LC_*
	138	+.It
	139	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	140	+.It
	141	+.Cm UsePAM No yes
	142	+.El
	143	+.Pp
	144	The possible
	145	keywords and their meanings are as follows (note that
	146	keywords are case-insensitive and arguments are case-sensitive):