summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/NEWS6
-rw-r--r--debian/changelog14
-rw-r--r--debian/control1
-rw-r--r--debian/openssh-server.config13
-rw-r--r--debian/openssh-server.examples1
-rwxr-xr-xdebian/openssh-server.install3
-rw-r--r--debian/openssh-server.postinst195
-rw-r--r--debian/openssh-server.postrm10
-rw-r--r--debian/openssh-server.ucf-md5sum48
-rw-r--r--debian/patches/debian-config.patch71
11 files changed, 167 insertions, 199 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 5452ac780..f530b3269 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
22103d3e5566c54e08a59be750579a249e46747d7 2af54c22db774b37a15df5e599d08a83d4bbe5079
32103d3e5566c54e08a59be750579a249e46747d7 3af54c22db774b37a15df5e599d08a83d4bbe5079
4971a7653746a6972b907dfe0ce139c06e4a6f482 4971a7653746a6972b907dfe0ce139c06e4a6f482
5971a7653746a6972b907dfe0ce139c06e4a6f482 5971a7653746a6972b907dfe0ce139c06e4a6f482
6openssh_7.4p1.orig.tar.gz 6openssh_7.4p1.orig.tar.gz
diff --git a/debian/NEWS b/debian/NEWS
index 3a331e1fd..590aa664b 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -27,6 +27,12 @@ openssh (1:7.4p1-1) UNRELEASED; urgency=medium
27 * sshd(8): Remove the UseLogin configuration directive and support for 27 * sshd(8): Remove the UseLogin configuration directive and support for
28 having /bin/login manage login sessions. 28 having /bin/login manage login sessions.
29 29
30 The unprivileged sshd process that deals with pre-authentication network
31 traffic is now subject to additional sandboxing restrictions by default:
32 that is, the default sshd_config now sets UsePrivilegeSeparation to
33 "sandbox" rather than "yes". This has been the case upstream for a while,
34 but until now the Debian configuration diverged unnecessarily.
35
30 -- Colin Watson <cjwatson@debian.org> Tue, 20 Dec 2016 22:21:15 +0000 36 -- Colin Watson <cjwatson@debian.org> Tue, 20 Dec 2016 22:21:15 +0000
31 37
32openssh (1:7.2p1-1) unstable; urgency=medium 38openssh (1:7.2p1-1) unstable; urgency=medium
diff --git a/debian/changelog b/debian/changelog
index c24cdc60b..80e03947f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -118,6 +118,20 @@ openssh (1:7.4p1-1) UNRELEASED; urgency=medium
118 * Remove entries related to protocol 1 from the default sshd_config 118 * Remove entries related to protocol 1 from the default sshd_config
119 generated on new installations. 119 generated on new installations.
120 * Remove some advice related to protocol 1 from README.Debian. 120 * Remove some advice related to protocol 1 from README.Debian.
121 * Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
122 for this is to deal with deprecations of options related to protocol 1,
123 but something like this has been needed for a long time (closes:
124 #419574, #848089):
125 - sshd_config is now a slightly-patched version of upstream's, and only
126 contains non-default settings (closes: #147201).
127 - I've included as many historical md5sums of default versions of
128 sshd_config as I could reconstruct from version control, but I'm sure
129 I've missed some.
130 - Explicitly synchronise the debconf database with the current
131 configuration file state in openssh-server.config, to ensure that the
132 PermitRootLogin setting is properly preserved.
133 - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
134 than "yes", per upstream.
121 135
122 -- Colin Watson <cjwatson@debian.org> Mon, 05 Dec 2016 19:31:33 +0000 136 -- Colin Watson <cjwatson@debian.org> Mon, 05 Dec 2016 19:31:33 +0000
123 137
diff --git a/debian/control b/debian/control
index 98361086f..828d36269 100644
--- a/debian/control
+++ b/debian/control
@@ -109,6 +109,7 @@ Depends: adduser (>= 3.9),
109 openssh-client (= ${binary:Version}), 109 openssh-client (= ${binary:Version}),
110 openssh-sftp-server, 110 openssh-sftp-server,
111 procps, 111 procps,
112 ucf (>= 0.28),
112 ${misc:Depends}, 113 ${misc:Depends},
113 ${shlibs:Depends}, 114 ${shlibs:Depends},
114Recommends: libpam-systemd, 115Recommends: libpam-systemd,
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
index dbde2cbb0..67a074ec2 100644
--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -16,8 +16,19 @@ get_config_option() {
16 /etc/ssh/sshd_config 2>/dev/null 16 /etc/ssh/sshd_config 2>/dev/null
17} 17}
18 18
19permit_root_login="$(get_config_option PermitRootLogin)"
20if [ -f /etc/ssh/sshd_config ]; then
21 # Make sure the debconf database is in sync with the current state
22 # of the system.
23 if [ "$permit_root_login" = yes ]; then
24 db_set openssh-server/permit-root-login false
25 else
26 db_set openssh-server/permit-root-login true
27 fi
28fi
29
19if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \ 30if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
20 [ "$(get_config_option PermitRootLogin)" = yes ]; then 31 [ "$permit_root_login" = yes ]; then
21 if [ "$(getent shadow root | cut -d: -f2)" = "!" ]; then 32 if [ "$(getent shadow root | cut -d: -f2)" = "!" ]; then
22 db_set openssh-server/permit-root-login true 33 db_set openssh-server/permit-root-login true
23 else 34 else
diff --git a/debian/openssh-server.examples b/debian/openssh-server.examples
index ef6eb5468..9f15e1fa7 100644
--- a/debian/openssh-server.examples
+++ b/debian/openssh-server.examples
@@ -1,2 +1 @@
1sshd_config
2debian/systemd/ssh-session-cleanup.service debian/systemd/ssh-session-cleanup.service
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index f696de231..7fdf609a7 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -5,6 +5,9 @@ usr/share/man/man5/authorized_keys.5
5usr/share/man/man5/sshd_config.5 5usr/share/man/man5/sshd_config.5
6usr/share/man/man8/sshd.8 6usr/share/man/man8/sshd.8
7 7
8sshd_config => usr/share/openssh/sshd_config
9debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
10
8debian/openssh-server.if-up => etc/network/if-up.d/openssh-server 11debian/openssh-server.if-up => etc/network/if-up.d/openssh-server
9debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server 12debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
10debian/systemd/ssh.socket lib/systemd/system 13debian/systemd/ssh.socket lib/systemd/system
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 5635a60a6..391efc43b 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -23,56 +23,6 @@ get_config_option() {
23} 23}
24 24
25 25
26set_config_option() {
27 option="$1"
28 value="$2"
29
30 perl -le '
31 $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
32 while (<STDIN>) {
33 chomp;
34 (my $match = $_) =~ s/\s+/ /g;
35 if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
36 $_ = $match;
37 $done = 1;
38 }
39 print;
40 }
41 print "$option $value" unless $done;' \
42 "$option" "$value" \
43 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
44 chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
45 chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
46 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
47}
48
49
50rename_config_option() {
51 oldoption="$1"
52 newoption="$2"
53
54 value="$(get_config_option "$oldoption")"
55 [ "$value" ] || return 0
56
57 perl -le '
58 $oldoption = $ARGV[0]; $newoption = $ARGV[1];
59 while (<STDIN>) {
60 chomp;
61 (my $match = $_) =~ s/\s+/ /g;
62 # TODO: actually only one "=" allowed after option
63 if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
64 $_ = $match;
65 }
66 print;
67 }' \
68 "$oldoption" "$newoption" \
69 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
70 chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
71 chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
72 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
73}
74
75
76host_keys_required() { 26host_keys_required() {
77 hostkeys="$(get_config_option HostKey)" 27 hostkeys="$(get_config_option HostKey)"
78 if [ "$hostkeys" ]; then 28 if [ "$hostkeys" ]; then
@@ -122,137 +72,24 @@ create_keys() {
122} 72}
123 73
124 74
125fix_loglevel_silent() {
126 if [ "$(get_config_option LogLevel)" = SILENT ]; then
127 set_config_option LogLevel QUIET
128 fi
129}
130
131
132update_server_key_bits() {
133 if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
134 set_config_option ServerKeyBits 1024
135 fi
136}
137
138
139create_sshdconfig() { 75create_sshdconfig() {
140 if [ -e /etc/ssh/sshd_config ] ; then 76 # XXX cjwatson 2016-12-24: This debconf template is very confusingly
141 # Upgrade an existing sshd configuration. 77 # named; its description is "Disable SSH password authentication for
142 78 # root?", so true -> prohibit-password (the upstream default),
143 # This option was renamed in 3.8p1, but we never took care 79 # false -> yes.
144 # of adjusting the configuration file until now. 80 db_get openssh-server/permit-root-login
145 if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then 81 permit_root_login="$RET"
146 rename_config_option KeepAlive TCPKeepAlive 82
147 fi 83 new_config="$(tempfile)"
148 84 cp -a /usr/share/openssh/sshd_config "$new_config"
149 # 'LogLevel SILENT' is now equivalent to QUIET. 85 if [ "$permit_root_login" != true ]; then
150 if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then 86 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
151 fix_loglevel_silent 87 "$new_config"
152 fi
153
154 # Changed upstream in 5.1p1, but we forgot to update the
155 # package-generated configuration file until now.
156 if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
157 update_server_key_bits
158 fi
159
160 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
161 [ "$(get_config_option PermitRootLogin)" = yes ] &&
162 db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
163 set_config_option PermitRootLogin prohibit-password
164 fi
165
166 if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
167 [ "$(get_config_option PermitRootLogin)" = without-password ]; then
168 set_config_option PermitRootLogin prohibit-password
169 fi
170
171 return 0
172 fi 88 fi
173 89 ucf --three-way --debconf-ok \
174 cat <<EOF > /etc/ssh/sshd_config 90 --sum-file /usr/share/openssh/sshd_config.md5sum \
175# Package generated configuration file 91 "$new_config" /etc/ssh/sshd_config
176# See the sshd_config(5) manpage for details 92 ucfr openssh-server /etc/ssh/sshd_config
177
178# What ports, IPs and protocols we listen for
179Port 22
180# Use these options to restrict which interfaces/protocols sshd will bind to
181#ListenAddress ::
182#ListenAddress 0.0.0.0
183Protocol 2
184# HostKeys for protocol version 2
185HostKey /etc/ssh/ssh_host_rsa_key
186HostKey /etc/ssh/ssh_host_ecdsa_key
187HostKey /etc/ssh/ssh_host_ed25519_key
188#Privilege Separation is turned on for security
189UsePrivilegeSeparation yes
190
191# Logging
192SyslogFacility AUTH
193LogLevel INFO
194
195# Authentication:
196LoginGraceTime 120
197PermitRootLogin prohibit-password
198StrictModes yes
199
200PubkeyAuthentication yes
201#AuthorizedKeysFile %h/.ssh/authorized_keys
202
203# Don't read the user's ~/.rhosts and ~/.shosts files
204IgnoreRhosts yes
205# For this to work you will also need host keys in /etc/ssh_known_hosts
206HostbasedAuthentication no
207# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
208#IgnoreUserKnownHosts yes
209
210# To enable empty passwords, change to yes (NOT RECOMMENDED)
211PermitEmptyPasswords no
212
213# Change to yes to enable challenge-response passwords (beware issues with
214# some PAM modules and threads)
215ChallengeResponseAuthentication no
216
217# Change to no to disable tunnelled clear text passwords
218#PasswordAuthentication yes
219
220# Kerberos options
221#KerberosAuthentication no
222#KerberosGetAFSToken no
223#KerberosOrLocalPasswd yes
224#KerberosTicketCleanup yes
225
226# GSSAPI options
227#GSSAPIAuthentication no
228#GSSAPICleanupCredentials yes
229
230X11Forwarding yes
231X11DisplayOffset 10
232PrintMotd no
233PrintLastLog yes
234TCPKeepAlive yes
235#UseLogin no
236
237#MaxStartups 10:30:60
238#Banner /etc/issue.net
239
240# Allow client to pass locale environment variables
241AcceptEnv LANG LC_*
242
243Subsystem sftp /usr/lib/openssh/sftp-server
244
245# Set this to 'yes' to enable PAM authentication, account processing,
246# and session processing. If this is enabled, PAM authentication will
247# be allowed through the ChallengeResponseAuthentication and
248# PasswordAuthentication. Depending on your PAM configuration,
249# PAM authentication via ChallengeResponseAuthentication may bypass
250# the setting of "PermitRootLogin without-password".
251# If you just want the PAM account and session checks to run without
252# PAM authentication, then enable this but set PasswordAuthentication
253# and ChallengeResponseAuthentication to 'no'.
254UsePAM yes
255EOF
256} 93}
257 94
258fix_statoverride() { 95fix_statoverride() {
diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
index 88e28a91e..ff16e5619 100644
--- a/debian/openssh-server.postrm
+++ b/debian/openssh-server.postrm
@@ -14,7 +14,15 @@ case $1 in
14 rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub 14 rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
15 rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub 15 rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub
16 rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub 16 rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub
17 rm -f /etc/ssh/sshd_config 17 for ext in .ucf-new .ucf-old .ucf-dist ""; do
18 rm -f "/etc/ssh/sshd_config$ext"
19 done
20 if which ucf >/dev/null 2>&1; then
21 ucf --purge /etc/ssh/sshd_config
22 fi
23 if which ucfr >/dev/null 2>&1; then
24 ucfr --purge openssh-server /etc/ssh/sshd_config
25 fi
18 rm -f /etc/ssh/sshd_not_to_be_run 26 rm -f /etc/ssh/sshd_not_to_be_run
19 rmdir --ignore-fail-on-non-empty /etc/ssh 27 rmdir --ignore-fail-on-non-empty /etc/ssh
20 28
diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
new file mode 100644
index 000000000..c9c89d429
--- /dev/null
+++ b/debian/openssh-server.ucf-md5sum
@@ -0,0 +1,48 @@
1# Historical md5sums of the default /etc/ssh/sshd_config up to and including
2# 1:7.3p1-5.
30d06fc337cee10609d4833dc88df740f
410dc68360f6658910a98a051273de22c
511f9e107b4d13bbcabe7f8e8da734371
616c827adcff44efaca05ec5eea6383d7
72eeff28468576c3f2e538314e177687b
8386c8b9079625b78f6d624ae506958ae
938fc7b31b3e3078848f0eec457d3e050
10395c5e13801f9b4f17c2cb54aa634fbd
11423d5796cee663af2d0f24c4d520b578
1242be2cb5b64bc91443b2e46969d2d539
1342cd8b7c5ea9e440d3efa50b9a1bb444
144f56ca8d0b5dfdaeb732becd3292ce5d
1554998a682a97af8449e9de0316eacf1d
165c0bdc1735accbdc062381149937ec4a
176357b54acf8e089c57544e06d1bbec53
186a621d8bc448987e5a8a613c40307a4c
19702a79962e60aa17c6d3df742e8ec670
207a69eff91ec92b4e065b8dd8846366b2
217c60e22f183b6219c684f15ce24153fd
228304e780c43d4a606f695c8965f48299
238b9e70ee87f4b822714e2ed7af5b70dc
248caefdd9e251b7cc1baa37874149a870
2590baeb1c778464d2da610f8268939719
26962a382e51f43f80109131838ca326ba
2796eaf22faba705a37905282f6ad69d64
289cb6cd83be1c21f73476be629b163c01
29a07a9865cd33b85a1426cd67954c6fa0
30ae1e844b43986e2a964cf84f46b50c5b
31b516afa5a1e298f4cd00952b36dd623f
32b69fc974ee9b5a111bd473ef54cdd232
33ba9c3f808c811d6f944ad10a508c4767
34bccf9af9c7027afd0895d8ff8e02761a
35bd3a2b95f8b4b180eed707794ad81e4d
36c34586b56496f81a10615c002685fc74
37c47555a21189a6b703d2c5d37d2c50ed
38cac079e87c0ae0d77eafc9b285e36348
39d224f92823483333432974f63cb6dc66
40d50ef9ef2aa51cb9f808f6a776260c0a
41e0029e1e9871d4d2b673ee6d70a38614
42e086e7eb521ccc5776371b2e198f0702
43e101f74dc7381527e9aefa1f78b01a7f
44e24f749808133a27d94fda84a89bb27b
45ec16c3dd0203f13885d74ce529719fda
46efcff5380823d4e3f5039620c2e08459
47f58056370a64dbd2017d7486421c281d
48fe396d52df77f1fbf710591d4dbf3311
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 8129c1e58..65175d589 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001 1From af54c22db774b37a15df5e599d08a83d4bbe5079 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -14,12 +14,20 @@ worms.
14ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by 14ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
15default. 15default.
16 16
17Document all of this, along with several sshd defaults set in 17sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
18debian/openssh-server.postinst. 18PrintMotd.
19
20sshd: Enable X11Forwarding.
21
22sshd: Set 'AcceptEnv LANG LC_*' by default.
23
24sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
25
26Document all of this.
19 27
20Author: Russ Allbery <rra@debian.org> 28Author: Russ Allbery <rra@debian.org>
21Forwarded: not-needed 29Forwarded: not-needed
22Last-Update: 2015-12-07 30Last-Update: 2016-12-24
23 31
24Patch-Name: debian-config.patch 32Patch-Name: debian-config.patch
25--- 33---
@@ -27,9 +35,9 @@ Patch-Name: debian-config.patch
27 ssh.1 | 21 +++++++++++++++++++++ 35 ssh.1 | 21 +++++++++++++++++++++
28 ssh_config | 7 ++++++- 36 ssh_config | 7 ++++++-
29 ssh_config.5 | 19 ++++++++++++++++++- 37 ssh_config.5 | 19 ++++++++++++++++++-
30 sshd_config | 2 +- 38 sshd_config | 16 ++++++++++------
31 sshd_config.5 | 25 +++++++++++++++++++++++++ 39 sshd_config.5 | 22 ++++++++++++++++++++++
32 6 files changed, 72 insertions(+), 4 deletions(-) 40 6 files changed, 78 insertions(+), 9 deletions(-)
33 41
34diff --git a/readconf.c b/readconf.c 42diff --git a/readconf.c b/readconf.c
35index c02cdf63..d1091cbd 100644 43index c02cdf63..d1091cbd 100644
@@ -149,12 +157,48 @@ index 40617be4..8dce757e 100644
149 from stealing or tampering with data belonging to trusted X11 157 from stealing or tampering with data belonging to trusted X11
150 clients. 158 clients.
151diff --git a/sshd_config b/sshd_config 159diff --git a/sshd_config b/sshd_config
152index 00e5a728..c0b84f8e 100644 160index 00e5a728..13cbe2c6 100644
153--- a/sshd_config 161--- a/sshd_config
154+++ b/sshd_config 162+++ b/sshd_config
155@@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys 163@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
164 #PasswordAuthentication yes
165 #PermitEmptyPasswords no
166
167-# Change to no to disable s/key passwords
168-#ChallengeResponseAuthentication yes
169+# Change to yes to enable challenge-response passwords (beware issues with
170+# some PAM modules and threads)
171+ChallengeResponseAuthentication no
172
173 # Kerberos options
174 #KerberosAuthentication no
175@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
176 # If you just want the PAM account and session checks to run without
177 # PAM authentication, then enable this but set PasswordAuthentication
178 # and ChallengeResponseAuthentication to 'no'.
179-#UsePAM no
180+UsePAM yes
181
182 #AllowAgentForwarding yes
183 #AllowTcpForwarding yes
184 #GatewayPorts no
185-#X11Forwarding no
186+X11Forwarding yes
187 #X11DisplayOffset 10
188 #X11UseLocalhost yes
189 #PermitTTY yes
190-#PrintMotd yes
191+PrintMotd no
192 #PrintLastLog yes
193 #TCPKeepAlive yes
194 #UseLogin no
195@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys
196 # no default banner path
156 #Banner none 197 #Banner none
157 198
199+# Allow client to pass locale environment variables
200+AcceptEnv LANG LC_*
201+
158 # override default of no subsystems 202 # override default of no subsystems
159-Subsystem sftp /usr/libexec/sftp-server 203-Subsystem sftp /usr/libexec/sftp-server
160+Subsystem sftp /usr/lib/openssh/sftp-server 204+Subsystem sftp /usr/lib/openssh/sftp-server
@@ -162,10 +206,10 @@ index 00e5a728..c0b84f8e 100644
162 # Example of overriding settings on a per-user basis 206 # Example of overriding settings on a per-user basis
163 #Match User anoncvs 207 #Match User anoncvs
164diff --git a/sshd_config.5 b/sshd_config.5 208diff --git a/sshd_config.5 b/sshd_config.5
165index e45a8937..d6911a98 100644 209index e45a8937..703a9cdd 100644
166--- a/sshd_config.5 210--- a/sshd_config.5
167+++ b/sshd_config.5 211+++ b/sshd_config.5
168@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 212@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
169 .Pq \&" 213 .Pq \&"
170 in order to represent arguments containing spaces. 214 in order to represent arguments containing spaces.
171 .Pp 215 .Pp
@@ -174,10 +218,7 @@ index e45a8937..d6911a98 100644
174+package sets several options as standard in 218+package sets several options as standard in
175+.Pa /etc/ssh/sshd_config 219+.Pa /etc/ssh/sshd_config
176+which are not the default in 220+which are not the default in
177+.Xr sshd 8 . 221+.Xr sshd 8 :
178+The exact list depends on whether the package was installed fresh or
179+upgraded from various possible previous versions, but includes at least the
180+following:
181+.Pp 222+.Pp
182+.Bl -bullet -offset indent -compact 223+.Bl -bullet -offset indent -compact
183+.It 224+.It