From 44f0937b56758f662ff388d474213107e3290863 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery Forwarded: not-needed Last-Update: 2014-11-06 Patch-Name: debian-config.patch --- ssh_config.5 | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index a1005ba3d..598576997 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -71,6 +71,26 @@ Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. .Pp +Note that the Debian +.Ic openssh-client +package sets several options as standard in +.Pa /etc/ssh/ssh_config +which are not the default in +.Xr ssh 1 : +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm SendEnv No LANG Xo +.No LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT +.No LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME +.No LC_ALL +.Xc +.It +.Cm HashKnownHosts No yes +.It +.Cm GSSAPIAuthentication No yes +.El +.Pp The configuration file has the following format: .Pp Empty lines and lines starting with @@ -673,7 +693,8 @@ token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. .Pp The default is -.Dq no . +.Dq yes +(Debian-specific). .Pp See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. -- cgit v1.2.3