summaryrefslogtreecommitdiff
path: root/debian/patches/debian-config.patch
blob: 45a8364ca6419b9896e574a67ddad983b0a36b3c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
Description: Various Debian-specific configuration changes
 ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
 fewer problems with existing setups (http://bugs.debian.org/237021).
 .
 ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
 .
 ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
 worms.
 .
 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
 default.
 .
 sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
 PermitRootLogin default.
 .
 Document all of this, along with several sshd defaults set in
 debian/openssh-server.postinst.
Author: Colin Watson <cjwatson@debian.org>
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2013-05-16

Index: b/readconf.c
===================================================================
--- a/readconf.c
+++ b/readconf.c
@@ -1288,7 +1288,7 @@
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
+		options->forward_x11_trusted = 1;
 	if (options->forward_x11_timeout == -1)
 		options->forward_x11_timeout = 1200;
 	if (options->exit_on_forward_failure == -1)
Index: b/ssh_config
===================================================================
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -47,3 +48,7 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
Index: b/ssh_config.5
===================================================================
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -502,7 +518,8 @@
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
Index: b/sshd_config
===================================================================
--- a/sshd_config
+++ b/sshd_config
@@ -37,6 +37,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
+# See /usr/share/doc/openssh-server/README.Debian.gz.
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
Index: b/sshd_config.5
===================================================================
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,33 @@
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):