Commit 4847e512 authored by Colin Watson's avatar Colin Watson

Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04

Patch-Name: debian-config.patch
parent ba3f6b85
......@@ -1940,7 +1940,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
options->forward_x11_trusted = 0;
options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
......
......@@ -764,6 +764,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
restrictions by default, because too many programs currently crash in this
mode.
Set the
.Cm ForwardX11Trusted
option to
.Dq no
to restore the upstream behaviour.
This may change in future depending on client-side improvements.)
.Pp
.It Fl x
Disables X11 forwarding.
.Pp
......@@ -772,6 +782,17 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
(Debian-specific: This option does nothing in the default configuration: it
is equivalent to
.Dq Cm ForwardX11Trusted No yes ,
which is the default as described above.
Set the
.Cm ForwardX11Trusted
option to
.Dq no
to restore the upstream behaviour.
This may change in future depending on client-side improvements.)
.Pp
.It Fl y
Send log information using the
.Xr syslog 3
......
......@@ -17,9 +17,10 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
......@@ -46,3 +47,6 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
......@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
Note that the Debian
.Ic openssh-client
package sets several options as standard in
.Pa /etc/ssh/ssh_config
which are not the default in
.Xr ssh 1 :
.Pp
.Bl -bullet -offset indent -compact
.It
.Cm SendEnv No LANG LC_*
.It
.Cm HashKnownHosts No yes
.It
.Cm GSSAPIAuthentication No yes
.El
.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
......@@ -683,11 +699,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
(the default),
(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
......
......@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
......@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
......@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
......
......@@ -55,6 +55,28 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
Note that the Debian
.Ic openssh-server
package sets several options as standard in
.Pa /etc/ssh/sshd_config
which are not the default in
.Xr sshd 8 :
.Pp
.Bl -bullet -offset indent -compact
.It
.Cm ChallengeResponseAuthentication No no
.It
.Cm X11Forwarding No yes
.It
.Cm PrintMotd No no
.It
.Cm AcceptEnv No LANG LC_*
.It
.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
.It
.Cm UsePAM No yes
.El
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment