Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-21

Patch-Name: debian-config.patch
Gbp-Pq: Name debian-config.patch
This commit is contained in:
parent beb50438f4
commit f8f63fbd2c
@ -2087,7 +2087,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
options->forward_x11_trusted = 0;
options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
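Review bot: flipping the compiled-in default of forward_x11_trusted from 0 to 1 changes the security posture of plain `ssh -X` for every user whose configuration never mentions ForwardX11Trusted, because trusted forwarding gives the remote side full access to the local display (the ssh_config.5 hunk's own wording). The sample /etc/ssh/ssh_config in this patch ships the setting commented out, so this one line in readconf.c is the only place the divergence from upstream lives; add a comment here naming the reason and the bug the commit message cites (http://bugs.debian.org/237021), so the next person touching fill_default_options knows why the value differs from upstream and can check whether the crash-prone programs that justified it still exist.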
ssh.1 (24 lines changed)
@ -809,6 +809,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
restrictions by default, because too many programs currently crash in this
mode.
Set the
.Cm ForwardX11Trusted
option to
.Dq no
to restore the upstream behaviour.
This may change in future depending on client-side improvements.)
.Pp
.It Fl x
Disables X11 forwarding.
.Pp
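Review bot: the added paragraph gives its rationale ("too many programs currently crash in this mode") without a reference, while the commit message cites http://bugs.debian.org/237021; naming the bug here would let a reader judge whether the caveat is still current, which matters because the paragraph itself says the default may change. The practical consequence for users of -X is that the X11 SECURITY extension no longer limits what the remote side can do with the local display; the paragraph says this indirectly ("not subjected to ... restrictions") and would be clearer if it said plainly that under this default -X behaves like -Y.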
@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
(Debian-specific: In the default configuration, this option is equivalent to
.Fl X ,
since
.Cm ForwardX11Trusted
defaults to
.Dq yes
as described above.
Set the
.Cm ForwardX11Trusted
option to
.Dq no
to restore the upstream behaviour.
This may change in future depending on client-side improvements.)
.Pp
.It Fl y
Send log information using the
.Xr syslog 3
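Review bot: the sentences from "Set the .Cm ForwardX11Trusted option to .Dq no" through "client-side improvements.)" are repeated verbatim from the -X paragraph in the previous hunk; keep them in one place and have the other paragraph refer to it, otherwise the two copies will drift when the default is eventually changed back. The first sentence of this paragraph is the one that matters to users and is correct: with the Debian default, -X grants the same unrestricted display access as -Y, so the distinction upstream draws between the two flags disappears unless ForwardX11Trusted is set to no.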
@ -17,9 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
Include /etc/ssh/ssh_config.d/*.conf
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
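Review bot: the `Include /etc/ssh/ssh_config.d/*.conf` line is placed above `Host *` on purpose, because ssh keeps the first value it obtains for each option, so a drop-in wins over anything in this file; the ssh_config.5 hunk documents that, but the file itself does not, and an administrator who appends a setting to /etc/ssh/ssh_config will not see why a drop-in silently overrides it. Suggest a one-line comment above the Include saying that files there take precedence. Separately, the commented `# GSSAPIAuthentication no` still shows the upstream default while the end of this file now sets `GSSAPIAuthentication yes`; either drop the commented line or change it so the file does not contradict itself.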
@ -45,3 +48,6 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
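Review bot: `HashKnownHosts yes` is a reasonable default against malware that harvests hostnames from known_hosts, but it has an operational cost the comment block should mention: entries can no longer be found or removed by reading the file, only with `ssh-keygen -F host` and `ssh-keygen -R host`, and entries that already exist stay unhashed until the file is rewritten with `ssh-keygen -H`. `GSSAPIAuthentication yes` makes the client offer gssapi-with-mic to every server it contacts; it does not forward Kerberos credentials, because GSSAPIDelegateCredentials keeps its default of no, and saying so next to the line would stop someone "completing" the setting by enabling delegation. `SendEnv LANG LC_*` only has an effect on servers that AcceptEnv the same names, which the sshd_config hunk arranges for Debian servers.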
ssh_config.5 (26 lines changed)
@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
Note that the Debian
.Ic openssh-client
package sets several options as standard in
.Pa /etc/ssh/ssh_config
which are not the default in
.Xr ssh 1 :
.Pp
.Bl -bullet -offset indent -compact
.It
.Cm Include /etc/ssh/ssh_config.d/*.conf
.It
.Cm SendEnv No LANG LC_*
.It
.Cm HashKnownHosts No yes
.It
.Cm GSSAPIAuthentication No yes
.El
.Pp
.Pa /etc/ssh/ssh_config.d/*.conf
files are included at the start of the system-wide configuration file, so
options set there will override those in
.Pa /etc/ssh/ssh_config.
.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
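Review bot: `.Pa /etc/ssh/ssh_config.` puts the sentence's full stop inside the .Pa argument, so it renders as part of the path; mdoc convention is to pass punctuation as a separate trailing argument, `.Pa /etc/ssh/ssh_config .`, which is how the same hunk already handles `.Xr ssh 1 :`. The precedence statement itself is correct: because ssh keeps the first value obtained and the Include sits at the top of the file, a setting in ssh_config.d overrides the same setting in ssh_config. It would help administrators to add that the same rule applies between two drop-ins, where the file that sorts first wins.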
@ -729,11 +752,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
(the default),
(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
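Review bot: the `yes` branch now reads `.Cm yes ,` followed by `(the Debian-specific default),`, which renders as "yes, (the Debian-specific default), remote ..." with a comma on each side of the parenthesis; the `no` branch drops the comma after `.Cm no` before "(the upstream default)," and reads cleanly, so do the same here. Putting the Debian note in this paragraph is the right choice, because "full access to the original X11 display" is the sentence that tells a user what a hostile or compromised server can do with their display under the new default, and the `no` paragraph right below tells them what they get back by overriding it.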
sshd_config (18 lines changed)
@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
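Review bot: with the Include at the very top, anything in /etc/ssh/sshd_config.d wins over every setting below it, since sshd, like ssh, keeps the first value it reads; a reviewer of this file alone therefore cannot know the effective configuration. The sshd_config.5 hunk says so, but the file should too: a comment above the Include stating that drop-ins take precedence, and that `sshd -T` prints the merged configuration the daemon will actually use, is what an auditor or an incident responder checking a host needs to see at this point.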
@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
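Review bot: the new comment explains the PAM threading caveat but not what `ChallengeResponseAuthentication no` leaves enabled when combined with `UsePAM yes` from the next hunk: PasswordAuthentication still defaults to yes and is still verified through PAM, so this line does not make the server key-only, and an administrator who wants that must also set `PasswordAuthentication no`. One sentence to that effect would prevent the common misreading of this block. Replacing the stale "s/key passwords" comment is an improvement in its own right.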
@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
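Review bot: `X11Forwarding yes` is only a safe server default because `X11UseLocalhost` is left at its default of yes, which keeps the proxy display bound to loopback; that dependency should be stated in a comment next to the line, so that nobody later flips X11UseLocalhost without realising the forwarded display then becomes reachable from the network. Also worth a comment: the forwarding is only set up when a client asks for it, so enabling it here does not by itself expose anything. `UsePAM yes` and `PrintMotd no` belong together, since Debian's PAM session stack already prints the message of the day and leaving PrintMotd at yes would show it twice; saying so prevents the setting from being "fixed" back.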
@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
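Review bot: `AcceptEnv LANG LC_*` accepts any client-supplied variable whose name starts with `LC_`, not only the locale categories the comment has in mind, so the comment should say the pattern is a deliberate prefix match and must stay this narrow; sshd_config(5) warns under AcceptEnv that some environment variables can be used to bypass restricted user environments, which is the reason not to widen this to a bare `*`. The changed Subsystem path has to match where this package installs sftp-server; for chrooted users the built-in `internal-sftp` needs no binary inside the chroot, and the comment above the line is a natural place to mention that alternative.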
@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
Note that the Debian
.Ic openssh-server
package sets several options as standard in
.Pa /etc/ssh/sshd_config
which are not the default in
.Xr sshd 8 :
.Pp
.Bl -bullet -offset indent -compact
.It
.Cm Include /etc/ssh/sshd_config.d/*.conf
.It
.Cm ChallengeResponseAuthentication No no
.It
.Cm X11Forwarding No yes
.It
.Cm PrintMotd No no
.It
.Cm AcceptEnv No LANG LC_*
.It
.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
.It
.Cm UsePAM No yes
.El
.Pp
.Pa /etc/ssh/sshd_config.d/*.conf
files are included at the start of the configuration file, so options set
there will override those in
.Pa /etc/ssh/sshd_config.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
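Review bot: "files are included at the start of the configuration file, so options set there will override those in sshd_config" is true for plain keyword-value lines but hides a trap the paragraph should warn about: a `Match` block in a drop-in that is not closed with `Match all` keeps applying to the lines that follow the Include in sshd_config itself, so the package's own `UsePAM yes`, `Subsystem` and similar directives land inside that Match block, and since most of those keywords are not permitted under Match, sshd rejects the configuration and fails to start. One sentence telling administrators to end any drop-in that contains Match with `Match all` would save a lot of locked-out servers. Same mdoc nit as in ssh_config.5: `.Pa /etc/ssh/sshd_config.` should be `.Pa /etc/ssh/sshd_config .` so the full stop is not rendered as part of the path.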
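The precedence rules this patch relies on and documents (Include expanded in place at the top of the file, the first value obtained for a keyword winning, and a Match block scoping every line after it until the next Match) are easy to state and easy to get wrong in practice. The following toy resolver is an added illustration, not code from the Debian patch or from OpenSSH, and it reads a constructed in-memory file tree rather than real files: the drop-in names `10-hardening.conf` and `20-sftp-only.conf`, the group `sftponly` and the path `/srv/sftp` are all assumptions made for the demonstration. It shows a hardening drop-in correctly overriding `X11Forwarding yes` from the main file, and then shows how a drop-in whose Match block is not closed with `Match all` pulls the main file's remaining directives into that block.

```python
"""Toy resolver for OpenSSH-style configuration files (added example, not
code from the Debian openssh packaging or from OpenSSH itself)."""
import fnmatch

# Constructed sample tree: path -> contents. Hypothetical drop-ins, not real files.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "#Port 22\n"
        "ChallengeResponseAuthentication no\n"
        "UsePAM yes\n"
        "X11Forwarding yes\n"
        "PrintMotd no\n"
        "AcceptEnv LANG LC_*\n"
        "Subsystem sftp /usr/lib/openssh/sftp-server\n"
    ),
    # A hardening drop-in: it wins over the main file because Include comes first.
    "/etc/ssh/sshd_config.d/10-hardening.conf": (
        "PasswordAuthentication no\n"
        "X11Forwarding no\n"
    ),
    # A drop-in whose Match block is never closed: this is the trap.
    "/etc/ssh/sshd_config.d/20-sftp-only.conf": (
        "Match Group sftponly\n"
        "    ChrootDirectory /srv/sftp\n"
    ),
}

# The same tree with the drop-in closed by "Match all", so later lines are global again.
FIXED_FILES = dict(SAMPLE_FILES)
FIXED_FILES["/etc/ssh/sshd_config.d/20-sftp-only.conf"] += "Match all\n"


def expand(path, files, depth=0):
    """Yield (source_path, keyword, argument) in read order, expanding Include
    in place; files matching the glob are read in lexical order, as sshd does."""
    if depth > 16:
        raise RuntimeError("Include nesting too deep at " + path)
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "include":
            for target in sorted(p for p in files if fnmatch.fnmatch(p, argument)):
                yield from expand(target, files, depth + 1)
        else:
            yield path, keyword, argument


def resolve(path, files):
    """Return (effective, scoped).

    effective: keyword -> (value, source); the first value read wins.
    scoped:    (match_criteria, source, keyword, value) for every directive
               that fell under a Match block, including lines of the parent
               file that follow an unterminated Match inside a drop-in
               (real sshd rejects most keywords there and refuses to start)."""
    effective, scoped, current_match = {}, [], None
    for source, keyword, argument in expand(path, files):
        if keyword == "match":
            current_match = None if argument.lower() == "all" else argument
            continue
        if current_match is not None:
            scoped.append((current_match, source, keyword, argument))
            continue
        effective.setdefault(keyword, (argument, source))
    return effective, scoped


if __name__ == "__main__":
    for label, files in (("unterminated Match", SAMPLE_FILES),
                         ("closed with Match all", FIXED_FILES)):
        effective, scoped = resolve("/etc/ssh/sshd_config", files)
        print(f"== {label}: {len(effective)} global, {len(scoped)} scoped to a Match")
        for keyword, (value, source) in effective.items():
            print(f"  {keyword} = {value}   (from {source})")
        for criteria, source, keyword, value in scoped:
            print(f"  [Match {criteria}] {keyword} = {value}   (from {source})")
```

Run as a script it prints both resolutions side by side: with the unterminated drop-in only the two hardening lines survive as global settings and everything from the main file, `UsePAM yes` included, is reported under `Match Group sftponly`; with `Match all` appended, the main file's lines are global again while `X11Forwarding` still resolves to `no` from the drop-in. On a real host the equivalent check is `sshd -T`, which prints the merged configuration the daemon will actually use.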