From 5fbe366def6557d221b9d955b7ab9bfbe88fd2b3 Mon Sep 17 00:00:00 2001
|
|
From: Colin Watson <cjwatson@debian.org>
|
|
Date: Sun, 9 Feb 2014 16:10:18 +0000
|
|
Subject: Various Debian-specific configuration changes
|
|
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
|
|
fewer problems with existing setups (http://bugs.debian.org/237021).
|
|
|
|
ssh: Set 'SendEnv LANG LC_* COLORTERM NO_COLOR' by default
|
|
(http://bugs.debian.org/264024).
|
|
|
|
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
|
|
worms.
|
|
|
|
ssh: Enable GSSAPIAuthentication by default.
|
|
|
|
ssh: Include /etc/ssh/ssh_config.d/*.conf.
|
|
|
|
sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
|
|
PrintMotd.
|
|
|
|
sshd: Enable X11Forwarding.
|
|
|
|
sshd: Set 'AcceptEnv LANG LC_* COLORTERM NO_COLOR' by default.
|
|
|
|
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
|
|
|
|
sshd: Include /etc/ssh/sshd_config.d/*.conf.
|
|
|
|
sshd: Document Debian's defaults for SshdAuthPath and SshdSessionPath.
|
|
|
|
regress: Run tests with 'UsePAM yes', to match sshd_config.
|
|
|
|
Document all of this.
|
|
|
|
Author: Russ Allbery <rra@debian.org>
|
|
Author: Luca Boccassi <bluca@debian.org>
|
|
Forwarded: not-needed
|
|
Last-Update: 2025-04-11
|
|
|
|
Patch-Name: debian-config.patch
|
|
---
|
|
readconf.c | 2 +-
|
|
regress/test-exec.sh | 1 +
|
|
ssh.1 | 24 ++++++++++++++++++++++++
|
|
ssh_config | 8 +++++++-
|
|
ssh_config.5 | 26 +++++++++++++++++++++++++-
|
|
sshd_config | 18 ++++++++++++------
|
|
sshd_config.5 | 33 +++++++++++++++++++++++++++++++--
|
|
7 files changed, 101 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/readconf.c b/readconf.c
|
|
index 8419b5451..fc625a00c 100644
|
|
--- a/readconf.c
|
|
+++ b/readconf.c
|
|
@@ -2860,7 +2860,7 @@ fill_default_options(Options * options)
|
|
if (options->forward_x11 == -1)
|
|
options->forward_x11 = 0;
|
|
if (options->forward_x11_trusted == -1)
|
|
- options->forward_x11_trusted = 0;
|
|
+ options->forward_x11_trusted = 1;
|
|
if (options->forward_x11_timeout == -1)
|
|
options->forward_x11_timeout = 1200;
|
|
/*
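Review bot: The new default `options->forward_x11_trusted = 1;` carries no comment, so a reader of readconf.c cannot tell that this is a deliberate Debian deviation from upstream's 0 rather than a merge accident, and its security meaning (remote X11 clients get full access to the local display, bypassing the X11 SECURITY extension) is only documented in the man pages. Add a one-line marker above the assignment, e.g. `/* Debian: default to trusted X11 forwarding; see ssh(1) and http://bugs.debian.org/237021 */`. Note that this changes the compiled-in default, so it applies even when /etc/ssh/ssh_config is absent or its `# ForwardX11Trusted yes` reference line is removed; only an explicit `ForwardX11Trusted no` restores upstream behaviour. fill_default_options() begins and ends outside this hunk.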
|
|
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
|
|
index 8a00c729c..486826928 100644
|
|
--- a/regress/test-exec.sh
|
|
+++ b/regress/test-exec.sh
|
|
@@ -634,6 +634,7 @@ cat << EOF > $OBJ/sshd_config
|
|
SshdSessionPath $SSHD_SESSION
|
|
SshdAuthPath $SSHD_AUTH
|
|
PerSourcePenalties no
|
|
+ UsePAM yes
|
|
EOF
|
|
|
|
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
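Review bot: `UsePAM yes` is written into the generated sshd_config unconditionally, which presumably ties the regression suite to an sshd built with PAM support; against a build configured without it the option would be rejected or ignored, and the suite could fail for a reason unrelated to what is under test. If the Debian build always enables PAM this is fine, but a short comment such as `# Debian builds with PAM; keep in step with the shipped sshd_config` would record the assumption next to the line. The heredoc that writes the file begins above this hunk.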
|
|
diff --git a/ssh.1 b/ssh.1
|
|
index 3d849f02c..56bdfa3d9 100644
|
|
--- a/ssh.1
|
|
+++ b/ssh.1
|
|
@@ -873,6 +873,16 @@ directive in
|
|
.Xr ssh_config 5
|
|
for more information.
|
|
.Pp
|
|
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
|
|
+restrictions by default, because too many programs currently crash in this
|
|
+mode.
|
|
+Set the
|
|
+.Cm ForwardX11Trusted
|
|
+option to
|
|
+.Dq no
|
|
+to restore the upstream behaviour.
|
|
+This may change in future depending on client-side improvements.)
|
|
+.Pp
|
|
.It Fl x
|
|
Disables X11 forwarding.
|
|
.Pp
|
|
@@ -881,6 +891,20 @@ Enables trusted X11 forwarding.
|
|
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
|
|
controls.
|
|
.Pp
|
|
+(Debian-specific: In the default configuration, this option is equivalent to
|
|
+.Fl X ,
|
|
+since
|
|
+.Cm ForwardX11Trusted
|
|
+defaults to
|
|
+.Dq yes
|
|
+as described above.
|
|
+Set the
|
|
+.Cm ForwardX11Trusted
|
|
+option to
|
|
+.Dq no
|
|
+to restore the upstream behaviour.
|
|
+This may change in future depending on client-side improvements.)
|
|
+.Pp
|
|
.It Fl y
|
|
Send log information using the
|
|
.Xr syslog 3
|
|
diff --git a/ssh_config b/ssh_config
|
|
index 16197d15d..fc7930bfc 100644
|
|
--- a/ssh_config
|
|
+++ b/ssh_config
|
|
@@ -17,9 +17,12 @@
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
-# Host *
|
|
+Include /etc/ssh/ssh_config.d/*.conf
|
|
+
|
|
+Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
+# ForwardX11Trusted yes
|
|
# PasswordAuthentication yes
|
|
# HostbasedAuthentication no
|
|
# GSSAPIAuthentication no
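Review bot: `Include /etc/ssh/ssh_config.d/*.conf` is added with no comment about precedence: ssh keeps the first value obtained for each option, and because the Include sits above `Host *` and the defaults below it, anything in a drop-in silently wins over this file, which is exactly what an administrator auditing the client configuration needs to know. Add a short comment above it, e.g. `# Drop-in files are read first, so any option they set takes precedence over the settings below.`. The same applies to the `Include /etc/ssh/sshd_config.d/*.conf` hunk in sshd_config, where sshd likewise uses the first value obtained.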
|
|
@@ -46,3 +49,6 @@
|
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
# RekeyLimit 1G 1h
|
|
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
|
+ SendEnv LANG LC_* COLORTERM NO_COLOR
|
|
+ HashKnownHosts yes
|
|
+ GSSAPIAuthentication yes
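Review bot: `GSSAPIAuthentication yes` at the end of the `Host *` block contradicts the reference line `# GSSAPIAuthentication no` that the first hunk of this file leaves in the commented defaults list, whereas `# ForwardX11Trusted yes` in that list was updated to show the Debian value; a reader skimming the comments will conclude GSSAPI authentication is off. Either update the reference line to `# GSSAPIAuthentication yes` or put a comment above these three lines, e.g. `# Debian-specific defaults; these override the reference values listed above.`. It may also be worth stating in that comment that enabling GSSAPI authentication does not delegate credentials, since GSSAPIDelegateCredentials keeps its ssh_config(5) default of no.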
|
|
diff --git a/ssh_config.5 b/ssh_config.5
|
|
index 0356de8b0..d8452237d 100644
|
|
--- a/ssh_config.5
|
|
+++ b/ssh_config.5
|
|
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
|
|
host-specific declarations should be given near the beginning of the
|
|
file, and general defaults at the end.
|
|
.Pp
|
|
+Note that the Debian
|
|
+.Ic openssh-client
|
|
+package sets several options as standard in
|
|
+.Pa /etc/ssh/ssh_config
|
|
+which are not the default in
|
|
+.Xr ssh 1 :
|
|
+.Pp
|
|
+.Bl -bullet -offset indent -compact
|
|
+.It
|
|
+.Cm Include /etc/ssh/ssh_config.d/*.conf
|
|
+.It
|
|
+.Cm SendEnv No LANG LC_* COLORTERM NO_COLOR
|
|
+.It
|
|
+.Cm HashKnownHosts No yes
|
|
+.It
|
|
+.Cm GSSAPIAuthentication No yes
|
|
+.El
|
|
+.Pp
|
|
+.Pa /etc/ssh/ssh_config.d/*.conf
|
|
+files are included at the start of the system-wide configuration file, so
|
|
+options set there will override those in
|
|
+.Pa /etc/ssh/ssh_config.
|
|
+.Pp
|
|
The file contains keyword-argument pairs, one per line.
|
|
Lines starting with
|
|
.Ql #
|
|
@@ -941,11 +964,12 @@ elapsed.
|
|
.It Cm ForwardX11Trusted
|
|
If this option is set to
|
|
.Cm yes ,
|
|
+(the Debian-specific default),
|
|
remote X11 clients will have full access to the original X11 display.
|
|
.Pp
|
|
If this option is set to
|
|
.Cm no
|
|
-(the default),
|
|
+(the upstream default),
|
|
remote X11 clients will be considered untrusted and prevented
|
|
from stealing or tampering with data belonging to trusted X11
|
|
clients.
|
|
diff --git a/sshd_config b/sshd_config
|
|
index 6ddae0370..01e8d9098 100644
|
|
--- a/sshd_config
|
|
+++ b/sshd_config
|
|
@@ -10,6 +10,8 @@
|
|
# possible, but leave them commented. Uncommented options override the
|
|
# default value.
|
|
|
|
+Include /etc/ssh/sshd_config.d/*.conf
|
|
+
|
|
#Port 22
|
|
#AddressFamily any
|
|
#ListenAddress 0.0.0.0
|
|
@@ -57,10 +59,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
#PasswordAuthentication yes
|
|
#PermitEmptyPasswords no
|
|
|
|
-# Change to "no" to disable keyboard-interactive authentication. Depending on
|
|
+# Change to "yes" to enable keyboard-interactive authentication. Depending on
|
|
# the system's configuration, this may involve passwords, challenge-response,
|
|
# one-time passwords or some combination of these and other methods.
|
|
-#KbdInteractiveAuthentication yes
|
|
+# Beware issues with some PAM modules and threads.
|
|
+KbdInteractiveAuthentication no
|
|
|
|
# Kerberos options
|
|
#KerberosAuthentication no
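Review bot: The new comment `# Beware issues with some PAM modules and threads.` above `KbdInteractiveAuthentication no` does not say what the issue is or which direction it cuts, so an administrator considering switching to `yes` gets a warning with no actionable content. Name the consequence and point at the record, e.g. `# Disabled on Debian: keyboard-interactive through PAM has known problems with some PAM modules (see <BUG-REFERENCE placeholder>); password authentication still runs via PAM, see UsePAM below.`; I cannot verify the thread detail from this hunk, so the reference should come from whoever tracked the problem. Note also that `#PasswordAuthentication yes` above remains the active default, so disabling keyboard-interactive does not by itself reduce the password-based authentication surface.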
|
|
@@ -83,16 +86,16 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and KbdInteractiveAuthentication to 'no'.
|
|
-#UsePAM no
|
|
+UsePAM yes
|
|
|
|
#AllowAgentForwarding yes
|
|
#AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
-#X11Forwarding no
|
|
+X11Forwarding yes
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
-#PrintMotd yes
|
|
+PrintMotd no
|
|
#PrintLastLog yes
|
|
#TCPKeepAlive yes
|
|
#PermitUserEnvironment no
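Review bot: `PrintMotd no` and `X11Forwarding yes` are switched on without a why-comment, while `UsePAM yes` sits under a comment block written for upstream's commented-out form and describing a different use of the option. Presumably the MOTD is left to PAM's session stage once `UsePAM yes` is active, so a comment such as `# Debian: PAM prints the MOTD, so sshd must not print it again` would explain the pairing — confirm that is the reason before adopting the wording. A similar one-liner above `X11Forwarding yes` would tell the reader it is a distribution default rather than a local change.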
|
|
@@ -109,8 +112,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# no default banner path
|
|
#Banner none
|
|
|
|
+# Allow client to pass locale and color environment variables
|
|
+AcceptEnv LANG LC_* COLORTERM NO_COLOR
|
|
+
|
|
# override default of no subsystems
|
|
-Subsystem sftp /usr/libexec/sftp-server
|
|
+Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
# Example of overriding settings on a per-user basis
|
|
#Match User anoncvs
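Review bot: `AcceptEnv LANG LC_* COLORTERM NO_COLOR` uses a wildcard, and the comment above it only says what is allowed, not the caveat sshd_config(5) gives for AcceptEnv: client-supplied environment variables can be used to bypass restricted user environments, so the pattern should stay as narrow as it is here and not be widened casually. Extend the comment, e.g. `# Allow client to pass locale and color environment variables. Keep this list narrow: accepted variables reach the user's session and can affect restricted environments (see AcceptEnv in sshd_config(5)).`. The sftp path `/usr/lib/openssh/sftp-server` matches the SshdAuthPath/SshdSessionPath defaults documented in the sshd_config.5 hunk, but nothing in this patch changes a compiled-in path, so those presumably come from the build's libexecdir — worth confirming the two stay in step.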
|
|
diff --git a/sshd_config.5 b/sshd_config.5
|
|
index 80a75fbb7..a5594102f 100644
|
|
--- a/sshd_config.5
|
|
+++ b/sshd_config.5
|
|
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
|
|
.Pq \&"
|
|
in order to represent arguments containing spaces.
|
|
.Pp
|
|
+Note that the Debian
|
|
+.Ic openssh-server
|
|
+package sets several options as standard in
|
|
+.Pa /etc/ssh/sshd_config
|
|
+which are not the default in
|
|
+.Xr sshd 8 :
|
|
+.Pp
|
|
+.Bl -bullet -offset indent -compact
|
|
+.It
|
|
+.Cm Include /etc/ssh/sshd_config.d/*.conf
|
|
+.It
|
|
+.Cm KbdInteractiveAuthentication No no
|
|
+.It
|
|
+.Cm X11Forwarding No yes
|
|
+.It
|
|
+.Cm PrintMotd No no
|
|
+.It
|
|
+.Cm AcceptEnv No LANG LC_* COLORTERM NO_COLOR
|
|
+.It
|
|
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
|
|
+.It
|
|
+.Cm UsePAM No yes
|
|
+.El
|
|
+.Pp
|
|
+.Pa /etc/ssh/sshd_config.d/*.conf
|
|
+files are included at the start of the configuration file, so options set
|
|
+there will override those in
|
|
+.Pa /etc/ssh/sshd_config.
|
|
+.Pp
|
|
The possible
|
|
keywords and their meanings are as follows (note that
|
|
keywords are case-insensitive and arguments are case-sensitive):
|
|
@@ -1889,14 +1918,14 @@ Overrides the default path to the
|
|
.Cm sshd-auth
|
|
binary that is invoked to complete user authentication.
|
|
The default is
|
|
-.Pa /usr/libexec/sshd-auth .
|
|
+.Pa /usr/lib/openssh/sshd-auth .
|
|
This option is intended for use by tests.
|
|
.It Cm SshdSessionPath
|
|
Overrides the default path to the
|
|
.Cm sshd-session
|
|
binary that is invoked to handle each connection.
|
|
The default is
|
|
-.Pa /usr/libexec/sshd-session .
|
|
+.Pa /usr/lib/openssh/sshd-session .
|
|
This option is intended for use by tests.
|
|
.It Cm StreamLocalBindMask
|
|
Sets the octal file creation mode mask
|