diff options
Diffstat (limited to 'debian/patches/debian-config.patch')
-rw-r--r-- | debian/patches/debian-config.patch | 285 |
1 files changed, 285 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 0000000..f32c3fd --- /dev/null +++ b/debian/patches/debian-config.patch @@ -0,0 +1,285 @@ +From aedb5d2ee2799e3a95b6913721533d2c42c496b3 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Sun, 9 Feb 2014 16:10:18 +0000 +Subject: Various Debian-specific configuration changes + +ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause +fewer problems with existing setups (http://bugs.debian.org/237021). + +ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). + +ssh: Enable HashKnownHosts by default to try to limit the spread of ssh +worms. + +ssh: Enable GSSAPIAuthentication by default. + +ssh: Include /etc/ssh/ssh_config.d/*.conf. + +sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable +PrintMotd. + +sshd: Enable X11Forwarding. + +sshd: Set 'AcceptEnv LANG LC_*' by default. + +sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. + +sshd: Include /etc/ssh/sshd_config.d/*.conf. + +regress: Run tests with 'UsePAM yes', to match sshd_config. + +Document all of this. + +Author: Russ Allbery <rra@debian.org> +Forwarded: not-needed +Last-Update: 2023-01-03 + +Patch-Name: debian-config.patch +--- + readconf.c | 2 +- + regress/test-exec.sh | 1 + + ssh.1 | 24 ++++++++++++++++++++++++ + ssh_config | 8 +++++++- + ssh_config.5 | 26 +++++++++++++++++++++++++- + sshd_config | 18 ++++++++++++------ + sshd_config.5 | 29 +++++++++++++++++++++++++++++ + 7 files changed, 99 insertions(+), 9 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 18e814039..6c8ad919f 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2536,7 +2536,7 @@ fill_default_options(Options * options) + if (options->forward_x11 == -1) + options->forward_x11 = 0; + if (options->forward_x11_trusted == -1) +- options->forward_x11_trusted = 0; ++ options->forward_x11_trusted = 1; + if (options->forward_x11_timeout == -1) + options->forward_x11_timeout = 1200; + /* +diff --git a/regress/test-exec.sh b/regress/test-exec.sh +index df43f0214..a56108179 100644 +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -539,6 +539,7 @@ cat << EOF > $OBJ/sshd_config + AcceptEnv _XXX_TEST_* + AcceptEnv _XXX_TEST + Subsystem sftp $SFTPSERVER ++ UsePAM yes + EOF + + # This may be necessary if /usr/src and/or /usr/obj are group-writable, +diff --git a/ssh.1 b/ssh.1 +index d07cd7840..395abd40b 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -847,6 +847,16 @@ directive in + .Xr ssh_config 5 + for more information. + .Pp ++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension ++restrictions by default, because too many programs currently crash in this ++mode. ++Set the ++.Cm ForwardX11Trusted ++option to ++.Dq no ++to restore the upstream behaviour. ++This may change in future depending on client-side improvements.) ++.Pp + .It Fl x + Disables X11 forwarding. + .Pp +@@ -855,6 +865,20 @@ Enables trusted X11 forwarding. + Trusted X11 forwardings are not subjected to the X11 SECURITY extension + controls. + .Pp ++(Debian-specific: In the default configuration, this option is equivalent to ++.Fl X , ++since ++.Cm ForwardX11Trusted ++defaults to ++.Dq yes ++as described above. ++Set the ++.Cm ForwardX11Trusted ++option to ++.Dq no ++to restore the upstream behaviour. ++This may change in future depending on client-side improvements.) ++.Pp + .It Fl y + Send log information using the + .Xr syslog 3 +diff --git a/ssh_config b/ssh_config +index 52aae8692..09a17cf18 100644 +--- a/ssh_config ++++ b/ssh_config +@@ -17,9 +17,12 @@ + # list of available options, their meanings and defaults, please see the + # ssh_config(5) man page. + +-# Host * ++Include /etc/ssh/ssh_config.d/*.conf ++ ++Host * + # ForwardAgent no + # ForwardX11 no ++# ForwardX11Trusted yes + # PasswordAuthentication yes + # HostbasedAuthentication no + # GSSAPIAuthentication no +@@ -46,3 +49,6 @@ + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h + # UserKnownHostsFile ~/.ssh/known_hosts.d/%k ++ SendEnv LANG LC_* ++ HashKnownHosts yes ++ GSSAPIAuthentication yes +diff --git a/ssh_config.5 b/ssh_config.5 +index 82d68650e..32851c984 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more + host-specific declarations should be given near the beginning of the + file, and general defaults at the end. + .Pp ++Note that the Debian ++.Ic openssh-client ++package sets several options as standard in ++.Pa /etc/ssh/ssh_config ++which are not the default in ++.Xr ssh 1 : ++.Pp ++.Bl -bullet -offset indent -compact ++.It ++.Cm Include /etc/ssh/ssh_config.d/*.conf ++.It ++.Cm SendEnv No LANG LC_* ++.It ++.Cm HashKnownHosts No yes ++.It ++.Cm GSSAPIAuthentication No yes ++.El ++.Pp ++.Pa /etc/ssh/ssh_config.d/*.conf ++files are included at the start of the system-wide configuration file, so ++options set there will override those in ++.Pa /etc/ssh/ssh_config. ++.Pp + The file contains keyword-argument pairs, one per line. + Lines starting with + .Ql # +@@ -802,11 +825,12 @@ elapsed. + .It Cm ForwardX11Trusted + If this option is set to + .Cm yes , ++(the Debian-specific default), + remote X11 clients will have full access to the original X11 display. + .Pp + If this option is set to + .Cm no +-(the default), ++(the upstream default), + remote X11 clients will be considered untrusted and prevented + from stealing or tampering with data belonging to trusted X11 + clients. +diff --git a/sshd_config b/sshd_config +index ecfe8d026..677f97d5d 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -10,6 +10,8 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++Include /etc/ssh/sshd_config.d/*.conf ++ + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys + #PasswordAuthentication yes + #PermitEmptyPasswords no + +-# Change to no to disable s/key passwords +-#KbdInteractiveAuthentication yes ++# Change to yes to enable challenge-response passwords (beware issues with ++# some PAM modules and threads) ++KbdInteractiveAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-#UsePAM no ++UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PermitTTY yes +-#PrintMotd yes ++PrintMotd no + #PrintLastLog yes + #TCPKeepAlive yes + #PermitUserEnvironment no +@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys + # no default banner path + #Banner none + ++# Allow client to pass locale environment variables ++AcceptEnv LANG LC_* ++ + # override default of no subsystems +-Subsystem sftp /usr/libexec/sftp-server ++Subsystem sftp /usr/lib/openssh/sftp-server + + # Example of overriding settings on a per-user basis + #Match User anoncvs +diff --git a/sshd_config.5 b/sshd_config.5 +index b9a19c7bd..b13f7665b 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes + .Pq \&" + in order to represent arguments containing spaces. + .Pp ++Note that the Debian ++.Ic openssh-server ++package sets several options as standard in ++.Pa /etc/ssh/sshd_config ++which are not the default in ++.Xr sshd 8 : ++.Pp ++.Bl -bullet -offset indent -compact ++.It ++.Cm Include /etc/ssh/sshd_config.d/*.conf ++.It ++.Cm KbdInteractiveAuthentication No no ++.It ++.Cm X11Forwarding No yes ++.It ++.Cm PrintMotd No no ++.It ++.Cm AcceptEnv No LANG LC_* ++.It ++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server ++.It ++.Cm UsePAM No yes ++.El ++.Pp ++.Pa /etc/ssh/sshd_config.d/*.conf ++files are included at the start of the configuration file, so options set ++there will override those in ++.Pa /etc/ssh/sshd_config. ++.Pp + The possible + keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): |