From 4f52dcf6ce616f6e674d6af0ceebb3e2f6b147a3 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. regress: Run tests with 'UsePAM yes', to match sshd_config. Document all of this. Author: Russ Allbery Forwarded: not-needed Last-Update: 2023-01-03 Patch-Name: debian-config.patch --- readconf.c | 2 +- regress/test-exec.sh | 1 + ssh.1 | 24 ++++++++++++++++++++++++ ssh_config | 8 +++++++- ssh_config.5 | 26 +++++++++++++++++++++++++- sshd_config | 18 ++++++++++++------ sshd_config.5 | 29 +++++++++++++++++++++++++++++ 7 files changed, 99 insertions(+), 9 deletions(-) diff --git a/readconf.c b/readconf.c index d68658185..720062bcc 100644 --- a/readconf.c +++ b/readconf.c @@ -2739,7 +2739,7 @@ fill_default_options(Options * options) if (options->forward_x11 == -1) options->forward_x11 = 0; if (options->forward_x11_trusted == -1) - options->forward_x11_trusted = 0; + options->forward_x11_trusted = 1; if (options->forward_x11_timeout == -1) options->forward_x11_timeout = 1200; /* diff --git a/regress/test-exec.sh b/regress/test-exec.sh index ad627941f..56e98159c 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -609,6 +609,7 @@ cat << EOF > $OBJ/sshd_config AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST Subsystem sftp $SFTPSERVER + UsePAM yes EOF # This may be necessary if /usr/src and/or /usr/obj are group-writable, diff --git a/ssh.1 b/ssh.1 index 0d56f3dc1..ddfe75b95 100644 --- a/ssh.1 +++ b/ssh.1 @@ -861,6 +861,16 @@ directive in .Xr ssh_config 5 for more information. .Pp +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension +restrictions by default, because too many programs currently crash in this +mode. +Set the +.Cm ForwardX11Trusted +option to +.Dq no +to restore the upstream behaviour. +This may change in future depending on client-side improvements.) +.Pp .It Fl x Disables X11 forwarding. .Pp @@ -869,6 +879,20 @@ Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls. .Pp +(Debian-specific: In the default configuration, this option is equivalent to +.Fl X , +since +.Cm ForwardX11Trusted +defaults to +.Dq yes +as described above. +Set the +.Cm ForwardX11Trusted +option to +.Dq no +to restore the upstream behaviour. +This may change in future depending on client-side improvements.) +.Pp .It Fl y Send log information using the .Xr syslog 3 diff --git a/ssh_config b/ssh_config index 16197d15d..92d06ef38 100644 --- a/ssh_config +++ b/ssh_config @@ -17,9 +17,12 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -# Host * +Include /etc/ssh/ssh_config.d/*.conf + +Host * # ForwardAgent no # ForwardX11 no +# ForwardX11Trusted yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no @@ -46,3 +49,6 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h # UserKnownHostsFile ~/.ssh/known_hosts.d/%k + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes diff --git a/ssh_config.5 b/ssh_config.5 index 41d4d7406..c2789a09d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. .Pp +Note that the Debian +.Ic openssh-client +package sets several options as standard in +.Pa /etc/ssh/ssh_config +which are not the default in +.Xr ssh 1 : +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm Include /etc/ssh/ssh_config.d/*.conf +.It +.Cm SendEnv No LANG LC_* +.It +.Cm HashKnownHosts No yes +.It +.Cm GSSAPIAuthentication No yes +.El +.Pp +.Pa /etc/ssh/ssh_config.d/*.conf +files are included at the start of the system-wide configuration file, so +options set there will override those in +.Pa /etc/ssh/ssh_config. +.Pp The file contains keyword-argument pairs, one per line. Lines starting with .Ql # @@ -901,11 +924,12 @@ elapsed. .It Cm ForwardX11Trusted If this option is set to .Cm yes , +(the Debian-specific default), remote X11 clients will have full access to the original X11 display. .Pp If this option is set to .Cm no -(the default), +(the upstream default), remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. diff --git a/sshd_config b/sshd_config index ecfe8d026..677f97d5d 100644 --- a/sshd_config +++ b/sshd_config @@ -10,6 +10,8 @@ # possible, but leave them commented. Uncommented options override the # default value. +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 @@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords -#KbdInteractiveAuthentication yes +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +KbdInteractiveAuthentication no # Kerberos options #KerberosAuthentication no @@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and KbdInteractiveAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -#PrintMotd yes +PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no @@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys # no default banner path #Banner none +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + # override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/sshd_config.5 b/sshd_config.5 index 0e8891c4f..12083e839 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes .Pq \&" in order to represent arguments containing spaces. .Pp +Note that the Debian +.Ic openssh-server +package sets several options as standard in +.Pa /etc/ssh/sshd_config +which are not the default in +.Xr sshd 8 : +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm Include /etc/ssh/sshd_config.d/*.conf +.It +.Cm KbdInteractiveAuthentication No no +.It +.Cm X11Forwarding No yes +.It +.Cm PrintMotd No no +.It +.Cm AcceptEnv No LANG LC_* +.It +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server +.It +.Cm UsePAM No yes +.El +.Pp +.Pa /etc/ssh/sshd_config.d/*.conf +files are included at the start of the configuration file, so options set +there will override those in +.Pa /etc/ssh/sshd_config. +.Pp The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive):