1 Description: Various Debian-specific configuration changes
2 ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
3 fewer problems with existing setups (http://bugs.debian.org/237021).
5 ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
7 ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
10 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
13 sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
14 PermitRootLogin default.
16 Document all of this, along with several sshd defaults set in
17 debian/openssh-server.postinst.
18 Author: Colin Watson <cjwatson@debian.org>
19 Author: Russ Allbery <rra@debian.org>
21 Last-Update: 2010-02-28
24 ===================================================================
28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1)
31 - options->forward_x11_trusted = 0;
32 + options->forward_x11_trusted = 1;
33 if (options->forward_x11_timeout == -1)
34 options->forward_x11_timeout = 1200;
35 if (options->exit_on_forward_failure == -1)
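Review bot: The `forward_x11_trusted == -1` branch now defaults to 1 with no comment in the code, so a reader of readconf.c sees a value that differs from upstream and has no pointer to the reason. Add a one-line comment at the changed assignment citing the Debian bug named in the description (http://bugs.debian.org/237021). Since `forward_x11` still defaults to 0 just above, the new value only matters once a user turns X11 forwarding on; from then on remote X clients are treated as trusted. The `forward_x11_timeout = 1200` default just below is therefore no longer exercised in the default configuration, which is worth stating in the same comment.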
37 ===================================================================
41 # list of available options, their meanings and defaults, please see the
42 # ssh_config(5) man page.
48 +# ForwardX11Trusted yes
49 # RhostsRSAAuthentication no
50 # RSAAuthentication yes
51 # PasswordAuthentication yes
53 # PermitLocalCommand no
55 # ProxyCommand ssh -q -W %h:%p gateway.example.com
58 + GSSAPIAuthentication yes
59 + GSSAPIDelegateCredentials no
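Review bot: `GSSAPIAuthentication yes` and `GSSAPIDelegateCredentials no` go in as active settings, while `# ForwardX11Trusted yes` goes in as a commented default, and nothing in the file marks any of the three as a Debian change. Add a short comment above the active lines saying they are distribution defaults and pointing to ssh_config(5). That lets an administrator auditing /etc/ssh/ssh_config tell packaged settings from local edits. It would also help to say in that comment that the commented `ForwardX11Trusted yes` reflects a changed built-in default rather than the upstream one.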
61 ===================================================================
65 host-specific declarations should be given near the beginning of the
66 file, and general defaults at the end.
70 +package sets several options as standard in
71 +.Pa /etc/ssh/ssh_config
72 +which are not the default in
75 +.Bl -bullet -offset indent -compact
77 +.Cm SendEnv No LANG LC_*
79 +.Cm HashKnownHosts No yes
81 +.Cm GSSAPIAuthentication No yes
84 The configuration file has the following format:
86 Empty lines and lines starting with
88 Remote clients will be refused access after this time.
95 See the X11 SECURITY extension specification for full details on
96 the restrictions imposed on untrusted clients.
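Review bot: The added bullet list describes what /etc/ssh/ssh_config sets, but the ForwardX11Trusted change is made as a compiled-in default in readconf.c, so it falls outside that list by construction. If the ForwardX11Trusted entry does not already say that the Debian default is yes, it should. Otherwise the unchanged context about "the restrictions imposed on untrusted clients" and about clients being refused access after the timeout reads as if those protections apply by default. A sentence telling users how to get the restricted behaviour back (setting `ForwardX11Trusted no`) belongs next to it.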
98 ===================================================================
105 +# See /usr/share/doc/openssh-server/README.Debian.gz.
109 Index: b/sshd_config.5
110 ===================================================================
115 in order to represent arguments containing spaces.
117 +Note that the Debian
119 +package sets several options as standard in
120 +.Pa /etc/ssh/sshd_config
121 +which are not the default in
123 +The exact list depends on whether the package was installed fresh or
124 +upgraded from various possible previous versions, but includes at least the
127 +.Bl -bullet -offset indent -compact
131 +.Cm ChallengeResponseAuthentication No no
133 +.Cm X11Forwarding No yes
137 +.Cm AcceptEnv No LANG LC_*
139 +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
145 keywords and their meanings are as follows (note that
146 keywords are case-insensitive and arguments are case-sensitive):
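Review bot: The sentence "The exact list depends on whether the package was installed fresh or upgraded from various possible previous versions" leaves an administrator unable to tell from the man page which of the listed values are actually in effect. This matters most for the security-relevant entries such as `X11Forwarding No yes` and `ChallengeResponseAuthentication No no`. Either mark which items apply to fresh installs only, or add a pointer to check the effective configuration with `sshd -T`. Since the description says these defaults come from debian/openssh-server.postinst, naming that source here or in README.Debian would also help.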