1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
|
From a007ad311226e5f9cced98329631dbe15a90246e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_* COLORTERM NO_COLOR' by default
(http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_* COLORTERM NO_COLOR' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
sshd: Document Debian's defaults for SshdAuthPath and SshdSessionPath.
regress: Run tests with 'UsePAM yes', to match sshd_config.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Author: Luca Boccassi <bluca@debian.org>
Forwarded: not-needed
Last-Update: 2025-04-11
Patch-Name: debian-config.patch
---
readconf.c | 2 +-
regress/test-exec.sh | 1 +
ssh.1 | 24 ++++++++++++++++++++++++
ssh_config | 8 +++++++-
ssh_config.5 | 26 +++++++++++++++++++++++++-
sshd_config | 18 ++++++++++++------
sshd_config.5 | 33 +++++++++++++++++++++++++++++++--
7 files changed, 101 insertions(+), 11 deletions(-)
diff --git a/readconf.c b/readconf.c
index c568697cf..82a91cc30 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2897,7 +2897,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
- options->forward_x11_trusted = 0;
+ options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 34fb58fda..a1db94af1 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -622,6 +622,7 @@ cat << EOF > $OBJ/sshd_config
SshdSessionPath $SSHD_SESSION
SshdAuthPath $SSHD_AUTH
PerSourcePenalties no
+ UsePAM yes
EOF
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
diff --git a/ssh.1 b/ssh.1
index 3d849f02c..56bdfa3d9 100644
--- a/ssh.1
+++ b/ssh.1
@@ -873,6 +873,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl x
Disables X11 forwarding.
.Pp
@@ -881,6 +891,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl y
Send log information using the
.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 3ae9025ff..1c528ea65 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
# ForwardAgent no
# ForwardX11 no
+# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -45,3 +48,6 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+ SendEnv LANG LC_* COLORTERM NO_COLOR
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index 9e3ebac9b..20fee59fb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
+.Cm SendEnv No LANG LC_* COLORTERM NO_COLOR
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
@@ -941,11 +964,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
+(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
-(the default),
+(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
diff --git a/sshd_config b/sshd_config
index 6ddae0370..01e8d9098 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+Include /etc/ssh/sshd_config.d/*.conf
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -57,10 +59,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to "no" to disable keyboard-interactive authentication. Depending on
+# Change to "yes" to enable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
-#KbdInteractiveAuthentication yes
+# Beware issues with some PAM modules and threads.
+KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -83,16 +86,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
+PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
@@ -109,8 +112,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
+# Allow client to pass locale and color environment variables
+AcceptEnv LANG LC_* COLORTERM NO_COLOR
+
# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index c8b364139..40728dfaf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
+.Cm KbdInteractiveAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_* COLORTERM NO_COLOR
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
@@ -1888,14 +1917,14 @@ Overrides the default path to the
.Cm sshd-auth
binary that is invoked to complete user authentication.
The default is
-.Pa /usr/libexec/sshd-auth .
+.Pa /usr/lib/openssh/sshd-auth .
This option is intended for use by tests.
.It Cm SshdSessionPath
Overrides the default path to the
.Cm sshd-session
binary that is invoked to handle each connection.
The default is
-.Pa /usr/libexec/sshd-session .
+.Pa /usr/lib/openssh/sshd-session .
This option is intended for use by tests.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
|
