X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh-config.patch;h=a4865fdc7b101e274e72ccd7a4e6fbd5cfac700b;hb=8ecc35d44b263032a646174f776163c3a3cc3b37;hp=4aefe885857f6271b35d4a5d7769a004ed46c695;hpb=0fab2cabb21ce97f99ead369144d02cdf315decf;p=packages%2Fopenssh.git
diff --git a/openssh-config.patch b/openssh-config.patch
index 4aefe88..a4865fd 100644
--- a/openssh-config.patch
+++ b/openssh-config.patch
@@ -1,97 +1,92 @@
---- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200
-+++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200
-@@ -34,6 +35,7 @@
+diff -urNp -x '*.orig' openssh-8.8p1.org/ssh_config openssh-8.8p1/ssh_config
+--- openssh-8.8p1.org/ssh_config 2021-09-26 16:03:19.000000000 +0200
++++ openssh-8.8p1/ssh_config 2021-12-09 20:12:26.796586510 +0100
+@@ -20,10 +20,13 @@
+ # Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted no
+ # PasswordAuthentication yes
+ # HostbasedAuthentication no
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
++# GSSAPIKeyExchange no
++# GSSAPITrustDNS no
+ # BatchMode no
+ # CheckHostIP yes
+ # AddressFamily any
+@@ -44,3 +47,18 @@
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+ # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
++
++Host *
++ GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++# ForwardX11Trusted no ++ ServerAliveInterval 60 ++ ServerAliveCountMax 10 ++ TCPKeepAlive no ++ # Allow DSA keys ++# PubkeyAcceptedKeyTypes +ssh-dss ++# HostkeyAlgorithms +ssh-dss ++# Send locale-related environment variables, also pass some GIT vars ++ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL +diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config +--- openssh-8.8p1.org/sshd_config 2021-09-26 16:03:19.000000000 +0200 ++++ openssh-8.8p1/sshd_config 2021-12-09 20:12:26.796586510 +0100 +@@ -29,7 +29,7 @@ + # Authentication: #LoginGraceTime 2m - #PermitRootLogin yes +-#PermitRootLogin prohibit-password +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 - -@@ -50,10 +51,13 @@ - #IgnoreUserKnownHosts no - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes -+IgnoreRhosts yes - - # To disable tunneled clear text passwords, change to no here! + #MaxSessions 10 +@@ -57,6 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords no -+PasswordAuthentication yes -+PermitEmptyPasswords no ++# Allow DSA keys ++## PubkeyAcceptedKeyTypes +ssh-dss ++ # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -@@ -66,6 +67,8 @@ + #KbdInteractiveAuthentication yes + +@@ -69,6 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +GSSAPIAuthentication yes -+GSSAPICleanupCredentials yes - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -89,10 +89,12 @@ + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. 
If this is enabled, PAM authentication will +@@ -79,7 +83,7 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. + # and KbdInteractiveAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes --#AllowTcpForwarding yes -+# Security advisory: -+# http://securitytracker.com/alerts/2004/Sep/1011143.html -+AllowTcpForwarding no - #GatewayPorts no - #X11Forwarding no - #X11DisplayOffset 10 -@@ -106,6 +109,9 @@ + #AllowTcpForwarding yes +@@ -105,9 +109,16 @@ AuthorizedKeysFile .ssh/authorized_keys # no default banner path - #Banner /some/path + #Banner none +# Accept locale-related environment variables, also accept some GIT vars -+AcceptEnv LANG LC_* LANGUAGE TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL ++AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL + # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server ---- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200 -+++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200 -@@ -20,12 +20,15 @@ - # Host * - # ForwardAgent no - # ForwardX11 no -+# ForwardX11Trusted yes - # RhostsRSAAuthentication no - # RSAAuthentication yes - # PasswordAuthentication yes - # HostbasedAuthentication no - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no -+# GSSAPIKeyExchange no -+# GSSAPITrustDNS no - # BatchMode no - # CheckHostIP yes - # AddressFamily any -@@ -42,3 +45,19 @@ - # VisualHostKey no - # ProxyCommand ssh -q -W %h:%p gateway.example.com - # RekeyLimit 1G 1h ++# Uncomment this if you want to use .local domain ++#Host *.local ++# CheckHostIP no + -+Host * -+ GSSAPIAuthentication yes -+ GSSAPIDelegateCredentials no -+ ForwardAgent no -+ ForwardX11 no -+# If this option is set to yes then remote X11 
clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+ StrictHostKeyChecking no
-+ ServerAliveInterval 60
-+ ServerAliveCountMax 10
-+ TCPKeepAlive no
-+# Send locale-related environment variables, also pass some GIT vars
-+ SendEnv LANG LC_* LANGUAGE TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
-+ HashKnownHosts yes
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
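Review bot: The new sshd_config no longer sets `AllowTcpForwarding` at all — the old patch forced `AllowTcpForwarding no` and cited an advisory for it, while the new side keeps only upstream's commented `#AllowTcpForwarding yes`, so the packaged default silently becomes forwarding enabled, and the ssh_config side likewise drops `HashKnownHosts yes` without replacement. If relaxing both is intended, record it next to the setting, e.g. `# AllowTcpForwarding intentionally left at upstream default (yes); older package releases forced "no"`, otherwise restore the two lines so the hardening does not vanish unnoticed in a version bump. Separately, the commented `PubkeyAcceptedKeyTypes +ssh-dss` / `HostkeyAlgorithms +ssh-dss` hints added to both files invite a global re-enable of a 1024-bit, SHA-1-signed key type that upstream disables by default on purpose; a caveat such as `# WARNING: ssh-dss is 1024-bit DSA with SHA-1 signatures and is disabled upstream by default; if a legacy host needs it, enable it in a per-Host block, not under Host *` would keep the hint from being copied verbatim. Dropping the old `StrictHostKeyChecking no` and the forced `ForwardX11Trusted yes` from ssh_config is the right call and needs no further change.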