From 2f55b62dd445d59b6e2be515cdaf09eb43d840f9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Sat, 13 Oct 2007 00:13:40 +0000
Subject: [PATCH] - switch from providing our own (severly outdated) configs to patching default configs with our defaults

Changed files:
openssh-config.patch -> 1.1
openssh.conf -> 1.7
opensshd.conf -> 1.21
---
 openssh-config.patch | 106 +++++++++++++++++++++++++++++++++++++++++++
 openssh.conf | 43 ------------------
 opensshd.conf | 105 ------------------------------------------
 3 files changed, 106 insertions(+), 148 deletions(-)
 create mode 100644 openssh-config.patch
 delete mode 100644 openssh.conf
 delete mode 100644 opensshd.conf

diff --git a/openssh-config.patch b/openssh-config.patch
new file mode 100644
index 0000000..911a8d6
--- /dev/null
+++ b/openssh-config.patch
@@ -0,0 +1,106 @@
+--- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200
++++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200
+@@ -11,6 +11,7 @@
+ # default value.
+ 
+ #Port 22
++Protocol 2
+ #Protocol 2,1
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -34,6 +35,7 @@
+ 
+ #LoginGraceTime 2m
+ #PermitRootLogin yes
++PermitRootLogin no
+ #StrictModes yes
+ #MaxAuthTries 6
+ 
+@@ -50,10 +51,13 @@
+ #IgnoreUserKnownHosts no
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
++IgnoreRhosts yes
+ 
+ # To disable tunneled clear text passwords, change to no here!
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
++PasswordAuthentication yes
++PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+ #ChallengeResponseAuthentication yes
+@@ -66,6 +67,8 @@
+ # GSSAPI options
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
++GSSAPIAuthentication yes
++GSSAPICleanupCredentials yes
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+@@ -78,8 +79,16 @@
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+ #UsePAM no
++UsePAM yes
++
++# Set this to 'yes' to enable support for chrooted user environment.
++# You must create such environment before you can use this feature.
++#UseChroot yes
+ 
+ #AllowTcpForwarding yes
++# Security advisory:
++# http://securitytracker.com/alerts/2004/Sep/1011143.html
++AllowTcpForwarding no
+ #GatewayPorts no
+ #X11Forwarding no
+ #X11DisplayOffset 10
+@@ -106,6 +109,9 @@
+ # no default banner path
+ #Banner /some/path
+ 
++# Accept locale-related environment variables
++AcceptEnv LANG LC_*
++
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+ 
+--- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200
++++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200
+@@ -20,12 +20,15 @@
+ # Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted yes
+ # RhostsRSAAuthentication no
+ # RSAAuthentication yes
+ # PasswordAuthentication yes
+ # HostbasedAuthentication no
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
++# GSSAPIKeyExchange no
++# GSSAPITrustDNS no
+ # BatchMode no
+ # CheckHostIP yes
+ # AddressFamily any
+@@ -42,3 +45,19 @@
+ # Tunnel no
+ # TunnelDevice any:any
+ # PermitLocalCommand no
++
++Host *
++ GSSAPIAuthentication yes
++ GSSAPIDelegateCredentials no
++ ForwardAgent no
++ ForwardX11 no
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 display. As virtually no X11 client supports the untrusted
++# mode correctly we set this to yes.
++ ForwardX11Trusted yes
++ StrictHostKeyChecking no
++ ServerAliveInterval 60
++ ServerAliveCountMax 10
++ TCPKeepAlive no
++# Send locale-related environment variables
++ SendEnv LANG LC_*
diff --git a/openssh.conf b/openssh.conf
deleted file mode 100644
index 97962fb..0000000
--- a/openssh.conf
+++ /dev/null
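Review bot: `StrictHostKeyChecking no` in the new system-wide `Host *` block of the ssh_config part (the `@@ -42,3 +45,19 @@` hunk inside the added patch file) disables the host-key prompt for every user by default, so keys of hosts not yet in known_hosts are accepted and recorded without confirmation and the client loses its main protection against a man-in-the-middle on first contact; it is carried over from the openssh.conf this commit deletes, which itself listed `StrictHostKeyChecking ask` as the upstream default. The neighbouring settings (`ForwardAgent no`, `ForwardX11 no`, `GSSAPIDelegateCredentials no`) are conservative, so this reads as an inconsistency rather than a deliberate choice; I would change the line to `StrictHostKeyChecking ask`, or, if automatic acceptance is really wanted for this distribution, keep it and precede it with `# Unknown host keys are accepted without a prompt; this trades first-contact MITM protection for convenience`. Related, `ForwardX11Trusted yes` reverses the `ForwardX11Trusted no` of the replaced file; the added comment gives the usability reason but could also say that it only takes effect when a user enables X11 forwarding, since `ForwardX11 no` is kept.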
@@ -1,43 +0,0 @@
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for various options
-
-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# RhostsAuthentication no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# BatchMode no
-# CheckHostIP yes
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-# EscapeChar ~
-
-# Be paranoid by default
-Host *
- ForwardAgent no
- ForwardX11 no
- ForwardX11Trusted no
- StrictHostKeyChecking no
- ServerAliveInterval 60
- ServerAliveCountMax 10
- TCPKeepAlive no
diff --git a/opensshd.conf b/opensshd.conf
deleted file mode 100644
index c946bc6..0000000
--- a/opensshd.conf
+++ /dev/null
@@ -1,105 +0,0 @@
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-Port 22
-Protocol 2
-#Protocol 2,1
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-#obsoletes QuietMode and FascistLogging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-
-LoginGraceTime 600
-PermitRootLogin no
-StrictModes yes
-
-RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
-PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-#AFSTokenPassing no
-
-# Kerberos TGT Passing only works with the AFS kaserver
-#KerberosTgtPassing no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-# Set this to 'yes' to enable support for chrooted user environment.
-# You must create such environment before you can use this feature.
-#UseChroot yes
-
-X11Forwarding no
-X11DisplayOffset 10
-X11UseLocalhost yes
-PrintMotd yes
-#PrintLastLog yes
-KeepAlive yes
-UseLogin no
-
-# enabling this can cause some problems with for example pam_limit
-UsePrivilegeSeparation no
-
-#Compression yes
-
-#MaxStartups 10
-# no default banner path
-#Banner /some/path
-#VerifyReverseMapping no
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Security advisory:
-# http://securitytracker.com/alerts/2004/Sep/1011143.html
-AllowTcpForwarding no
-- 
2.44.0