--- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200 +++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200 @@ -34,6 +35,7 @@ #LoginGraceTime 2m #PermitRootLogin yes +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 @@ -50,10 +51,13 @@ #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes +IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no +PasswordAuthentication yes +PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes @@ -66,6 +67,8 @@ # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +GSSAPIAuthentication yes +GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -89,10 +89,12 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes -#AllowTcpForwarding yes +# Security advisory: +# http://securitytracker.com/alerts/2004/Sep/1011143.html +AllowTcpForwarding no #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 @@ -106,6 +109,9 @@ # no default banner path #Banner /some/path +# Accept locale-related environment variables, also accept some GIT vars +AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL + # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server @@ -119,6 +130,10 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +# Uncomment this if you want to use .local domain +#Host *.local +# CheckHostIP no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no --- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200 +++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200 @@ -20,12 +20,15 @@ # Host * # ForwardAgent no # ForwardX11 no +# ForwardX11Trusted yes # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any @@ -42,3 +45,19 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h + +Host * + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no + ForwardAgent no + ForwardX11 no +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes + StrictHostKeyChecking no + ServerAliveInterval 60 + ServerAliveCountMax 10 + TCPKeepAlive no +# Send locale-related environment variables, also pass some GIT vars + SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL + HashKnownHosts yes