[packages/openssh.git] / openssh-config.patch

--- openssh-4.6p1/sshd_config~	2007-10-13 01:37:17.000000000 +0200
+++ openssh-4.6p1/sshd_config	2007-10-13 01:47:12.000000000 +0200
@@ -41,7 +41,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin no
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
@@ -50,10 +51,13 @@
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
+IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
+PasswordAuthentication yes
+PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
@@ -66,6 +67,8 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -89,10 +89,12 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
 
 #AllowAgentForwarding yes
-#AllowTcpForwarding yes
+# Security advisory:
+# http://securitytracker.com/alerts/2004/Sep/1011143.html
+AllowTcpForwarding no
 #GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
@@ -106,6 +109,9 @@
 # no default banner path
 #Banner /some/path
 
+# Accept locale-related environment variables, also accept some GIT vars
+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
+
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
@@ -119,6 +130,10 @@
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+# Uncomment this if you want to use .local domain
+#Host *.local
+#	CheckHostIP no
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
--- openssh-4.6p1/ssh_config~	2006-06-13 05:01:10.000000000 +0200
+++ openssh-4.6p1/ssh_config	2007-10-13 02:00:16.000000000 +0200
@@ -20,12 +20,15 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
 #   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
@@ -42,3 +45,19 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+
+Host *
+	GSSAPIAuthentication yes
+	GSSAPIDelegateCredentials no
+	ForwardAgent no
+	ForwardX11 no
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+	ForwardX11Trusted yes
+	StrictHostKeyChecking no
+	ServerAliveInterval 60
+	ServerAliveCountMax 10
+	TCPKeepAlive no
+# Send locale-related environment variables, also pass some GIT vars
+	SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
+	HashKnownHosts yes
Commit	Line	Data
2f55b62d JR	1	--- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200
2f55b62d JR	2	+++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200
4c64cbae AM	3	@@ -41,7 +41,7 @@
4c64cbae AM	4	# Authentication:
2f55b62d JR	5
2f55b62d JR	6	#LoginGraceTime 2m
4c64cbae	7	-#PermitRootLogin no
2f55b62d JR	8	+PermitRootLogin no
	9	#StrictModes yes
	10	#MaxAuthTries 6
4c64cbae	11	#MaxSessions 10
2f55b62d JR	12	@@ -50,10 +51,13 @@
	13	#IgnoreUserKnownHosts no
	14	# Don't read the user's ~/.rhosts and ~/.shosts files
	15	#IgnoreRhosts yes
	16	+IgnoreRhosts yes
	17
	18	# To disable tunneled clear text passwords, change to no here!
	19	#PasswordAuthentication yes
	20	#PermitEmptyPasswords no
	21	+PasswordAuthentication yes
	22	+PermitEmptyPasswords no
	23
	24	# Change to no to disable s/key passwords
	25	#ChallengeResponseAuthentication yes
	26	@@ -66,6 +67,8 @@
	27	# GSSAPI options
	28	#GSSAPIAuthentication no
	29	#GSSAPICleanupCredentials yes
	30	+GSSAPIAuthentication yes
	31	+GSSAPICleanupCredentials yes
	32
	33	# Set this to 'yes' to enable PAM authentication, account processing,
	34	# and session processing. If this is enabled, PAM authentication will
fc8529e5 AM	35	@@ -89,10 +89,12 @@
fc8529e5 AM	36	# If you just want the PAM account and session checks to run without
2f55b62d JR	37	# PAM authentication, then enable this but set PasswordAuthentication
2f55b62d JR	38	# and ChallengeResponseAuthentication to 'no'.
fc8529e5	39	-#UsePAM no
2f55b62d	40	+UsePAM yes
2f55b62d	41
fc8529e5 AM	42	#AllowAgentForwarding yes
fc8529e5 AM	43	-#AllowTcpForwarding yes
2f55b62d JR	44	+# Security advisory:
	45	+# http://securitytracker.com/alerts/2004/Sep/1011143.html
	46	+AllowTcpForwarding no
	47	#GatewayPorts no
	48	#X11Forwarding no
	49	#X11DisplayOffset 10
	50	@@ -106,6 +109,9 @@
	51	# no default banner path
	52	#Banner /some/path
	53
d63b3d02	54	+# Accept locale-related environment variables, also accept some GIT vars
11890360	55	+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
2f55b62d JR	56	+
	57	# override default of no subsystems
	58	Subsystem sftp /usr/libexec/sftp-server
	59
06629a71 ER	60	@@ -119,6 +130,10 @@
	61	# override default of no subsystems
	62	Subsystem sftp /usr/libexec/sftp-server
	63
	64	+# Uncomment this if you want to use .local domain
	65	+#Host *.local
	66	+# CheckHostIP no
	67	+
	68	# Example of overriding settings on a per-user basis
	69	#Match User anoncvs
	70	# X11Forwarding no
2f55b62d JR	71	--- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200
	72	+++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200
	73	@@ -20,12 +20,15 @@
	74	# Host *
	75	# ForwardAgent no
	76	# ForwardX11 no
	77	+# ForwardX11Trusted yes
	78	# RhostsRSAAuthentication no
	79	# RSAAuthentication yes
	80	# PasswordAuthentication yes
	81	# HostbasedAuthentication no
	82	# GSSAPIAuthentication no
	83	# GSSAPIDelegateCredentials no
	84	+# GSSAPIKeyExchange no
	85	+# GSSAPITrustDNS no
	86	# BatchMode no
	87	# CheckHostIP yes
	88	# AddressFamily any
	89	@@ -42,3 +45,19 @@
cf9d1078	90	# VisualHostKey no
08811ee8	91	# ProxyCommand ssh -q -W %h:%p gateway.example.com
0fab2cab	92	# RekeyLimit 1G 1h
2f55b62d JR	93	+
	94	+Host *
	95	+ GSSAPIAuthentication yes
	96	+ GSSAPIDelegateCredentials no
	97	+ ForwardAgent no
	98	+ ForwardX11 no
	99	+# If this option is set to yes then remote X11 clients will have full access
	100	+# to the original X11 display. As virtually no X11 client supports the untrusted
	101	+# mode correctly we set this to yes.
	102	+ ForwardX11Trusted yes
	103	+ StrictHostKeyChecking no
	104	+ ServerAliveInterval 60
	105	+ ServerAliveCountMax 10
	106	+ TCPKeepAlive no
d63b3d02	107	+# Send locale-related environment variables, also pass some GIT vars
11890360	108	+ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
3e8be83d	109	+ HashKnownHosts yes