[packages/openssh.git] / openssh-config.patch

diff -urNp -x '*.orig' openssh-8.4p1.org/ssh_config openssh-8.4p1/ssh_config
--- openssh-8.4p1.org/ssh_config	2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1/ssh_config	2021-03-01 11:30:15.249892693 +0100
@@ -20,10 +20,13 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted no
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
 #   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
@@ -44,3 +47,18 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+
+Host *
+	GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 server. As some X11 clients don't support the untrusted
+# mode correctly, you might consider changing this to 'yes' or using '-Y'.
+#	ForwardX11Trusted no
+	ServerAliveInterval 60
+	ServerAliveCountMax 10
+	TCPKeepAlive no
+	# Allow DSA keys
+#	PubkeyAcceptedKeyTypes +ssh-dss
+#	HostkeyAlgorithms +ssh-dss
+# Send locale-related environment variables, also pass some GIT vars
+	SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
--- openssh-8.4p1.org/sshd_config	2020-09-27 09:25:01.000000000 +0200
+++ openssh-8.4p1/sshd_config	2021-03-01 11:30:15.249892693 +0100
@@ -29,7 +29,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
@@ -57,6 +57,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
+# Allow DSA keys
+## PubkeyAcceptedKeyTypes +ssh-dss
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 
@@ -69,6 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -79,10 +83,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
 
 #AllowAgentForwarding yes
-#AllowTcpForwarding yes
+# Security advisory:
+# http://securitytracker.com/alerts/2004/Sep/1011143.html
+AllowTcpForwarding no
 #GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
@@ -105,9 +111,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # no default banner path
 #Banner none
 
+# Accept locale-related environment variables, also accept some GIT vars
+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
+
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+# Uncomment this if you want to use .local domain
+#Host *.local
+#	CheckHostIP no
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
Commit	Line	Data
7ae7664a AM	1	diff -urNp -x '*.orig' openssh-8.4p1.org/ssh_config openssh-8.4p1/ssh_config
	2	--- openssh-8.4p1.org/ssh_config 2020-09-27 09:25:01.000000000 +0200
	3	+++ openssh-8.4p1/ssh_config 2021-03-01 11:30:15.249892693 +0100
	4	@@ -20,10 +20,13 @@
	5	# Host *
	6	# ForwardAgent no
	7	# ForwardX11 no
	8	+# ForwardX11Trusted no
	9	# PasswordAuthentication yes
	10	# HostbasedAuthentication no
	11	# GSSAPIAuthentication no
	12	# GSSAPIDelegateCredentials no
	13	+# GSSAPIKeyExchange no
	14	+# GSSAPITrustDNS no
	15	# BatchMode no
	16	# CheckHostIP yes
	17	# AddressFamily any
	18	@@ -44,3 +47,18 @@
	19	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	20	# RekeyLimit 1G 1h
	21	# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
	22	+
	23	+Host *
	24	+ GSSAPIAuthentication yes
	25	+# If this option is set to yes then remote X11 clients will have full access
	26	+# to the original X11 server. As some X11 clients don't support the untrusted
	27	+# mode correctly, you might consider changing this to 'yes' or using '-Y'.
	28	+# ForwardX11Trusted no
	29	+ ServerAliveInterval 60
	30	+ ServerAliveCountMax 10
	31	+ TCPKeepAlive no
	32	+ # Allow DSA keys
	33	+# PubkeyAcceptedKeyTypes +ssh-dss
	34	+# HostkeyAlgorithms +ssh-dss
	35	+# Send locale-related environment variables, also pass some GIT vars
	36	+ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
	37	diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
	38	--- openssh-8.4p1.org/sshd_config 2020-09-27 09:25:01.000000000 +0200
	39	+++ openssh-8.4p1/sshd_config 2021-03-01 11:30:15.249892693 +0100
	40	@@ -29,7 +29,7 @@
4c64cbae	41	# Authentication:
2f55b62d JR	42
2f55b62d JR	43	#LoginGraceTime 2m
f9d8b6a7	44	-#PermitRootLogin prohibit-password
2f55b62d JR	45	+PermitRootLogin no
	46	#StrictModes yes
	47	#MaxAuthTries 6
4c64cbae	48	#MaxSessions 10
7ae7664a	49	@@ -57,6 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
2f55b62d JR	50	#PasswordAuthentication yes
2f55b62d JR	51	#PermitEmptyPasswords no
7ae7664a	52
7b7580be	53	+# Allow DSA keys
aeeeb6db	54	+## PubkeyAcceptedKeyTypes +ssh-dss
7ae7664a	55	+
2f55b62d JR	56	# Change to no to disable s/key passwords
2f55b62d JR	57	#ChallengeResponseAuthentication yes
7ae7664a AM	58
7ae7664a AM	59	@@ -69,6 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
2f55b62d JR	60	# GSSAPI options
	61	#GSSAPIAuthentication no
	62	#GSSAPICleanupCredentials yes
	63	+GSSAPIAuthentication yes
2f55b62d	64
7ae7664a AM	65	# Set this to 'yes' to enable PAM authentication, account processing,
	66	# and session processing. If this is enabled, PAM authentication will
	67	@@ -79,10 +83,12 @@ AuthorizedKeysFile .ssh/authorized_keys
fc8529e5	68	# If you just want the PAM account and session checks to run without
2f55b62d JR	69	# PAM authentication, then enable this but set PasswordAuthentication
2f55b62d JR	70	# and ChallengeResponseAuthentication to 'no'.
fc8529e5	71	-#UsePAM no
2f55b62d	72	+UsePAM yes
2f55b62d	73
fc8529e5 AM	74	#AllowAgentForwarding yes
fc8529e5 AM	75	-#AllowTcpForwarding yes
2f55b62d JR	76	+# Security advisory:
	77	+# http://securitytracker.com/alerts/2004/Sep/1011143.html
	78	+AllowTcpForwarding no
	79	#GatewayPorts no
	80	#X11Forwarding no
	81	#X11DisplayOffset 10
7ae7664a	82	@@ -105,9 +111,16 @@ AuthorizedKeysFile .ssh/authorized_keys
2f55b62d	83	# no default banner path
7ae7664a	84	#Banner none
2f55b62d	85
d63b3d02	86	+# Accept locale-related environment variables, also accept some GIT vars
11890360	87	+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
2f55b62d JR	88	+
	89	# override default of no subsystems
	90	Subsystem sftp /usr/libexec/sftp-server
	91
06629a71 ER	92	+# Uncomment this if you want to use .local domain
	93	+#Host *.local
	94	+# CheckHostIP no
	95	+
	96	# Example of overriding settings on a per-user basis
	97	#Match User anoncvs
	98	# X11Forwarding no