forked from pool/openssh
6dac324cb7
- enable support for SSHv1 protocol and discourage its usage (bsc#983307) - enable DSA by default for backward compatibility and discourage its usage (bsc#983784) [openssh-7.2p2-allow_DSS_by_default.patch] - upgrade to 7.2p2 upstream package without any SUSE patches Distilled upstream log: - OpenSSH 6.7 Potentially-incompatible changes: * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features: * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. OBS-URL: https://build.opensuse.org/request/show/407066 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
66 lines
2.3 KiB
Diff
66 lines
2.3 KiB
Diff
# HG changeset patch
|
|
# Parent 48bbbfeff186061b7fd4795bff15f15f571e2c8f
|
|
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
|
# configuration
|
|
# bnc#50836 (was suse #35836)
|
|
Enable Trusted X11 forwarding by default, since the security benefits of
|
|
having it disabled are negligible these days with XI2 being widely used.
|
|
|
|
diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
|
|
--- a/openssh-7.2p2/ssh_config
|
|
+++ b/openssh-7.2p2/ssh_config
|
|
@@ -12,19 +12,30 @@
|
|
# Any configuration value is only changed the first time it is set.
|
|
# Thus, host-specific definitions should be at the beginning of the
|
|
# configuration file, and defaults at the end.
|
|
|
|
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
-# Host *
|
|
+Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
+
|
|
+# If you do not trust your remote host (or its administrator), you
|
|
+# should not forward X11 connections to your local X11-display for
|
|
+# security reasons: Someone stealing the authentification data on the
|
|
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
+# keystrokes as you type, just like any other X11 client could do.
|
|
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
|
+# file if you want to have the remote X11 authentification data to
|
|
+# expire after twenty minutes after remote login.
|
|
+ ForwardX11Trusted yes
|
|
+
|
|
# RhostsRSAAuthentication no
|
|
# RSAAuthentication yes
|
|
# PasswordAuthentication yes
|
|
# HostbasedAuthentication no
|
|
# GSSAPIAuthentication no
|
|
# GSSAPIDelegateCredentials no
|
|
# BatchMode no
|
|
# CheckHostIP yes
|
|
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
|
|
--- a/openssh-7.2p2/sshd_config
|
|
+++ b/openssh-7.2p2/sshd_config
|
|
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
#UsePAM no
|
|
|
|
#AllowAgentForwarding yes
|
|
#AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
-#X11Forwarding no
|
|
+X11Forwarding yes
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
#PrintMotd yes
|
|
#PrintLastLog yes
|
|
#TCPKeepAlive yes
|
|
#UseLogin no
|
|
#UsePrivilegeSeparation sandbox
|