| diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config |
| |
| |
| @@ -44,3 +44,8 @@ |
| # VisualHostKey no |
| # ProxyCommand ssh -q -W %h:%p gateway.example.com |
| # RekeyLimit 1G 1h |
| +# |
| +# This system is following system-wide crypto policy. |
| +# To modify the system-wide ssh configuration, create a *.conf file under |
| +# /etc/ssh/ssh_config.d/ which will be automatically included below |
| +Include /etc/ssh/ssh_config.d/*.conf |
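Review bot: The Include on the last added line lets drop-ins under /etc/ssh/ssh_config.d/ set only options that nothing earlier in this file has already set, because ssh(1) keeps the first value it obtains for each parameter; this works here only because every preceding line is commented out, and the comment above it does not say so. Suggest extending the comment: `# Note: ssh(1) uses the first value read for each option, so any directive uncommented above this line takes precedence over the drop-in files.` If the intent is for drop-ins to win unconditionally, the Include belongs at the top of the file instead.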
| diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat |
| |
| |
| @@ -0,0 +1,21 @@ |
| +# The options here are in the "Match final block" to be applied as the last |
| +# options and could be potentially overwritten by the user configuration |
| +Match final all |
| + # Follow system-wide Crypto Policy, if defined: |
| + Include /etc/crypto-policies/back-ends/openssh.config |
| + |
| + GSSAPIAuthentication yes |
| + |
| +# If this option is set to yes then remote X11 clients will have full access |
| +# to the original X11 display. As virtually no X11 client supports the untrusted |
| +# mode correctly we set this to yes. |
| + ForwardX11Trusted yes |
| + |
| +# Send locale-related environment variables |
| + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES |
| + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT |
| + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE |
| + SendEnv XMODIFIERS |
| + |
| +# Uncomment this if you want to use .local domain |
| +# Host *.local |
| +# CheckHostIP no |
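Review bot: `Match final all` on the third added line depends on the `final` Match criterion, which the upstream OpenSSH 7.7p1 tree these paths name does not recognise (it arrived in a later upstream release); unless this build carries a backport, ssh(1) aborts on an unsupported Match attribute and every client invocation fails. Worth confirming the backport is applied in the same build, and stating the dependency in the header comment, e.g. `# Requires the "Match final" keyword (backported in this package).` The header could also say how this file reaches ssh(1); presumably it is installed as a drop-in picked up by the Include added in the ssh_config hunk, but the install path is not visible in this patch, so that should be checked against the spec file before documenting it.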
| diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0 |
| |
| |
| @@ -872,9 +872,9 @@ DESCRIPTION |
| |
| SyslogFacility |
| Gives the facility code that is used when logging messages from |
| - sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, |
| - LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
| - default is AUTH. |
| + sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, |
| + LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
| + The default is AUTH. |
| |
| TCPKeepAlive |
| Specifies whether the system should send TCP keepalive messages |
| diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5 |
| |
| |
| @@ -1461,7 +1461,7 @@ By default no subsystems are defined. |
| .It Cm SyslogFacility |
| Gives the facility code that is used when logging messages from |
| .Xr sshd 8 . |
| -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
| +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, |
| LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
| The default is AUTH. |
| .It Cm TCPKeepAlive |
| diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config |
| |
| |
| @@ -10,20 +10,31 @@ |
| # possible, but leave them commented. Uncommented options override the |
| # default value. |
| |
| +# If you want to change the port on a SELinux system, you have to tell |
| +# SELinux about this change. |
| +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER |
| +# |
| #Port 22 |
| #AddressFamily any |
| #ListenAddress 0.0.0.0 |
| #ListenAddress :: |
| |
| -#HostKey /etc/ssh/ssh_host_rsa_key |
| -#HostKey /etc/ssh/ssh_host_ecdsa_key |
| -#HostKey /etc/ssh/ssh_host_ed25519_key |
| +HostKey /etc/ssh/ssh_host_rsa_key |
| +HostKey /etc/ssh/ssh_host_ecdsa_key |
| +HostKey /etc/ssh/ssh_host_ed25519_key |
| |
| # Ciphers and keying |
| #RekeyLimit default none |
| |
| +# This system is following system-wide crypto policy. The changes to |
| +# crypto properties (Ciphers, MACs, ...) will not have any effect here. |
| +# They will be overridden by command-line options passed to the server |
| +# on command line. |
| +# Please, check manual pages for update-crypto-policies(8) and sshd_config(5). |
| + |
| # Logging |
| #SyslogFacility AUTH |
| +SyslogFacility AUTHPRIV |
| #LogLevel INFO |
| |
| # Authentication: |
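Review bot: The crypto-policy comment (the block beginning `# This system is following system-wide crypto policy`) tells the admin that Ciphers and MACs set here are ignored but not where the effective values come from, and its last sentence repeats itself (`command-line options passed to the server on command line`). Suggest: `# Ciphers, MACs, KexAlgorithms etc. set here are overridden by the crypto-policy options the service unit passes to sshd on its command line; see update-crypto-policies(8) and sshd_config(5).` The mechanism that supplies those options is not part of this patch, so the wording should be checked against the unit or environment file actually shipped.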
| @@ -56,9 +70,11 @@ AuthorizedKeysFile .ssh/authorized_keys |
| # To disable tunneled clear text passwords, change to no here! |
| #PasswordAuthentication yes |
| #PermitEmptyPasswords no |
| +PasswordAuthentication yes |
| |
| # Change to no to disable s/key passwords |
| #ChallengeResponseAuthentication yes |
| +ChallengeResponseAuthentication no |
| |
| # Kerberos options |
| #KerberosAuthentication no |
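Review bot: `PasswordAuthentication yes` is added two lines below the instruction `To disable tunneled clear text passwords, change to no here!`, which still points at the commented-out `#PasswordAuthentication yes` example; an admin who edits that example line is silently overridden by the live directive beneath it. Move the live line directly under the comment and drop the now-misleading example, or append to the comment `(edit the uncommented line below, not this example)`. The same pattern applies to `ChallengeResponseAuthentication no` placed under `#ChallengeResponseAuthentication yes`.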
| @@ -67,8 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
| #KerberosGetAFSToken no |
| |
| # GSSAPI options |
| -#GSSAPIAuthentication no |
| -#GSSAPICleanupCredentials yes |
| +GSSAPIAuthentication yes |
| +GSSAPICleanupCredentials no |
| |
| # Set this to 'yes' to enable PAM authentication, account processing, |
| # and session processing. If this is enabled, PAM authentication will |
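Review bot: `GSSAPICleanupCredentials no` reverses the upstream default and means delegated Kerberos credentials are left on the host after the session ends instead of being destroyed at logout, yet it carries no comment explaining the choice. Suggest `# Keep delegated GSSAPI credentials after logout (upstream default is yes); review this on shared or multi-user hosts.` `GSSAPIAuthentication yes` likewise changes the upstream default `no` and would benefit from a one-line reason next to it.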
| @@ -79,16 +95,20 @@ AuthorizedKeysFile .ssh/authorized_keys |
| # If you just want the PAM account and session checks to run without |
| # PAM authentication, then enable this but set PasswordAuthentication |
| # and ChallengeResponseAuthentication to 'no'. |
| -#UsePAM no |
| +UsePAM yes |
| |
| #AllowAgentForwarding yes |
| #AllowTcpForwarding yes |
| #GatewayPorts no |
| -#X11Forwarding no |
| +X11Forwarding yes |
| #X11DisplayOffset 10 |
| #X11UseLocalhost yes |
| #PermitTTY yes |
| -#PrintMotd yes |
| + |
| +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, |
| +# as it is more configurable and versatile than the built-in version. |
| +PrintMotd no |
| + |
| #PrintLastLog yes |
| #TCPKeepAlive yes |
| #PermitUserEnvironment no |
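Review bot: `X11Forwarding yes` flips the upstream default `no` without a comment, while the neighbouring `PrintMotd no` change explains its rationale; the two should match. Suggest `# Enabled for workstation use: processes on this host may then reach the connecting user's X display, subject to the client's ForwardX11/ForwardX11Trusted settings, and turning it off here does not stop users from running their own forwarders (sshd_config(5)).` `UsePAM yes` is already covered by the comment block above it.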
| @@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys |
| # no default banner path |
| #Banner none |
| |
| +# Accept locale-related environment variables |
| +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES |
| +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT |
| +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE |
| +AcceptEnv XMODIFIERS |
| + |
| # override default of no subsystems |
| Subsystem sftp /usr/libexec/sftp-server |
| |
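Review bot: The AcceptEnv list duplicates the SendEnv list added in ssh_config_redhat verbatim, but nothing says the two are meant to stay in sync, so a variable added on one side will be silently dropped by the other. Suggest `# Must match the SendEnv list in the client configuration (ssh_config_redhat).` sshd_config(5) also cautions that accepting client environment variables can let some of them bypass restricted user environments; the locale set here is the conventional safe subset, which the comment could state so that later additions are weighed rather than appended.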