rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
Petr Šabata 81d24c
diff -up openssh/ssh_config.redhat openssh/ssh_config
Petr Šabata 81d24c
--- openssh/ssh_config.redhat	2020-02-11 23:28:35.000000000 +0100
Petr Šabata 81d24c
+++ openssh/ssh_config	2020-02-13 18:13:39.180641839 +0100
Petr Šabata 81d24c
@@ -43,3 +43,10 @@
Petr Šabata 81d24c
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
Petr Šabata 81d24c
 #   RekeyLimit 1G 1h
Petr Šabata 81d24c
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
Petr Šabata 81d24c
+#
Petr Šabata 81d24c
+# This system is following system-wide crypto policy.
Petr Šabata 81d24c
+# To modify the crypto properties (Ciphers, MACs, ...), create a  *.conf
Petr Šabata 81d24c
+#  file under  /etc/ssh/ssh_config.d/  which will be automatically
Petr Šabata 81d24c
+# included below. For more information, see manual page for
Petr Šabata 81d24c
+#  update-crypto-policies(8)  and  ssh_config(5).
Petr Šabata 81d24c
+Include /etc/ssh/ssh_config.d/*.conf
Petr Šabata 81d24c
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
Petr Šabata 81d24c
--- openssh/ssh_config_redhat.redhat	2020-02-13 18:13:39.180641839 +0100
Petr Šabata 81d24c
+++ openssh/ssh_config_redhat	2020-02-13 18:13:39.180641839 +0100
Dmitry Belyavskiy 6e19d4
@@ -0,0 +1,15 @@
Petr Šabata 81d24c
+# The options here are in the "Match final block" to be applied as the last
Petr Šabata 81d24c
+# options and could be potentially overwritten by the user configuration
Petr Šabata 81d24c
+Match final all
Petr Šabata 81d24c
+	# Follow system-wide Crypto Policy, if defined:
Petr Šabata 81d24c
+	Include /etc/crypto-policies/back-ends/openssh.config
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+	GSSAPIAuthentication yes
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+# If this option is set to yes then remote X11 clients will have full access
Petr Šabata 81d24c
+# to the original X11 display. As virtually no X11 client supports the untrusted
Petr Šabata 81d24c
+# mode correctly we set this to yes.
Petr Šabata 81d24c
+	ForwardX11Trusted yes
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+# Uncomment this if you want to use .local domain
Petr Šabata 81d24c
+# Host *.local
Petr Šabata 81d24c
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
Petr Šabata 81d24c
--- openssh/sshd_config.0.redhat	2020-02-12 14:30:04.000000000 +0100
Petr Šabata 81d24c
+++ openssh/sshd_config.0	2020-02-13 18:13:39.181641855 +0100
Petr Šabata 81d24c
@@ -970,9 +970,9 @@ DESCRIPTION
Petr Šabata 81d24c
 
Petr Šabata 81d24c
      SyslogFacility
Petr Šabata 81d24c
              Gives the facility code that is used when logging messages from
Petr Šabata 81d24c
-             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
Petr Šabata 81d24c
-             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
Petr Šabata 81d24c
-             default is AUTH.
Petr Šabata 81d24c
+             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
Petr Šabata 81d24c
+             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
Petr Šabata 81d24c
+             The default is AUTH.
Petr Šabata 81d24c
 
Petr Šabata 81d24c
      TCPKeepAlive
Petr Šabata 81d24c
              Specifies whether the system should send TCP keepalive messages
Petr Šabata 81d24c
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
Petr Šabata 81d24c
--- openssh/sshd_config.5.redhat	2020-02-11 23:28:35.000000000 +0100
Petr Šabata 81d24c
+++ openssh/sshd_config.5	2020-02-13 18:13:39.181641855 +0100
Petr Šabata 81d24c
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
Petr Šabata 81d24c
 .It Cm SyslogFacility
Petr Šabata 81d24c
 Gives the facility code that is used when logging messages from
Petr Šabata 81d24c
 .Xr sshd 8 .
Petr Šabata 81d24c
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
Petr Šabata 81d24c
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
Petr Šabata 81d24c
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
Petr Šabata 81d24c
 The default is AUTH.
Petr Šabata 81d24c
 .It Cm TCPKeepAlive
Petr Šabata 81d24c
diff -up openssh/sshd_config.redhat openssh/sshd_config
Petr Šabata 81d24c
--- openssh/sshd_config.redhat	2020-02-11 23:28:35.000000000 +0100
Petr Šabata 81d24c
+++ openssh/sshd_config	2020-02-13 18:20:16.349913681 +0100
Petr Šabata 81d24c
@@ -10,6 +10,14 @@
Petr Šabata 81d24c
 # possible, but leave them commented.  Uncommented options override the
Petr Šabata 81d24c
 # default value.
Petr Šabata 81d24c
Petr Šabata 81d24c
+# To modify the system-wide sshd configuration, create a  *.conf  file under
Petr Šabata 81d24c
+#  /etc/ssh/sshd_config.d/  which will be automatically included below
Petr Šabata 81d24c
+Include /etc/ssh/sshd_config.d/*.conf
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+# If you want to change the port on a SELinux system, you have to tell
Petr Šabata 81d24c
+# SELinux about this change.
Petr Šabata 81d24c
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Petr Šabata 81d24c
+#
Petr Šabata 81d24c
 #Port 22
Petr Šabata 81d24c
 #AddressFamily any
Petr Šabata 81d24c
 #ListenAddress 0.0.0.0
Petr Šabata 81d24c
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
Petr Šabata 81d24c
--- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
Petr Šabata 81d24c
+++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
Dmitry Belyavskiy 6e19d4
@@ -0,0 +1,22 @@
Petr Šabata 81d24c
+# This system is following system-wide crypto policy. The changes to
Petr Šabata 81d24c
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
Petr Šabata 81d24c
+# this or following included files. To override some configuration option,
Petr Šabata 81d24c
+# write it before this block or include it before this file.
Petr Šabata 81d24c
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Petr Šabata 81d24c
+Include /etc/crypto-policies/back-ends/opensshserver.config
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+SyslogFacility AUTHPRIV
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+ChallengeResponseAuthentication no
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+GSSAPIAuthentication yes
Petr Šabata 81d24c
+GSSAPICleanupCredentials no
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+UsePAM yes
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+X11Forwarding yes
Petr Šabata 81d24c
+
Petr Šabata 81d24c
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
Petr Šabata 81d24c
+# as it is more configurable and versatile than the built-in version.
Petr Šabata 81d24c
+PrintMotd no
Petr Šabata 81d24c
+