From fanf@dotat.at  Sat Sep 29 00:31:48 2001
Return-Path: <fanf@dotat.at>
Received: from hand.dotat.at (host217-35-26-243.in-addr.btopenworld.com [217.35.26.243])
	by hub.freebsd.org (Postfix) with ESMTP id 2D08937B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 Sep 2001 00:31:47 -0700 (PDT)
Received: from fanf by hand.dotat.at with local (Exim 3.33 #2)
	id 15nEbB-0000Ja-00
	for FreeBSD-gnats-submit@freebsd.org; Sat, 29 Sep 2001 07:31:45 +0000
Message-Id: <E15nEbB-0000Ja-00@hand.dotat.at>
Date: Sat, 29 Sep 2001 07:31:45 +0000
From: Tony Finch <dot@dotat.at>
Reply-To: Tony Finch <dot@dotat.at>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject:
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         30907
>Category:       bin
>Synopsis:       [PATCH] ssh configuration oddities
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 29 00:40:00 PDT 2001
>Closed-Date:    Sun Aug 11 14:52:56 PDT 2002
>Last-Modified:  Sun Aug 11 14:52:56 PDT 2002
>Originator:     Tony Finch
>Release:        FreeBSD 4.4-STABLE-20010916-20010924-20010928 i386
>Organization:
dotat labs
>Environment:
System: FreeBSD hand.dotat.at 4.4-STABLE-20010928 FreeBSD 4.4-STABLE-20010928 #7: Sat Sep 29 00:37:30 GMT 2001 fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/SHARP i386
>Description:

Some of the configuration defaults mentioned in ssh.1 and sshd.8
are incorrect with respect to the code.

There are a few oddities too: the code seems unsure about the difference
between ChallengeResponseAuthentication and KbdInteractiveAuthentication
(which seems to be a partial alias for the former if you use protocol 2);
ssh recognises /etc/ssh/ssh_host_rsa_key but sshd doesn't; the version
addendum option isn't documented.

>How-To-Repeat:
>Fix:

Index: ssh.1
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/ssh.1,v
retrieving revision 1.4.2.8
diff -u -r1.4.2.8 ssh.1
--- ssh.1	2001/09/28 01:33:35	1.4.2.8
+++ ssh.1	2001/09/29 06:16:46
@@ -681,7 +681,7 @@
 .Dq no ,
 the check will not be executed.
 The default is
-.Dq yes .
+.Dq no .
 .It Cm Cipher
 Specifies the cipher to use for encrypting the session
 in protocol version 1.
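Review bot: the option whose default this hunk flips from yes to no is not visible in the context (its .It Cm line sits above the hunk), and the preceding context says that with "no" the check "will not be executed"; before committing a documentation-only change that lowers a documented default for a check, decide explicitly whether the manual page or the code is the side that is wrong, and name the option and the code default you verified against in the commit message, so a later reader can tell that a check being off by default was a deliberate choice rather than a drift between the two.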
@@ -795,7 +795,7 @@
 or
 .Dq no .
 The default is
-.Dq yes .
+.Dq no .
 This option applies to protocol version 2 only and
 is similar to
 .Cm RhostsRSAAuthentication .
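Review bot: this hunk lowers the documented client-side default of the protocol-2 host-based option (the one "similar to .Cm RhostsRSAAuthentication") to no, but the patch touches no matching entry in sshd.8 for the server side of the same mechanism; check that the server-side default is documented correctly as well, since a client page saying "no" beside a server page saying "yes" would be the same kind of client/server disagreement the PR reports for ChallengeResponseAuthentication and KbdInteractiveAuthentication.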
@@ -1099,6 +1099,8 @@
 The argument must be
 .Dq yes
 or
+.Dq no .
+The default is
 .Dq no .
 .It Cm XAuthLocation
 Specifies the location of the
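Review bot: the entry being amended is not identifiable from this hunk alone (only the trailing "yes or no" argument text and the following .It Cm XAuthLocation entry are in context), so the diff does not show which option now documents a "no" default; name the option in the commit message and confirm the value against the code, because adding a stated default that is wrong is worse than the omission the hunk fixes. The inserted lines themselves follow the ".Dq no . / The default is / .Dq no ." pattern of the neighbouring entries, which is correct.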
Index: sshd.8
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd.8,v
retrieving revision 1.5.2.7
diff -u -r1.5.2.7 sshd.8
--- sshd.8	2001/09/28 01:33:35	1.5.2.7
+++ sshd.8	2001/09/29 07:29:45
@@ -785,6 +785,12 @@
 is never used for remote command execution.
 The default is
 .Dq no .
+.It Cm VersionAddendum
+Alters the version string that
+.Nm sshd
+supplies to clients when they connect.
+By default, this string includes the operating system name
+and version information.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
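Review bot: the new VersionAddendum entry says what the option does but, unlike the surrounding entries (".Dq no ." on the line above, "The default is" elsewhere in the page), it never states the option's own default value or how the addendum is joined to the version string; give the default and an example of the resulting banner. Worth a sentence as well: whatever is placed in the addendum is part of the version exchange, which the server sends to every connecting client before any authentication, so administrators should treat it as public information rather than a place for internal identifiers.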
@@ -796,7 +802,7 @@
 .It Cm X11Forwarding
 Specifies whether X11 forwarding is permitted.
 The default is
-.Dq no .
+.Dq yes .
 Note that disabling X11 forwarding does not improve security in any
 way, as users can always install their own forwarders.
 .It Cm XAuthLocation
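Review bot: this hunk raises the documented sshd X11Forwarding default from no to yes, which is the more permissive direction; the PR's premise is that the manual page is wrong with respect to the code, so the commit should verify and state that both the compiled-in default and the sshd_config shipped with FreeBSD really are yes, since administrators who relied on the previously documented "no" may already be running with forwarding enabled without having chosen it. The unchanged context line "disabling X11 forwarding does not improve security in any way" is the rationale the page offers, but the documented default and the shipped configuration still need to agree.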
>Release-Note:
>Audit-Trail:

From: Tony Finch <dot@dotat.at>
To: freebsd-gnats-submit@FreeBSD.org, dot@dotat.at
Cc:  
Subject: Re: bin/30907: [PATCH] ssh configuration oddities
Date: Sat, 29 Sep 2001 07:56:34 +0000

 Some other things I forgot before submitting the PR:
 the ConnectionsPerPeriod option for sshd is still lurking
 around in the source but has no implementation; another
 weirdness about c-r-a and k-i-a is that the defaults
 for them disagree (client-side c-r-a is off and k-i-a
 is on, while server side c-r-a is on and k-i-a is off).
 
 [apologies for the lack of subject line on the PR: I
 broke my copy of send-pr :-( ]
 
 Tony.
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: ru 
Responsible-Changed-When: Sat Sep 29 04:42:09 PDT 2001 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30907 
State-Changed-From-To: open->closed 
State-Changed-By: fanf 
State-Changed-When: Sun Aug 11 14:52:23 PDT 2002 
State-Changed-Why:  
I've gone over this recently and I think it's all correct now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=30907 
>Unformatted:
