From 95609eb93da9cb411d7ae1d7d9abeba219fdf463 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Wed, 6 Apr 2016 07:25:01 +0200 Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run --- config-archive/etc/ssh/ssh_config | 16 +- config-archive/etc/ssh/ssh_config.1 | 4 +- config-archive/etc/ssh/ssh_config.2 | 6 +- config-archive/etc/ssh/ssh_config.3 | 58 +++++++ config-archive/etc/ssh/ssh_config.dist | 6 +- config-archive/etc/ssh/sshd_config | 3 +- config-archive/etc/ssh/sshd_config.1 | 7 +- config-archive/etc/ssh/sshd_config.2 | 87 +++-------- config-archive/etc/ssh/sshd_config.3 | 7 +- config-archive/etc/ssh/sshd_config.4 | 26 +++- config-archive/etc/ssh/sshd_config.5 | 12 +- config-archive/etc/ssh/sshd_config.6 | 18 +-- config-archive/etc/ssh/sshd_config.7 | 20 ++- config-archive/etc/ssh/sshd_config.8 | 199 ++++++++++++++++++++++++ config-archive/etc/ssh/sshd_config.dist | 18 +-- cups/subscriptions.conf | 16 +- ssh/ssh_config | 6 +- ssh/sshd_config | 18 +-- 18 files changed, 368 insertions(+), 159 deletions(-) create mode 100644 config-archive/etc/ssh/ssh_config.3 create mode 100644 config-archive/etc/ssh/sshd_config.8 diff --git a/config-archive/etc/ssh/ssh_config b/config-archive/etc/ssh/ssh_config index 9bec822b..506a0c37 100644 --- a/config-archive/etc/ssh/ssh_config +++ b/config-archive/etc/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -30,7 +30,8 @@ Host * # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes -# AddressFamily any + AddressFamily any +# AddressFamily inet # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity @@ -42,17 +43,6 @@ Host * # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ -# AllowedCertPurpose sslserver -# MandatoryCRL no -# CACertificateFile /etc/ssh/ca/ca-bundle.crt -# CACertificatePath /etc/ssh/ca/crt -# CARevocationFile /etc/ssh/ca/ca-bundle.crl -# CARevocationPath /etc/ssh/ca/crl -# UserCACertificateFile ~/.ssh/ca-bundle.crt -# UserCACertificatePath ~/.ssh/crt -# UserCARevocationFile ~/.ssh/ca-bundle.crl -# UserCARevocationPath ~/.ssh/crl -# VAType none # Tunnel no # TunnelDevice any:any # PermitLocalCommand no diff --git a/config-archive/etc/ssh/ssh_config.1 b/config-archive/etc/ssh/ssh_config.1 index 2c541179..9bec822b 100644 --- a/config-archive/etc/ssh/ssh_config.1 +++ b/config-archive/etc/ssh/ssh_config.1 @@ -58,5 +58,7 @@ Host * # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h -# SendEnv LANG LC_* +# Send locale environment variables #367017 +#SendEnv LANG LC_* diff --git a/config-archive/etc/ssh/ssh_config.2 b/config-archive/etc/ssh/ssh_config.2 index cc30b7b7..2c541179 100644 --- a/config-archive/etc/ssh/ssh_config.2 +++ b/config-archive/etc/ssh/ssh_config.2 @@ -17,7 +17,9 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -# Host * +Host * +# ForwardAgent no +# ForwardX11 no ForwardAgent yes ForwardX11 yes # RhostsRSAAuthentication no @@ -56,3 +58,5 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com + +# SendEnv LANG LC_* diff --git a/config-archive/etc/ssh/ssh_config.3 b/config-archive/etc/ssh/ssh_config.3 new file mode 100644 index 00000000..cc30b7b7 --- /dev/null +++ b/config-archive/etc/ssh/ssh_config.3 @@ -0,0 +1,58 @@ +# $OpenBSD$ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * + ForwardAgent yes + ForwardX11 yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# AllowedCertPurpose sslserver +# MandatoryCRL no +# CACertificateFile /etc/ssh/ca/ca-bundle.crt +# CACertificatePath /etc/ssh/ca/crt +# CARevocationFile /etc/ssh/ca/ca-bundle.crl +# CARevocationPath /etc/ssh/ca/crl +# UserCACertificateFile ~/.ssh/ca-bundle.crt +# UserCACertificatePath ~/.ssh/crt +# UserCARevocationFile ~/.ssh/ca-bundle.crl +# UserCARevocationPath ~/.ssh/crl +# VAType none +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/config-archive/etc/ssh/ssh_config.dist b/config-archive/etc/ssh/ssh_config.dist index 42874fe9..0f76947f 100644 --- a/config-archive/etc/ssh/ssh_config.dist +++ b/config-archive/etc/ssh/ssh_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -34,8 +34,10 @@ # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 +# Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index 9c2183fd..4db817fc 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -42,6 +42,7 @@ #LoginGraceTime 2m #PermitRootLogin no +#PermitRootLogin prohibit-password PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 index f6717754..9c2183fd 100644 --- a/config-archive/etc/ssh/sshd_config.1 +++ b/config-archive/etc/ssh/sshd_config.1 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ +# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -85,7 +85,6 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -114,8 +113,8 @@ UsePrivilegeSeparation sandbox # Default for new installations. #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid +#UseDNS no +#PidFile /run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none diff --git a/config-archive/etc/ssh/sshd_config.2 b/config-archive/etc/ssh/sshd_config.2 index 7bbd37f7..f6717754 100644 --- a/config-archive/etc/ssh/sshd_config.2 +++ b/config-archive/etc/ssh/sshd_config.2 @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -26,72 +26,6 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. -# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -137,7 +71,6 @@ PermitRootLogin yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no -#PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -194,13 +127,29 @@ UsePrivilegeSeparation sandbox # Default for new installations. # Allow client to pass locale environment variables AcceptEnv LANG LC_* +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes - + # disable hpn performance boosts #HPNDisabled no diff --git a/config-archive/etc/ssh/sshd_config.3 b/config-archive/etc/ssh/sshd_config.3 index 75517570..7bbd37f7 100644 --- a/config-archive/etc/ssh/sshd_config.3 +++ b/config-archive/etc/ssh/sshd_config.3 @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! @@ -153,8 +154,8 @@ PasswordAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -170,6 +171,7 @@ UsePAM yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no #TCPKeepAlive yes @@ -213,6 +215,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/config-archive/etc/ssh/sshd_config.4 b/config-archive/etc/ssh/sshd_config.4 index fac258de..75517570 100644 --- a/config-archive/etc/ssh/sshd_config.4 +++ b/config-archive/etc/ssh/sshd_config.4 @@ -27,8 +27,8 @@ # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # "key type names" for X.509 certificates with DSA key # Note first defined is used in signature operations! @@ -95,6 +95,9 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -116,6 +119,11 @@ PermitRootLogin yes # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -166,16 +174,17 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none @@ -190,18 +199,21 @@ Subsystem sftp /usr/lib64/misc/sftp-server # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. +# disable hpn performance boosts #HPNDisabled no # buffer size for hpn to non-hpn connections #HPNBufferSize 2048 +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/config-archive/etc/ssh/sshd_config.5 b/config-archive/etc/ssh/sshd_config.5 index 176bf48d..fac258de 100644 --- a/config-archive/etc/ssh/sshd_config.5 +++ b/config-archive/etc/ssh/sshd_config.5 @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -103,13 +103,17 @@ # Authentication: #LoginGraceTime 2m -PermitRootLogin no +#PermitRootLogin no +PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -139,6 +143,7 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -175,6 +180,9 @@ PrintLastLog no # no default banner path #Banner none +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server diff --git a/config-archive/etc/ssh/sshd_config.6 b/config-archive/etc/ssh/sshd_config.6 index 9f5583ea..176bf48d 100644 --- a/config-archive/etc/ssh/sshd_config.6 +++ b/config-archive/etc/ssh/sshd_config.6 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -175,22 +175,6 @@ PrintLastLog no # no default banner path #Banner none -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server diff --git a/config-archive/etc/ssh/sshd_config.7 b/config-archive/etc/ssh/sshd_config.7 index f3c6c252..9f5583ea 100644 --- a/config-archive/etc/ssh/sshd_config.7 +++ b/config-archive/etc/ssh/sshd_config.7 @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -175,8 +175,24 @@ PrintLastLog no # no default banner path #Banner none +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems -Subsystem sftp /usr/lib/misc/sftp-server +Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels diff --git a/config-archive/etc/ssh/sshd_config.8 b/config-archive/etc/ssh/sshd_config.8 new file mode 100644 index 00000000..f3c6c252 --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.8 @@ -0,0 +1,199 @@ +# $OpenBSD$ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index 1647cbe4..20d455d1 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,7 +107,7 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -141,20 +141,6 @@ UsePrivilegeSeparation sandbox # Default for new installations. # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - - -# allow the use of the none cipher -#NoneEnabled no - # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no diff --git a/cups/subscriptions.conf b/cups/subscriptions.conf index 3c7f0acd..ef7da0de 100644 --- a/cups/subscriptions.conf +++ b/cups/subscriptions.conf @@ -1,12 +1,20 @@ # Subscription configuration file for CUPS v2.0.3 -# Written by cupsd on 2016-04-05 17:09 -NextSubscriptionId 260 - +# Written by cupsd on 2016-04-06 07:23 +NextSubscriptionId 262 + +Events printer-changed +Owner root +LeaseDuration 86400 +Interval 60 +ExpirationTime 1460006606 +NextEventId 1 + + Events all Owner anonymous Recipient dbus:// LeaseDuration 86400 Interval 0 -ExpirationTime 1459955367 +ExpirationTime 1460006606 NextEventId 1 diff --git a/ssh/ssh_config b/ssh/ssh_config index 506a0c37..41a60140 100644 --- a/ssh/ssh_config +++ b/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -37,8 +37,10 @@ Host * # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 +# Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 diff --git a/ssh/sshd_config b/ssh/sshd_config index 4db817fc..bc9f32ba 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -109,7 +109,7 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -146,20 +146,6 @@ AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - - -# allow the use of the none cipher -#NoneEnabled no - # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no -- 2.39.5