From: Peter Wemm
To: Mark Murray
Cc: Robert Watson, Mark Murray, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/crypto/openssh auth-krb5.c auth-krb4.c
 auth-passwd.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh.h
 sshconnect.c sshd.8 sshd.c
In-Reply-To: Message from Mark Murray of "Mon, 28 Feb 2000 23:15:34 +0200."
 <200002282115.XAA71246@grimreaper.grondar.za>
Date: Tue, 29 Feb 2000 13:00:55 +0800
Message-Id: <20000229050055.4E5441CE2@overcee.netplex.com.au>

Mark Murray wrote:
> > Unrelated to the commit I replied to, but could you verify that SSH X11
> > forwarding is disabled in the client by default? I just had the
> > opportunity to toast Theo on bugtraq for making misleading statements
> > about that setting on the OpenBSD side... :-) You might want to reenable
> > forwarding on the server, unless you know of a specific security risk to
> > the server associated with that (I don't offhand, but it doesn't
> > mean one doesn't exist).
>
> At the moment, X11 forwarding is ON. I saw a convincing argument
> on bugtraq today for turning it off.

Yes, but the risk is to the ssh *client*, not the server. The client
should have it off by default, not the server. It doesn't matter to sshd
in the slightest if it's on or not as it's just shuffling bytes around.
The client however is the only one that can make a judgement call about
whether to trust a server.

For example, you might like to have x11 forwarding on locally but not
remotely, and have that under ssh_config control.

Cheers,
-Peter
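
The per-host `ssh_config` control described in the message above, as an added example that is not part of the original message: a simplified Python resolver (Host blocks only, no Match or Include handling) that reports which `ForwardX11` value applies to a given host name. The sample configuration and host names are constructed, and the `no` fallback is an assumption matching the client default documented for current OpenSSH.

```python
import fnmatch

# Constructed sample client config (not from the original message).
SAMPLE_SSH_CONFIG = """\
# Trusted local machines: forwarding on, except one guest box.
Host *.lan.example.org !guest.lan.example.org
    ForwardX11 yes

# Everything else: forwarding off.
Host *
    ForwardX11 no
"""


def host_line_matches(patterns, hostname):
    """A Host line matches if a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive


def effective_forward_x11(config_text, hostname, default="no"):
    """Return the ForwardX11 value that applies to hostname (as typed to ssh).

    ssh_config uses the first value obtained for each option, so the scan
    stops at the first applicable ForwardX11 line.
    """
    applies = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        keyword, args = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            applies = host_line_matches(args.lower().split(), hostname.lower())
        elif keyword == "forwardx11" and applies:
            return args.lower()
    return default
```

Because the first matching value wins, a `Host *` block that turns forwarding off only acts as a default when it comes after the more specific blocks.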