Date: Tue, 29 Feb 2000 13:00:55 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Mark Murray <mark@grondar.za>
Cc: Robert Watson <robert+freebsd@cyrus.watson.org>, Mark Murray <markm@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/crypto/openssh auth-krb5.c auth-krb4.c auth-passwd.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.8 sshd.c
Message-ID: <20000229050055.4E5441CE2@overcee.netplex.com.au>
In-Reply-To: Message from Mark Murray <mark@grondar.za> of "Mon, 28 Feb 2000 23:15:34 +0200." <200002282115.XAA71246@grimreaper.grondar.za>

Mark Murray wrote:
> > Unrelated to the commit I replied to, but could you verify that SSH X11
> > forwarding is disabled in the client by default? I just had the
> > opportunity to toast Theo on bugtraq for making misleading statements
> > about that setting on the OpenBSD side... :-) You might want to reenable
> > forwarding on the server, unless you know of a specific security risk to
> > the server associated with that (I don't offhand, but it doesn't
> > mean one doesn't exist).
>
> At the moment, X11 forwarding is ON. I saw a convincing argument
> on bugtraq today for turning it off.

Yes, but the risk is to the ssh *client*, not the server. The client
should have it off by default, not the server. It doesn't matter to sshd
in the slightest if it's on or not as it's just shuffling bytes around.

The client however is the only one that can make a judgement call about
whether to trust a server. For example, you might like to have x11
forwarding on locally but not remotely, and have that under ssh_config
control.

Cheers,
-Peter
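
The per-host client control described in the message above can be checked mechanically. The following is an added example, not part of the original e-mail or of OpenSSH: a small resolver for the `ForwardX11` value a client would use for a given host, following ssh_config's rule that the first value obtained for a keyword wins. The host names and both sample configurations are constructed, the `default="no"` parameter is an assumption that should be set to whatever the installed client defaults to, and `Include` and `Match` are not handled.

```python
import fnmatch
import re

def host_matches(patterns, host):
    """ssh_config Host rule: a negated (!) pattern that matches vetoes the
    block; otherwise at least one positive pattern must match."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_forward_x11(config_text, host, default="no"):
    """Return the ForwardX11 value that applies to `host`.
    The FIRST value obtained wins, so block order decides the result."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(value.split(), host)
        elif keyword == "forwardx11" and active:
            return value.lower()
    return default  # assumption: client default when nothing matches

# Constructed sample: forwarding on for local hosts, off everywhere else.
GOOD = """
Host *.lan.example.org
    ForwardX11 yes
Host *
    ForwardX11 no
"""

# Constructed sample: the wildcard block comes first, so the later
# per-host "no" is never reached and forwarding stays on for that host.
BAD = """
Host *
    ForwardX11 yes
Host shell.example.net
    ForwardX11 no
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        for h in ("build.lan.example.org", "shell.example.net"):
            print(name, h, effective_forward_x11(cfg, h))
```

On a system with a recent OpenSSH client, `ssh -G hostname` prints the configuration the client actually resolves and can be used to confirm the result.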