[packages/openssh] do not lower ssh client security by default
gotar
gotar at pld-linux.org
Tue Aug 23 08:04:13 CEST 2016
commit ae957f1bc3196e53edce28c17e1f35232638e733
Author: Tomasz Pala <gotar at pld-linux.org>
Date: Tue Aug 23 07:59:32 2016 +0200
do not lower ssh client security by default
ForwardX11Trusted might be enabled on command line by using -Y instead
of -X, so there's no real need for doing it system-wide(!) default.
Moreover, the rationale behind trusting remote party might be obsolete:
http://dailypackage.fedorabook.com/index.php?/archives/48-Wednesday-Why-Trusted-and-Untrusted-X11-Forwarding-with-SSH.html
Either way, trusting some potentially malicious (especially without
StrictHostKeyChecking) )remote side MUST be conscious decision.
openssh-config.patch | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
---
diff --git a/openssh-config.patch b/openssh-config.patch
index 4d35a03..4bc53c3 100644
--- a/openssh-config.patch
+++ b/openssh-config.patch
@@ -81,7 +81,7 @@
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-@@ -42,3 +45,19 @@
+@@ -42,3 +45,18 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
@@ -89,10 +89,9 @@
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+ StrictHostKeyChecking no
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++# ForwardX11Trusted no
+ ServerAliveInterval 60
+ ServerAliveCountMax 10
+ TCPKeepAlive no
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openssh.git/commitdiff/ae957f1bc3196e53edce28c17e1f35232638e733
More information about the pld-cvs-commit
mailing list