
Bug#237533: AllowTcpForwarding no should be default



severity 237533 wishlist
thanks

On Fri, Mar 12, 2004 at 12:27:03AM +0100, Florian Effenberger wrote:
> Package: ssh
> Version: 3.6.1p2-12
> 
> Due to security considerations, /etc/ssh/sshd_config should contain
>      
>         AllowTcpForwarding no

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The
             default is ``yes''.  Note that disabling TCP forwarding
             does not improve security unless users are also denied
             shell access, as they can always install their own for-
             warders.

People running such locked-down configurations should definitely be able
to configure sshd themselves, and will almost certainly want to do so
anyway. Disabling port forwarding would, I believe, simply serve to
cause confusion among users with more ordinary setups.

I strongly disagree with adding more and more debconf questions to the
ssh package. It makes it more difficult to maintain and understand, and
the approach suffers badly from diminishing returns because after a
certain point people just maintain their own sshd_config files anyway.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
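
The man page caveat quoted in the message above, as an added example that is not part of the original message or of the ssh package: a small audit that reports, for the global scope and each Match block of an sshd_config, whether `AllowTcpForwarding no` is paired with denied shell access. It assumes the `Match` and `ForceCommand` keywords of current OpenSSH releases (not the 3.6.1p2 in the report) and treats a set `ForceCommand` as the proxy for "no shell"; the function names and the sample configuration are constructed for illustration.

```python
# Added example: audit an sshd_config for AllowTcpForwarding settings that
# restrict nothing because the same users can still get a shell.
# Assumption: a ForceCommand other than "none" stands in for "shell access denied".
DEFAULTS = {"allowtcpforwarding": "yes", "forcecommand": "none"}

def parse(text):
    """Return (global_opts, [(match_criteria, opts), ...]); first value wins per scope."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)  # sshd keeps the first value it sees
    return global_opts, blocks

def audit(text):
    """Return {scope: verdict} for the global scope and each Match block."""
    global_opts, blocks = parse(text)
    scopes = [("global", {})] + [("Match " + c, o) for c, o in blocks]
    report = {}
    for name, opts in scopes:
        # A Match block overrides the global value; otherwise fall back to the default.
        eff = {k: opts.get(k, global_opts.get(k, d)) for k, d in DEFAULTS.items()}
        fwd_off = eff["allowtcpforwarding"].lower() == "no"
        no_shell = eff["forcecommand"].lower() != "none"
        if fwd_off and no_shell:
            report[name] = "forwarding off, shell denied"
        elif fwd_off:
            report[name] = "forwarding off, shell still available"
        else:
            report[name] = "forwarding permitted"
    return report

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
AllowTcpForwarding no
Match Group sftponly
    ForceCommand internal-sftp
Match User admin
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for scope, verdict in audit(SAMPLE).items():
        print(f"{scope}: {verdict}")
```

A login shell such as nologin set in the account database also denies shell access, which this check cannot see from sshd_config alone.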



