Bug#237533: AllowTcpForwarding no should be default
severity 237533 wishlist
thanks
On Fri, Mar 12, 2004 at 12:27:03AM +0100, Florian Effenberger wrote:
> Package: ssh
> Version: 3.6.1p2-12
>
> Due to security considerations, /etc/ssh/sshd_config should contain
>
> AllowTcpForwarding no
     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The
             default is ``yes''.  Note that disabling TCP forwarding
             does not improve security unless users are also denied
             shell access, as they can always install their own
             forwarders.
People running such locked-down configurations should definitely be able
to configure sshd themselves, and will almost certainly want to do so
anyway. Disabling port forwarding would, I believe, simply serve to
cause confusion among users with more ordinary setups.
I strongly disagree with adding more and more debconf questions to the
ssh package. It makes it more difficult to maintain and understand, and
the approach suffers badly from diminishing returns because after a
certain point people just maintain their own sshd_config files anyway.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
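
The man page caveat quoted above, as an added example that is not part of the original message or of the ssh package: a small Python check that reads an sshd_config and treats "AllowTcpForwarding no" as effective only where the same section also denies a shell. It assumes ForceCommand is how shell access is denied; the sample configuration and the verdict labels are constructed for illustration.

```python
# Added example; SAMPLE is a constructed sshd_config, not taken from the bug report.
SAMPLE = """\
AllowTcpForwarding no

Match Group sftponly
    ForceCommand internal-sftp

Match User tunnel
    AllowTcpForwarding yes
"""


def parse(text):
    """Split sshd_config text into [(scope, options)]; scope None is the global part."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))         # later lines belong to this Match block
        else:
            blocks[-1][1].setdefault(key, value)   # sshd uses the first value it obtains
    return blocks


def audit(text):
    """Label each section: 'allowed', 'cosmetic' (shell still available) or 'effective'."""
    blocks = parse(text)
    base = blocks[0][1]
    result = {}
    for scope, opts in blocks:
        # A Match block overrides the global value; otherwise the global or default applies.
        fwd = opts.get("allowtcpforwarding", base.get("allowtcpforwarding", "yes")).lower()
        forced = opts.get("forcecommand", base.get("forcecommand", "none")).lower()
        if fwd != "no":
            verdict = "allowed"
        elif forced == "none":
            verdict = "cosmetic"    # assumption: no ForceCommand means users get a shell
        else:
            verdict = "effective"
        result[scope or "global"] = verdict
    return result


if __name__ == "__main__":
    for section, verdict in audit(SAMPLE).items():
        print(f"{section}: {verdict}")
```

A "cosmetic" verdict marks exactly the case the man page warns about: forwarding is switched off, but the account can still run its own forwarder from a shell.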