
Bug#237533: marked as done (AllowTcpForwarding no should be default)



Your message dated Fri, 12 Mar 2004 01:54:46 +0000
with message-id <20040312015446.GB32364@riva.ucam.org>
and subject line Bug#237533: AllowTcpForwarding no should be default
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Message-ID: <000e01c407c0$5e144b00$0500a8c0@effenberger>
From: "Florian Effenberger" <floeff@arcor.de>
To: <submit@bugs.debian.org>
Subject: AllowTcpForwarding no should be default
Date: Fri, 12 Mar 2004 00:27:03 +0100

Package: ssh
Version: 3.6.1p2-12

Due to security considerations, /etc/ssh/sshd_config should contain
     
        AllowTcpForwarding no


---------------------------------------
Date: Fri, 12 Mar 2004 01:54:46 +0000
From: Colin Watson <cjwatson@debian.org>
To: Florian Effenberger <floeff@arcor.de>, 237533-done@bugs.debian.org
Cc: Roger Ward <roger.ward@national-net.com>
Subject: Re: Bug#237533: AllowTcpForwarding no should be default
Message-ID: <20040312015446.GB32364@riva.ucam.org>
References: <000e01c407c0$5e144b00$0500a8c0@effenberger> <4050FBBA.6080807@national-net.com> <001101c407c4$a4d69fd0$0500a8c0@effenberger>
In-Reply-To: <001101c407c4$a4d69fd0$0500a8c0@effenberger>

On Fri, Mar 12, 2004 at 12:57:33AM +0100, Florian Effenberger wrote:
> It becomes a big risk when someone has set up a firewall, but a user can
> access them via SSH Port Forwarding. Most people don't know about this.

That's a strange concern. If you can do it by ssh port forwarding, you
can just do it using an ssh session. If you don't have minimal trust in
users not to break your system, don't give them ssh access. If you are
setting up a system where users have ssh access to a restricted
environment, you should read sshd_config(5) and configure sshd
appropriately. The Debian package only needs to provide sensible
defaults for most users.

> Maybe at least print out an information when debconf occurs, warning the
> user of the Port Forwarding risks?

The risks aren't worth mentioning in most setups, and would only be
noise (the ssh package is already quite noisy, and there are other bugs
open objecting to its noisiness). People with the rare case of setups
where it matters should read the documentation.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
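
Added example, not part of the thread or of the Debian package: a small audit of sshd_config text that separates "AllowTcpForwarding no" with a forced command from "AllowTcpForwarding no" where the user still gets a shell, which is the distinction the reply above draws. It assumes a current OpenSSH with Match blocks (these postdate the 3.6.1p2 package in the report), whitespace-separated keywords, and that a section without ForceCommand leaves shell access available; the sample configuration and group names are constructed.

```python
# Added example (not from the bug thread): classify each sshd_config section.
DEFAULTS = {"allowtcpforwarding": "yes", "forcecommand": "none"}

SAMPLE = """\
# Constructed sample configuration, not taken from the bug report.
AllowTcpForwarding yes
Match Group shellusers
    AllowTcpForwarding no
Match Group sftponly
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

def parse_sections(text):
    """Split config text into [(label, options)]; keywords are case-insensitive."""
    sections = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append(("Match " + value, {}))
        else:
            # sshd keeps the first value it reads for a keyword.
            sections[-1][1].setdefault(key, value)
    return sections

def audit(text):
    """Map each section to a verdict on forwarding versus shell access."""
    sections = parse_sections(text)
    global_opts = sections[0][1]
    report = {}
    for label, opts in sections:
        eff = {k: opts.get(k, global_opts.get(k, d)) for k, d in DEFAULTS.items()}
        if eff["allowtcpforwarding"].lower() != "no":
            report[label] = "forwarding-allowed"  # yes, local or remote
        elif eff["forcecommand"].lower() == "none":
            # A user with a shell can run a forwarder of their own.
            report[label] = "forwarding-off-but-shell-available"
        else:
            report[label] = "forwarding-off-and-command-forced"
    return report

if __name__ == "__main__":
    for section, verdict in audit(SAMPLE).items():
        print(f"{section}: {verdict}")
```

On a real host the effective values are better read from `sshd -T` than from the file, since included files and compiled-in defaults also apply.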


