Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one

To: 765632@bugs.debian.org
Subject: Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Fri, 17 Oct 2014 17:30:16 +0200
Message-id: <[🔎] 1413559816.1382.4.camel@scientia.net>
Reply-to: Christoph Anton Mitterer <calestyo@scientia.net>, 765632@bugs.debian.org
In-reply-to: <[🔎] 20141017113122.GA29841@anguilla.debian.or.at>
References: <[🔎] 20141016184700.13275.9748.reportbug@heisenberg.scientia.net> <[🔎] 20141017113122.GA29841@anguilla.debian.or.at>

Hi Gerfried

On Fri, 2014-10-17 at 13:31 +0200, Gerfried Fuchs wrote: 
>  This is documented and explained in the documentation in
> /usr/share/doc/openssh-client/README.Debian.gz and also referenced from
> the changelog.Debian.gz file, which is the canonical point to look at
> for changes within the Debian packaging.
Well I didn't say that it would be nowhere documented... and if it would
be just set in the config files, it would be okay (still a bit strange
because the default would enable less security, but okay...).
But no one coming from another system, perhaps logging again just via
SSH can be expected to read through all Debian manpages, README.Debian
files etc., just to find out whether the internal program defaults
themselves have been change.
I wouldn't want to log in to another system, just to see that rm
defaults to -r or something strange like that.

Quoting from README.Debian:
>OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
>ssh client to create an untrusted X cookie so that attacks on the
>forwarded X11 connection can't become attacks on X clients on the
>remote machine. However, this has some problems in implementation -
> notably a very short timeout of the untrusted cookie - breaks large
> numbers of existing setups, and generally seems immature. The Debian
> package therefore sets the default for this option to "yes" (in ssh
> itself,rather than in ssh_config).

I don't see why this issues shouldn't be adequately fixed by just
setting it in ssh_config and at least in the meantime, the timout is
apparently configuralbe (ForwardX11Timeout),... defaults to 20
minutes... and so far I haven't found any X client, which couldn't start
when ForwardX11Trusted=no - maybe I just picked the wrong.



>  The following patch does this:
> http://sources.debian.net/src/openssh/1:6.7p1-2/debian/patches/keepalive-extensions.patch/
Sure, I saw that myself, once I've noted that there are differences from
upstream... but I guess no one installs a package, and starts looking
for such differences, at least not in command line option defaults.


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to:

References:
- Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
  - From: Gerfried Fuchs <rhonda@deb.at>

Prev by Date: Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
Next by Date: Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
Previous by thread: Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
Next by thread: Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one
Index(es):
- Date
- Thread