Hi,
This bug got mentioned on the openssh-unix-dev mailing list yesterday,
so I had a look.
The primary thrust of this report seems to be about the modification
from upstream of the default for ForwardX11Trusted to now be set.
Frankly, I'm astonished by this -- I have been aware of -Y since it was
introduced, and had rather assumed that the fact that I was not using it
was offering me some degree of protection. Yes, I can see now that it
gets a mention in the README.Debian, but I've managed to miss that for a
decade it seems.
However, in the place one might expect it to be documented (i.e. the ssh
man page) I see no mention of it. In the ssh_config man page it gets
just:
The default is “yes” (Debian-specific).
It seems to me it needs something along the lines of this near the -X
and -Y options' documentation:
***WARNING***
-Y option is basically irrelevant as the result of Debian
shipping a modified binary that treats -X the same way.
You'll need to set ForwardX11Trusted to "no" if you want the
documented behaviour that is provided upstream.
*************
The patch that makes this change is here:
http://sources.debian.net/src/openssh/1:6.7p1-3/debian/patches/debian-config.patch/
which includes mention of the fact that the change was introduced in
order to close this bug:
https://bugs.debian.org/237021
where Colin states in Message #47:
I think it's become clear that it's too far-reaching at this point in
Debian's release cycle; we need time to prepare the rest of the
distribution for this sort of thing if it's to become the default.
That was in 2004 while Sarge was (not) getting released -- we've had
5 complete release cycles since then, so it might be time to get rid of
this patch.
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
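As an added example, not part of Phil's message nor of the Debian package, here is a ~/.ssh/config fragment that restores the upstream default on a Debian system while still opting in to trusted forwarding for a single host where it is genuinely needed. The host name is a placeholder.

```sshconfig
# ~/.ssh/config  (added example; the host name is a placeholder)
# ssh_config(5) uses the first obtained value for each option, so the
# host-specific block must come before the catch-all "Host *" block.

# One host where a full-featured X client really needs the whole
# display: opt in to trusted forwarding explicitly, as upstream's -Y would.
Host build-box.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

# Everywhere else: undo the Debian default, so that "ssh -X" hands the
# remote side an untrusted cookie (restricted by the X SECURITY
# extension) and only "ssh -Y" grants full access to the local display.
Host *
    ForwardX11Trusted no
    # Untrusted cookies expire; 20m is upstream's default for
    # ForwardX11Timeout, written out here so the limit is visible.
    ForwardX11Timeout 20m
```

To confirm what a given ssh binary will actually do for a host, OpenSSH 6.8 and later offer `ssh -G build-box.example.org | grep -i forwardx11`, which prints the options that result from evaluating both the per-user and the system-wide config, Debian's compiled-in default included. On 6.7p1, the version the bug refers to, that flag does not exist, so an explicit `ForwardX11Trusted no` in your own config is the reliable way to get the upstream behaviour. One caveat: untrusted forwarding relies on the local X server supporting the SECURITY extension, and some X clients misbehave under its restrictions, which is precisely why a per-host `ForwardX11Trusted yes` (or `-Y`) is preferable to turning the global default back on.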