
Bug#765632: ForwardX11Trusted set to yes over a decade ago, for release reasons?



On Sun, 2015-02-22 at 22:31 +0000, Philip Hands wrote: 
> The primary thrust of this report seems to be about the modification
> from upstream of the default for ForwardX11Trusted to now be set.
Well, my main reason was actually more that Debian really changes some
default values in the program code, and not just in the default config
file delivered.

> Frankly, I'm astonished by this -- I have been aware of -Y since it was
> introduced, and had rather assumed that the fact that I was not using it
> was offering me some degree of protection.
While I agree that the default of ForwardX11Trusted seems to be pretty
ill-chosen, you have to remember that using X-forwarding is generally a
really bad idea from a security POV.


> Yes, I can see now that it
> gets a mention in the README.Debian, but I've managed to miss that for a
> decade it seems.
That's basically the point of my criticism... no one should need to read
through all Debian specific docs and manpages just to find all
deviations (especially when some are undocumented even there).


> However, in the place one might expect it to be documented (i.e. the ssh
> man page) I see no mention of it.  In the ssh_config man page it gets
> just:
> 
>   The default is “yes” (Debian-specific).
> 
> It seems to me it needs something along the lines of this near the -X
> and -Y options' documentation:
> 
>   ***WARNING***
> 
>     -Y option is basically irrelevant as the result of Debian
>        shipping a modified binary that treats -X the same way.
>        You'll need to set ForwardX11Trusted to "no" if you want the
>        documented behaviour that is provided upstream.
> 
>   *************

Nah... even that wouldn't be enough.
People shouldn't be expected to re-read the manpages of standard tools
for every new distro they log in to.
I mean what would come next? Swapping the meaning of -i and -f for rm,
with the excuse that this is documented somewhere (sorry for
exaggerating)?


Cheers,
Chris.
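As an added illustration for readers of this thread (it is not part of the bug report or of OpenSSH's code), the following script shows how to audit which hosts in an ssh_config would end up with trusted X11 forwarding when the binary's built-in default for ForwardX11Trusted is "yes", as on Debian, versus the upstream default of "no". The config text is constructed for the example; the parser is a simplified model of ssh_config semantics (first obtained value wins, Host patterns with * ? and ! negation) and does not handle Match or Include.

```python
import fnmatch

# Constructed sample client config (not from the bug report).
SAMPLE_CONFIG = """\
Host build-box
    ForwardX11 yes
    ForwardX11Trusted no

Host *.example.org
    ForwardX11 yes

Host *
    ForwardX11 no
"""


def parse_ssh_config(text):
    """Return (host_patterns, {option: value}) blocks in file order.

    Options before the first Host line apply to every host, so the
    implicit first block uses the pattern '*'.
    """
    blocks = []
    patterns = ["*"]
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Key value" and "Key=value".
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # Within a block the first occurrence of an option also wins.
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Glob matching as ssh does: any '!pattern' hit excludes the host."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_option(blocks, host, option, default):
    """ssh_config semantics: the first obtained value for an option wins."""
    option = option.lower()
    for patterns, options in blocks:
        if host_matches(patterns, host) and option in options:
            return options[option]
    return default


def x11_report(text, hosts, debian_default=True):
    """Map host -> (ForwardX11, ForwardX11Trusted) as the client would apply them.

    debian_default=True models the Debian binary (ForwardX11Trusted defaults
    to "yes"); False models upstream OpenSSH ("no"). A host reported as
    ("yes", "yes") gets a trusted X11 channel even when invoked with -X only.
    """
    blocks = parse_ssh_config(text)
    trusted_default = "yes" if debian_default else "no"
    return {
        host: (
            effective_option(blocks, host, "ForwardX11", "no"),
            effective_option(blocks, host, "ForwardX11Trusted", trusted_default),
        )
        for host in hosts
    }


if __name__ == "__main__":
    hosts = ["build-box", "ci.example.org", "other"]
    for label, flag in (("Debian default", True), ("upstream default", False)):
        print(label, x11_report(SAMPLE_CONFIG, hosts, debian_default=flag))
```

The useful finding is the middle row: a host that only sets ForwardX11 yes is reported as ("yes", "yes") under the Debian default and ("yes", "no") under upstream's, which is exactly the difference the thread is about. Running the real client's `ssh -G host` and reading its `forwardx11trusted` line is the authoritative check on an installed system.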
