Bug#929684: agent forwarding should be disabled by default
On Tue, May 28, 2019 at 02:21:47PM -0400, Antoine Beaupre wrote:
> There was a major security breach on the matrix.org servers, and they
> have posted a lengthy postmortem:
>
> https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh-agent-forwarding-should-be-disabled
>
> In there they specifically make this recommendation:
>
> > We’d like to recommend that packages of openssh start having
> > secure-by-default configurations, as a number of the old options
> > just don’t need to exist on most newly provisioned machines.
>
> They are specifically referring to `AllowAgentForwarding` which
> defaults to `yes` upstream and is unchanged in Debian.

Has anyone taken this up with upstream? I would prefer not to diverge
even more configuration from upstream, and if it's a good idea then it
should be done as far upstream as possible. I don't see anything
relevant on bugzilla.mindrot.org at the moment.
--
Colin Watson [cjwatson@debian.org]