
Bug#929684: agent forwarding should be disabled by default



On Tue, May 28, 2019 at 02:21:47PM -0400, Antoine Beaupre wrote:
> There was a major security breach on the matrix.org servers, and they
> have posted a lengthy postmortem:
> 
> https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh-agent-forwarding-should-be-disabled
> 
> In there they specifically make this recommendation:
> 
> > We’d like to recommend that packages of openssh start having
> > secure-by-default configurations, as a number of the old options
> > just don’t need to exist on most newly provisioned machines.
> 
> They are specifically referring to `AllowAgentForwarding` which
> defaults to `yes` upstream and is unchanged in Debian.

Has anyone taken this up with upstream?  I would prefer not to diverge
even more configuration from upstream, and if it's a good idea then it
should be done as far upstream as possible.  I don't see anything
relevant on bugzilla.mindrot.org at the moment.

-- 
Colin Watson                                       [cjwatson@debian.org]
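
Added example, not part of the thread and not Debian or OpenSSH code: a small Python audit that reports the global `AllowAgentForwarding` value an `sshd_config` text yields, given the upstream default of `yes` quoted above. It assumes sshd's rule that the first value obtained for a keyword wins; the function name `audit` and the sample configuration are constructed for illustration.

```python
import re

UPSTREAM_DEFAULT = "yes"  # default stated in the thread above
KEY = "allowagentforwarding"
# sshd_config accepts both "Keyword value" and "Keyword=value"
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")

# Constructed sshd_config fragment, not taken from any real host.
SAMPLE = """\
# Constructed sshd_config fragment
Port 22
allowagentforwarding yes
AllowAgentForwarding no
Match Group jump
    AllowAgentForwarding=no
"""


def audit(config_text):
    """Return (global_value, source, match_overrides).

    Limitation (assumption of this sketch): Include files are not followed.
    """
    global_value, source = None, "default"
    overrides = []   # (Match criteria, value) set inside conditional blocks
    match = None     # None while still in the global section
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.fullmatch(line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2).split()
        if not args:
            continue
        if keyword == "match":
            match = " ".join(args)      # everything below is conditional
        elif keyword == KEY:
            value = args[0].strip('"').lower()
            if match is not None:
                overrides.append((match, value))
            elif global_value is None:  # later duplicates are ignored
                global_value, source = value, f"line {lineno}"
    if global_value is None:
        global_value = UPSTREAM_DEFAULT  # absent directive means enabled
    return global_value, source, overrides
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above only shows why a missing, duplicated, or `Match`-scoped directive can leave forwarding enabled.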

