Bug#929684: agent forwarding should be disabled by default
On Tue, May 28, 2019 at 02:21:47PM -0400, Antoine Beaupre wrote:
> There was a major security breach on the matrix.org servers, and they
> have posted a lengthy postmortem:
> In there they specifically make this recommendation:
> > We’d like to recommend that packages of openssh start having
> > secure-by-default configurations, as a number of the old options
> > just don’t need to exist on most newly provisioned machines.
> They are specifically referring to `AllowAgentForwarding` which
> defaults to `yes` upstream and is unchanged in Debian.
Has anyone taken this up with upstream? I would prefer not to diverge
even more configuration from upstream, and if it's a good idea then it
should be done as far upstream as possible. I don't see anything
relevant on bugzilla.mindrot.org at the moment.
Colin Watson [email@example.com]