Package: openssh-client
Version: 1:6.7p1-2
Severity: important
Tags: security
Hi.

Apparently Debian deviates in a few of OpenSSH's hard-coded default settings, namely:
- ForwardX11Trusted being set to yes
- ServerAliveInterval being set to 300 when BatchMode is set to yes

Even though I had read that before, it wasn't clear to me that you had not just changed the values in the default config files but actually the hard-coded ones in the binary.

Especially for ForwardX11Trusted this seems a security issue to me, since you change to the insecure mode. Even if there was any good reason for this (why, btw?)... no one expects this, i.e. no one coming from non-Debian, and while one can probably demand that admins and users check their *config files* for different defaults on different platforms, one cannot expect people to re-read all manpages to find out whether the program options themselves have changed; especially not in the case of well-known programs like ssh, which behave differently in every other place.

I would perhaps agree to such a step if it closed a security issue, but this actually opens one (long story short: we've had an attack here in the faculty on two nodes from a compromised machine, which was at least made easier by this). :(

I don't have such strong feelings about ServerAliveInterval/BatchMode, since I don't see any direct way to exploit this in terms of security. Yet I still think that such a deviation is bad, since everyone expects it not to happen, and there may be programs which expect the connection to remain open (and perhaps resume), and Debian sets a timeout which doesn't exist anywhere else.

A proper solution would have been to add a new option like DefaultBatchModeServerAliveInterval, which defaults to the same value as upstream (0) but which could be set to e.g. your 300s. Then this option could have been set in Debian's default ssh_config and be used properly.
That being said, could you possibly do the following:

1) No longer change the hard-coded default of ForwardX11Trusted, but rather add ForwardX11Trusted=yes in the new default ssh_config. Or completely stop setting it, if there is no longer any reason for it. For legacy users (who may be surprised) a NEWS entry should be added.

2) For ServerAliveInterval/BatchMode, I would suggest my solution above, again with a NEWS entry. But as said, it's less important here.

Thanks,
Chris.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.18
ii  libc6             2.19-11
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-10
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1j-1
ii  passwd            1:4.2-2+b1
ii  zlib1g            1:1.2.8.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
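The practical consequence of the report above is that a client cannot trust ssh_config alone to tell it what ForwardX11Trusted or ServerAliveInterval will actually be: the compiled-in default may differ from upstream. The script below is an added example, not part of the bug report or of Debian's openssh packaging. It audits the effective client settings for exactly the two deviations discussed (as printed by `ssh -G host`, which OpenSSH gained in 6.8, so it is not available on the 6.7p1 client in the report) and writes a per-user config fragment that pins the upstream values so the compiled-in defaults no longer matter. The `ssh -G` output it parses is constructed sample text standing in for a real Debian client, so the script runs offline; on a real system pipe `ssh -G somehost` into `check_deviations` instead.

```shell
#!/bin/sh
# Added example (not code from the bug report or from Debian's openssh package).
# Audits the effective OpenSSH client settings for the two Debian deviations
# discussed above and pins the upstream defaults in a config file.
#
# Assumption: `ssh -G host` (OpenSSH 6.8+) prints the effective configuration
# as lowercase "keyword value" lines, one per line.

# Upstream (portable OpenSSH) defaults we compare against.
UPSTREAM_FORWARDX11TRUSTED=no
UPSTREAM_SERVERALIVEINTERVAL=0

# Read "keyword value" lines on stdin and print one line per deviation from
# the upstream default. Returns 1 if any deviation was found, 0 otherwise.
check_deviations() {
    found=0
    while read -r key value; do
        case "$key" in
            forwardx11trusted)
                if [ "$value" != "$UPSTREAM_FORWARDX11TRUSTED" ]; then
                    # Trusted forwarding bypasses the X SECURITY extension: a
                    # compromised server's X clients can read keystrokes and
                    # other windows on the local display.
                    echo "forwardx11trusted=$value (upstream default: $UPSTREAM_FORWARDX11TRUSTED)"
                    found=1
                fi ;;
            serveraliveinterval)
                if [ "$value" != "$UPSTREAM_SERVERALIVEINTERVAL" ]; then
                    echo "serveraliveinterval=$value (upstream default: $UPSTREAM_SERVERALIVEINTERVAL)"
                    found=1
                fi ;;
        esac
    done
    return $found
}

# Write a config fragment that restores the upstream behaviour regardless of
# the compiled-in defaults. $1 is the file to write, e.g. ~/.ssh/config.
# Per-user config wins over /etc/ssh/ssh_config and over the built-in default.
write_safe_config() {
    cat > "$1" <<'EOF'
Host *
    # Untrusted X11 forwarding: remote X clients run under the X SECURITY
    # extension and cannot steal or tamper with data of trusted clients.
    ForwardX11Trusted no
    # No keepalive timeout unless a host block explicitly asks for one.
    ServerAliveInterval 0
EOF
}

# Constructed sample standing in for `ssh -G host` output on a Debian client
# that carries the patched defaults (BatchMode on, so the 300s interval kicks in).
SAMPLE_DEBIAN='forwardx11 no
forwardx11trusted yes
serveraliveinterval 300
batchmode yes'

# Demo on the constructed sample; on a real system use:
#   ssh -G somehost | check_deviations
printf '%s\n' "$SAMPLE_DEBIAN" | check_deviations \
    || echo "client deviates from upstream defaults; consider write_safe_config ~/.ssh/config"
```

The audit reads the effective configuration rather than the config files precisely because, as the report points out, the deviation lives in the binary; pinning the values in a `Host *` block is the client-side equivalent of the ssh_config-based fix the report asks Debian to adopt.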