Hi Gerfried

On Fri, 2014-10-17 at 13:31 +0200, Gerfried Fuchs wrote:
> This is documented and explained in the documentation in
> /usr/share/doc/openssh-client/README.Debian.gz and also referenced from
> the changelog.Debian.gz file, which is the canonical point to look at
> for changes within the Debian packaging.

Well, I didn't say that it would be nowhere documented... and if it were just set in the config files, it would be okay (still a bit strange because the default would enable less security, but okay...).

But no one coming from another system, perhaps logging in again just via SSH, can be expected to read through all Debian manpages, README.Debian files etc., just to find out whether the internal program defaults themselves have been changed. I wouldn't want to log in to another system, just to see that rm defaults to -r or something strange like that.

Quoting from README.Debian:
> OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
> ssh client to create an untrusted X cookie so that attacks on the
> forwarded X11 connection can't become attacks on X clients on the
> remote machine. However, this has some problems in implementation -
> notably a very short timeout of the untrusted cookie - breaks large
> numbers of existing setups, and generally seems immature. The Debian
> package therefore sets the default for this option to "yes" (in ssh
> itself, rather than in ssh_config).

I don't see why these issues shouldn't be adequately fixed by just setting it in ssh_config, and at least in the meantime, the timeout is apparently configurable (ForwardX11Timeout)... defaults to 20 minutes... and so far I haven't found any X client which couldn't start when ForwardX11Trusted=no - maybe I just picked the wrong.

> The following patch does this:
> http://sources.debian.net/src/openssh/1:6.7p1-2/debian/patches/keepalive-extensions.patch/

Sure, I saw that myself, once I'd noted that there are differences from upstream... but I guess no one installs a package and starts looking for such differences, at least not in command line option defaults.

Cheers,
Chris.
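Since the thread's point is that a compiled-in default can differ from what upstream documents, the practical check is to audit the client's *resolved* configuration rather than ssh_config alone. The following shell snippet is an added example, not part of the original thread; it assumes an OpenSSH client that supports `ssh -G` (which prints the effective settings for a host) and a constructed sample of that output.

```shell
# Added example, not from the original mail thread.
# Audits the effective ssh client setting for X11 trust instead of trusting
# upstream docs, since Debian's ssh binary defaults ForwardX11Trusted to "yes".

# Reads "ssh -G"-style "key value" lines on stdin.
# Returns 0 if X11 forwarding would use an untrusted cookie
# (ForwardX11Trusted resolved to "no"), 1 otherwise.
x11_forwarding_is_untrusted() {
    trusted=$(awk 'tolower($1)=="forwardx11trusted"{print tolower($2)}')
    [ "$trusted" = "no" ]
}

# Real-world use (assumes "ssh -G" is available, OpenSSH 6.8 and later):
#   audit_host some.host.example && echo "untrusted X11 cookie" || echo "TRUSTED X11"
audit_host() {
    ssh -G "$1" | x11_forwarding_is_untrusted
}

# Hardened drop-in for ssh_config (paths assumed): the mail's suggestion of
# fixing the timeout via ForwardX11Timeout rather than trusting every client.
hardened_ssh_config() {
    printf 'Host *\n'
    printf '    ForwardX11 no\n'
    printf '    ForwardX11Trusted no\n'
    printf '    ForwardX11Timeout 20m\n'
}

# Constructed sample of what "ssh -G host" prints on a Debian-default client
# (forwardx11timeout is reported in seconds; 1200s is the 20 minute default).
debian_default_sample() {
    printf 'forwardx11 no\nforwardx11trusted yes\nforwardx11timeout 1200\n'
}

# Constructed sample after the hardened config has been applied.
hardened_sample() {
    printf 'forwardx11 no\nforwardx11trusted no\nforwardx11timeout 1200\n'
}
```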