Bug#929684: agent forwarding should be disabled by default

Tue, 28 May 2019 11:24:20 -0700 

Package: openssh-server
Version: 1:7.9p1-10
Severity: wishlist

There was a major security breach on the matrix.org servers, and they
have posted a lenghty postmortem:

https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh-agent-forwarding-should-be-disabled

In there they specifically make this recommendation:

> We’d like to recommend that packages of openssh start having
> secure-by-default configurations, as a number of the old options
> just don’t need to exist on most newly provisioned machines.

They are specifically refering to `AllowAgentForwarding` which
defaults to `yes` upstream and is unchanged in Debian.

I would like to suggest we take that recommendation into consideration
and disable Agent Forwarding by default, on all SSH client and servers
managed by Debian packages. I would similarly recommend disabling X11
forwarding, especially considering we're going to switch to Wayland
either in buster or bullseye.

A.

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.6
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-2
ii  libkrb5-3              1.17-2
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1b-2
ii  libsystemd0            241-3
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10
ii  openssh-sftp-server    1:7.9p1-10
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-3
ii  ncurses-term    6.1+20181013-2
ii  xauth           1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
ii  monkeysphere  0.43-3
pn  rssh          <none>
ii  ssh-askpass   1:1.2.4.1-10
pn  ufw           <none>

-- debconf information excluded

Reply via email to