On Fri Feb 08, 2002 at 05:38:40PM -0600, Bryan Paxton wrote: > > * Thu Feb 7 2002 Vincent Danen <[EMAIL PROTECTED]> 3.0.2p1-3mdk > > - disable agent forwarding by default > > > > Why? Can you explain security hole here? > > > > 1. It's not vital to the service > 2. Packet forward or tunneling of any kind can introduce holes and ways > of circumvention > 3. Past has shown that openssh, though well audited, can be, was, and > will surely be again vulnerable to attacks, this includes attacks > against agent forwarding. > > Of course, this is _my_ explanation for such a choice, and a good choice > IMHO. > In other words, Danen, may want to voice yourself ; )
Bryan's accurate for the most part. =) Personally, I like (and use) agent forwarding. However, this is not the default behaviour of OpenSSH and we received some... mail... from the openssh team regarding this and other non-standard changes made to the package. There isn't exactly a security *hole* with agent forwarding being enabled by default, but the reasoning Markus (from openssh team) gave was that it is a potentially dangerous option to enable and users should be concious of this (ie. the user enables it if they want, otherwise it's off), and I agree with his reasoning. -- MandrakeSoft Security; http://www.mandrakesecure.net/ "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import" 1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD Current Linux kernel 2.4.8-34.1mdk uptime: 21 days 2 hours 5 minutes.
msg54544/pgp00000.pgp
Description: PGP signature