On Tue, May 28, 2019 at 02:21:47PM -0400, Antoine Beaupre wrote:
> There was a major security breach on the matrix.org servers, and they
> have posted a lengthy postmortem:
>
> https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh-agent-forwarding-should-be-disabled
>
> In there they specifically make this recommendation:
>
> > We’d like to recommend that packages of openssh start having
> > secure-by-default configurations, as a number of the old options
> > just don’t need to exist on most newly provisioned machines.
>
> They are specifically referring to `AllowAgentForwarding` which
> defaults to `yes` upstream and is unchanged in Debian.

Has anyone taken this up with upstream? I would prefer not to diverge even more configuration from upstream, and if it's a good idea then it should be done as far upstream as possible. I don't see anything relevant on bugzilla.mindrot.org at the moment.

-- 
Colin Watson [[email protected]]

