On Fri, 12 Jun 2009, James Carlson wrote:

> Wyllys Ingersoll writes:
>> I filed the "ssh config update" fast track for Huie-Ying Lee.
>> The timer expires on 6/19/2009
>
> Previously, the configuration file had a list of all(?) the
> configuration options along with comments that described each one.
> Why is this one being deleted? Is it no longer accepted as an option?
> (That is, is it now impossible to disable TCP port forwarding?)

I think that shipping uncommented defaults in any configuration file is a big mistake. An explicitly set default is no longer a default but an explicit configuration. We hit that problem recently, as you probably remember, when we found out that S9 machines had an explicitly set Ciphers option in sshd_config. Changing the default to offer new cipher modes then has no effect on such boxes, and I don't think that changing the configuration file is a correct thing either - we don't know if setting the Ciphers option to that old, previously default value is not what the customer wants now.

Another problem is that there is just a subset of the existing options in the sshd_config. I filed this CR some time ago:

6805294 sshd_config should not be shipped with explicit default values

and I really think we should get rid of all those options there as soon as possible. I do not think we should do that for S10 though.

We might put the default values into comments, that's what OpenSSH does. However, this means again that any change must strictly modify the sshd_config as well. No problem for OpenSSH, but a bigger problem for us. I'd definitely prefer to point the admin to the sshd_config(4) manual page; I don't see a reason why we should document the default values in 2 different places. Part of that project would have to be to carefully revisit the sshd_config manual page and make sure that it contains all the needed information about the default values.

cheers, J.

> Why not just change the way it installs, so that it installs as
> "AllowTcpForwarding yes" by default, and leaves it unchanged on
> upgrade or patch?
>
>> The release binding is micro (patch).
>
> Changing defaults in a patch seems a bit surprising. Are you sure you
> want to do that?

-- Jan Pechanec
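A small linter for the situation described in the thread (a shipped sshd_config that writes its defaults out as active directives, so a later change of the built-in default never takes effect), added here as an example and not code from the thread, from Solaris or from OpenSSH. The default tables and the sample config are constructed for the example; the real defaults live in the sshd_config manual page of the release in question.

```python
"""Lint an sshd_config for directives that merely restate a shipped default.
Added example, not code from the thread or from any ssh implementation."""
import re

# Constructed default tables for the example: what one release shipped as its
# built-in default, and what the next release changes it to.
OLD_DEFAULTS = {
    "ciphers": "aes128-cbc,3des-cbc,blowfish-cbc",
    "allowtcpforwarding": "yes",
    "permitrootlogin": "no",
}
NEW_DEFAULTS = dict(OLD_DEFAULTS, ciphers="aes128-ctr,aes192-ctr,aes256-ctr")

# sshd accepts both "Keyword value" and "Keyword = value".
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+?)\s*$")

def parse_sshd_config(text):
    """Map keyword (lowercased) -> value for directives actually in force.
    Comment lines such as '#Keyword value' are documentation only; sshd
    honours the first occurrence of a keyword, which is mirrored here."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            active.setdefault(m.group(1).lower(), m.group(2))
    return active

def pinned_defaults(text, defaults):
    """Keywords explicitly set to the current built-in default: no effect
    today, but from now on they stop following the shipped default."""
    active = parse_sshd_config(text)
    return sorted(k for k, v in active.items() if defaults.get(k) == v)

def frozen_on_upgrade(text, old_defaults, new_defaults):
    """Keywords pinned to the old default that the new release changes:
    the new default will silently not apply on this box."""
    active = parse_sshd_config(text)
    return sorted(k for k, v in active.items()
                  if old_defaults.get(k) == v and new_defaults.get(k) != v)

# Constructed sample resembling a file shipped with its defaults written out.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Ciphers aes128-cbc,3des-cbc,blowfish-cbc
AllowTcpForwarding yes
#PermitRootLogin no
PermitRootLogin = no
"""
```

Running `frozen_on_upgrade(SAMPLE_CONFIG, OLD_DEFAULTS, NEW_DEFAULTS)` reports only `ciphers`, the S9 case from the thread, while `pinned_defaults` lists every directive that would start diverging from future defaults; the script reports and leaves the decision to the admin.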