Debian Bug report logs - #320104
ssh: Xforwarding is disabled and is not a debconf option either

Package: ssh; Maintainer for ssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for ssh is src:openssh.

Reported by: Luke Kenneth Casson Leighton <lkcl@lkcl.net>

Date: Wed, 27 Jul 2005 00:03:03 UTC

Severity: normal

Found in version ssh/1:3.8.1p1-8.sarge.4

Fixed in version openssh/1:4.2p1-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#320104; Package ssh.


Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: Xforwarding is disabled and is not a debconf option either
Date: Wed, 27 Jul 2005 00:51:07 +0100
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal


1) disabling of X forwarding on the server end is pointless as
   there is absolutely zero risk at the server end.

2) ssh -X is a choice made by the client: they take the risk.
   (and having the ssh_config option ForwardX11 no is a GOOD
    idea in this respect and is very sensible - unlike X11Forwarding no
    in sshd_config)

please either enable X11forwarding Yes in sshd_config, or provide
a debconf option to say yes or no and if it makes you happy put the
default option as no.


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.11-1-686 #1 Fri May 20 07:34:54 UTC 2005 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  debconf                     1.4.52       Debian configuration management sy
ii  dpkg                        1.13.9       Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libpam-modules              0.77-0.se5   Pluggable Authentication Modules f
ii  libpam-runtime              0.77-0.se5   Runtime support for the PAM librar
ii  libpam0g                    0.77-0.se5   Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7g-1     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-3    compression library - runtime

-- debconf information excluded




Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.


Notification sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Bug acknowledged by developer.


Message #10 received at 320104-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 320104-close@bugs.debian.org
Subject: Bug#320104: fixed in openssh 1:4.2p1-1
Date: Wed, 14 Sep 2005 08:02:06 -0700
Source: openssh
Source-Version: 1:4.2p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.2p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.2p1-1_powerpc.udeb
openssh-client_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.2p1-1_powerpc.deb
openssh-server-udeb_4.2p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.2p1-1_powerpc.udeb
openssh-server_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.2p1-1_powerpc.deb
openssh_4.2p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.2p1-1.diff.gz
openssh_4.2p1-1.dsc
  to pool/main/o/openssh/openssh_4.2p1-1.dsc
openssh_4.2p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.2p1.orig.tar.gz
ssh-askpass-gnome_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.2p1-1_powerpc.deb
ssh_4.2p1-1_all.deb
  to pool/main/o/openssh/ssh_4.2p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Sep 2005 15:16:14 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.2p1-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 181162 208648 320104 324695 326065
Changes: 
 openssh (1:4.2p1-1) unstable; urgency=low
 .
   * New upstream release.
     - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts
       to be incorrectly activated for dynamic ("-D") port forwardings when
       no listen address was explicitly specified (closes: #326065).
     - Add a new compression method ("Compression delayed") that delays zlib
       compression until after authentication, eliminating the risk of zlib
       vulnerabilities being exploited by unauthenticated users. Note that
       users of OpenSSH versions earlier than 3.5 will need to disable
       compression on the client or set "Compression yes" (losing this
       security benefit) on the server.
     - Increase the default size of new RSA/DSA keys generated by ssh-keygen
       from 1024 to 2048 bits (closes: #181162).
     - Many bugfixes and improvements to connection multiplexing.
     - Don't pretend to accept $HOME (closes: #208648).
   * debian/rules: Resynchronise CFLAGS with that generated by configure.
   * openssh-client and openssh-server conflict with pre-split ssh to avoid
     problems when ssh is left un-upgraded (closes: #324695).
   * Set X11Forwarding to yes in the default sshd_config (new installs only).
     At least when X11UseLocalhost is turned on, which is the default, the
     security risks of using X11 forwarding are risks to the client, not to
     the server (closes: #320104).
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKDam9t0zAhD6TNERAuvRAJ4lO0peam3SlphI+YRp9ifRD3mhQQCfZsh1
dWajDTamDn77FM5FLgtTUd8=
=q11C
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#320104; Package ssh.


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.


Message #15 received at 320104@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>, 320104@bugs.debian.org
Subject: Re: Bug#320104: ssh: Xforwarding is disabled and is not a debconf option either
Date: Wed, 14 Sep 2005 15:12:21 +0100

On Wed, Jul 27, 2005 at 12:51:07AM +0100, Luke Kenneth Casson Leighton wrote:
> 1) disabling of X forwarding on the server end is pointless as
>    there is absolutely zero risk at the server end.

This is only true when X11UseLocalhost is enabled (as it is by default).
Apart from that, you're quite right, and I'll turn it on by default in
the next upload - probably for new installs only, though, as editing
people's sshd_config files tends to attract flames. :-)

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
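
Added example (not part of the bug thread and not Debian or OpenSSH code): a small Python audit of sshd_config text for the condition described in the message above, X11Forwarding enabled together with X11UseLocalhost. It assumes sshd's first-value-wins keyword handling and the upstream defaults (X11Forwarding no, X11UseLocalhost yes), looks only at the global section before any Match line, and runs on constructed sample configs; the function names and result labels are hypothetical.

```python
# Upstream OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}


def x11_settings(config_text):
    """Return the global X11 settings; the first value per keyword wins."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        # Keyword and argument may be separated by whitespace or one '='.
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # assumption: conditional Match blocks are not audited
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            settings[key] = parts[1]
            seen.add(key)
    return settings


def assess(config_text):
    """Classify a config by where the X11 forwarding risk lies."""
    s = x11_settings(config_text)
    if s["x11forwarding"] != "yes":
        return "disabled"
    if s["x11uselocalhost"] == "no":
        # The proxy display binds to the wildcard address, so the
        # "risk is only to the client" argument no longer holds.
        return "needs-review"
    return "client-risk-only"


# Constructed sample configs (not taken from any real host).
NEW_DEFAULT = "Port 22\nX11Forwarding yes\n#X11UseLocalhost yes\n"
OLD_DEFAULT = "Port 22\nX11Forwarding no\n"
WILDCARD = "x11forwarding=yes\nX11UseLocalhost no\nX11UseLocalhost yes\n"
MATCH_ONLY = "X11Forwarding no\nMatch User alice\n  X11Forwarding yes\n"

if __name__ == "__main__":
    for name in ("NEW_DEFAULT", "OLD_DEFAULT", "WILDCARD", "MATCH_ONLY"):
        print(name, "->", assess(globals()[name]))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for these two values.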



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#320104; Package ssh.


Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.


Message #20 received at 320104@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: 320104@bugs.debian.org
Subject: Re: Bug#320104 acknowledged by developer (Bug#320104: fixed in openssh 1:4.2p1-1)
Date: Fri, 16 Sep 2005 14:56:26 +0100

thank you!

>    * Set X11Forwarding to yes in the default sshd_config (new installs only).
>      At least when X11UseLocalhost is turned on, which is the default, the
>      security risks of using X11 forwarding are risks to the client, not to
>      the server (closes: #320104).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:03:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 28 07:21:09 2018; Machine Name: buxtehude
