Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security-relevant ones
Hi!
* Christoph Anton Mitterer <calestyo@scientia.net> [2014-10-16 20:47:00 CEST]:
> Apparently Debian deviates in a few of OpenSSH's hardcoded default
> settings, namely:
> - ForwardX11Trusted being set to yes
> - ServerAliveInterval being set to 300 when BatchMode is set to yes.
>
> Even though I've read that before, it wasn't clear to me that you didn't
> just change the values in the default config files but really the
> hard-coded ones in the binary.
>
> Especially for ForwardX11Trusted this seems like a security issue to me,
> since you switch to the insecure mode.
> Even if there was any good reason for this (why, btw?)...
This is documented and explained in the documentation in
/usr/share/doc/openssh-client/README.Debian.gz and also referenced from
the changelog.Debian.gz file, which is the canonical point to look at
for changes within the Debian packaging.
> I don't have that strong feelings about ServerAliveInterval/BatchMode,
> since I wouldn't see at least any direct way how to exploit this in terms
> of security.
The following patch does this:
http://sources.debian.net/src/openssh/1:6.7p1-2/debian/patches/keepalive-extensions.patch/
This is just an informal response. I am not related to the packaging
of openssh, just wanted to point out where those things come from.
Enjoy,
Rhonda
--
If you feel discouraged, finally take courage, go |
If you feel helpless, go out and help, go | Wir sind Helden
If you feel powerless, go out and act, go | 23.55: Alles auf Anfang
If you feel unsteady, find footing and let go |
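A quick way to see which of these compiled-in defaults are actually in effect on a given client is to dump the resolved configuration and flag the two settings the thread discusses. The script below is an added example, not part of this bug report or of the Debian packaging; it assumes an OpenSSH client with `ssh -G` (available since 6.8, so not the 6.7p1 referenced above) and a hypothetical file name `audit-ssh.sh`.

```shell
#!/bin/sh
# Audit the effective OpenSSH client options for one host and flag the two
# settings whose compiled-in defaults Debian changes. Reads "ssh -G"-style
# "option value" lines on stdin, so saved dumps can be checked as well.
audit_ssh_defaults() {
    awk '
        # ssh -G prints one lowercase option per line followed by its value
        { opt[tolower($1)] = $2 }
        END {
            n = 0
            if (opt["forwardx11trusted"] == "yes") {
                print "WARN ForwardX11Trusted yes: with ForwardX11 enabled the remote side gets full access to the local X display (Debian default; upstream default is no)"
                n++
            }
            if (opt["batchmode"] == "yes" && opt["serveraliveinterval"] == "300") {
                print "INFO ServerAliveInterval 300 under BatchMode: Debian keepalive-extensions default (upstream default is 0)"
                n++
            }
            # exit status = number of flagged settings, for use in scripts
            exit n
        }
    '
}

# Usage: sh audit-ssh.sh HOST
# Without a host argument, run on a constructed sample so the script works offline.
if [ -n "${1:-}" ]; then
    ssh -G "$1" | audit_ssh_defaults || echo "$? setting(s) flagged"
else
    printf 'forwardx11trusted yes\nbatchmode yes\nserveraliveinterval 300\n' |
        audit_ssh_defaults || echo "$? setting(s) flagged"
fi
```

`ssh -G` only resolves the configuration and never opens a connection, so the check can be run against any host name.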