disable features
Peter W
peterw at usa.net
Thu Oct 25 04:10:18 EST 2001
On Wed, Oct 24, 2001 at 07:24:22PM +0200, Lutz Jaenicke wrote:
> On Wed, Oct 24, 2001 at 09:35:22AM -0400, Ed Phillips wrote:
> > Also, is there any particular reason that authentication forwarding has
> > been disabled in 2.X
> > In addition, if there is some reason not to use these features (bugs,
> > unreasonable security risks, etc.)... please let me know.
>
> Both X11 and agent forwarding introduce some risks. If you cannot trust
> the admin on the server (or have to consider the system being compromised),
> you may experience the following:
> * the malicious admin could access your forwarded agent connection
Also, IIRC, OpenSSH's client will attempt to use agent/keypair auth when
initiating a new connection. This means 'ssh'/'sftp' will present your
keypair "identity" to new servers unless explicitly asked not to do so.
For privacy reasons, you may wish to hide your keypair identities unless
needed/warranted. It's probably a good thing for users to get in the habit
of explicitly requesting services like X11 forwarding and agent forwarding
instead of just expecting things to "work".
I guess I'm arguing that RSAAuthentication in ssh_config perhaps should
default to "no" as well.
-Peter
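The config below is an added illustration of the habit Peter argues for (forwarding and key-based auth off by default, switched on only for hosts that warrant it); it is not from the original message or from the OpenSSH project. It assumes the modern ssh_config option names (PubkeyAuthentication and IdentitiesOnly rather than the protocol-1 RSAAuthentication keyword of 2001), and the hostnames and key file names are hypothetical.

```sshconfig
# ~/.ssh/client config, added example only (not from the OpenSSH project).
# ssh_config applies the FIRST matching value for each option, so the
# host-specific blocks must come before the catch-all "Host *" block.

# Hypothetical trusted host: key auth and agent forwarding deliberately enabled.
Host build.example.net
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_build
    ForwardAgent yes

# Hypothetical host where only X11 forwarding is needed.
Host desktop.example.net
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_desktop
    ForwardX11 yes

# Defaults for every other server: nothing is forwarded and no key
# identity is offered, so an unknown server never learns which keys you hold.
Host *
    ForwardAgent no
    ForwardX11 no
    PubkeyAuthentication no
    IdentitiesOnly yes
```

Check the result per host with `ssh -G build.example.net` and `ssh -G some.other.host`, which print the effective option values; the former should show `forwardagent yes` and `pubkeyauthentication yes`, the latter `no` for both. Agent forwarding stays off for the desktop host even though X11 is on, since the two risks are independent and each should be requested separately.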