disable features

Peter W peterw at usa.net
Thu Oct 25 04:10:18 EST 2001

On Wed, Oct 24, 2001 at 07:24:22PM +0200, Lutz Jaenicke wrote:
> On Wed, Oct 24, 2001 at 09:35:22AM -0400, Ed Phillips wrote:

> > Also, is there any particular reason that authentication forwarding has
> > been disabled in 2.X

> > In addition, if there is some reason not to use these features (bugs,
> > unreasonable security risks, etc.)... please let me know.
> Both X11 and agent forwarding introduce some risks. If you cannot trust
> the admin on the server (or have to consider the system being compromised),
> you may experience the following:

> * the malicious admin could access your forwarded agent connection

Also, IIRC, OpenSSH's client will attempt to use agent/keypair auth when 
initiating a new connection. This means 'ssh'/'sftp' will present your 
keypair "identity" to new servers unless explicitly asked not to do so.
For privacy reasons, you may wish to hide your keypair identities unless 
needed/warranted. It's probably a good thing for users to get in the habit 
of explicitly requesting services like X11 forwarding and agent forwarding 
instead of just expecting things to "work".

I guess I'm arguing that RSAAuthentication in ssh_config perhaps should 
default to "no" as well.


More information about the openssh-unix-dev mailing list