7.4: DisableForwarding and Compression in man-pages

ilf ilf at zeromail.org
Thu Dec 22 02:18:27 AEDT 2016


Thanks for OpenSSH 7.4!

Damien Miller:
> * sshd(8): Add a sshd_config DisableForwarding option that disables 
>   X11, agent, TCP, tunnel and Unix domain socket forwarding, as well 
>   as anything else we might implement in the future. Like the 
>   'restrict' authorized_keys flag, this is intended to be a simple 
>   and future-proof way of restricting an account.

Nice. But I cannot find this mentioned in man sshd_config.5?

> * sshd(8): Remove support for pre-authentication compression. 
>   Doing compression early in the protocol probably seemed reasonable 
>   in the 1990s, but today it's clearly a bad idea in terms of both 
>   cryptography (cf. multiple compression oracle attacks in TLS) and 
>   attack surface. Pre-auth compression support has been disabled by 
>   default for >10 years. Support remains in the client.

Reading up on Compression, sshd_config.5 says:

> Specifies whether compression is enabled after the user has 
> authenticated successfully. The argument must be yes, delayed (a 
> legacy synonym for yes) or no. The default is yes.

While ssh_config.5 says:

> Specifies whether to use compression. The argument must be yes or no 
> (the default).

1. Why does ssh_config.5 not say that this is 
post-authentication-compression?

2. Why is the default "yes" in sshd_config.5 and "no" in ssh_config.5?

Thanks, and keep up the good work!

-- 
ilf

Over 80 million Germans do not use a console. Don't click yourself away!
		-- An initiative of the Federal Office for Keyboard Use
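
An added example, not part of the original message or of OpenSSH: a small audit of effective sshd settings that reports which of the forwarding types named in the release note remain enabled and normalizes the Compression value as the quoted sshd_config.5 text describes. It assumes input in the lowercase `keyword value` form that `sshd -T` prints; both sample texts and all function names are constructed for illustration.

```python
# Added example: audit effective sshd settings for forwarding and compression.
# Input is assumed to be lowercase "keyword value" lines as printed by `sshd -T`.

# Per-type options for the forwarding kinds the release note lists
# (TCP, X11, agent, tunnel, Unix domain socket).
FORWARDING_OPTS = ("allowtcpforwarding", "x11forwarding", "allowagentforwarding",
                   "permittunnel", "allowstreamlocalforwarding")

# Constructed sample: forwarding restricted piecemeal, two types left enabled.
SAMPLE_PARTIAL = """\
disableforwarding no
allowtcpforwarding no
x11forwarding no
allowagentforwarding yes
permittunnel no
allowstreamlocalforwarding yes
compression delayed
"""

# Constructed sample: the single switch is on; per-type values no longer matter.
SAMPLE_RESTRICTED = """\
disableforwarding yes
allowtcpforwarding yes
compression no
"""

def parse_effective(text):
    """Parse 'keyword value' lines; the first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        cfg.setdefault(parts[0].lower(), value)
    return cfg

def audit(text):
    """Return which forwarding types stay enabled and the normalized compression."""
    cfg = parse_effective(text)
    if cfg.get("disableforwarding") == "yes":
        still_open = []  # DisableForwarding covers every forwarding type
    else:
        # Anything other than an explicit "no" is treated as not disabled.
        still_open = [o for o in FORWARDING_OPTS if cfg.get(o) != "no"]
    comp = cfg.get("compression", "unset")
    if comp == "delayed":  # legacy synonym for yes, per sshd_config.5
        comp = "yes"
    return {"forwarding_restricted": not still_open,
            "open": still_open, "compression": comp}
```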