7.4: DisableForwarding and Compression in man-pages
ilf
ilf at zeromail.org
Thu Dec 22 02:18:27 AEDT 2016
Thanks for OpenSSH 7.4!
Damien Miller:
> * sshd(8): Add a sshd_config DisableForwarding option that disables
> X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
> as anything else we might implement in the future. Like the
> 'restrict' authorized_keys flag, this is intended to be a simple
> and future-proof way of restricting an account.
Nice. But I cannot find this mentioned in man sshd_config.5?
> * sshd(8): Remove support for pre-authentication compression.
> Doing compression early in the protocol probably seemed reasonable
> in the 1990s, but today it's clearly a bad idea in terms of both
> cryptography (cf. multiple compression oracle attacks in TLS) and
> attack surface. Pre-auth compression support has been disabled by
> default for >10 years. Support remains in the client.
Reading up on Compression, sshd_config.5 says:
> Specifies whether compression is enabled after the user has
> authenticated successfully. The argument must be yes, delayed (a
> legacy synonym for yes) or no. The default is yes.
While ssh_config.5 says:
> Specifies whether to use compression. The argument must be yes or no
> (the default).
1. Why does ssh_config.5 not say that this is
post-authentication-compression?
2. Why is the default "yes" in sshd_config.5 and "no" in ssh_config.5?
Thanks, and keep up the good work!
--
ilf
Over 80 million Germans don't use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Use
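
Added example, not part of the original message or of OpenSSH: a shell function that reads `sshd -T`-style output (lowercase "keyword value" lines) and reports whether the forwarding types named in the release note are still enabled, along with the server's Compression value. The function name `audit_sshd_dump` and the sample dump are constructed; the logic assumes DisableForwarding overrides the individual forwarding options.

```shell
#!/bin/sh
# Summarise forwarding and compression settings from `sshd -T`-style
# output read on stdin. audit_sshd_dump is a hypothetical helper name.
audit_sshd_dump() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "disableforwarding" { disable = val }
        key == "compression"       { comp = val }
        # The forwarding types listed in the release note: TCP, agent,
        # X11, tunnel and Unix domain socket (stream-local) forwarding.
        key == "allowtcpforwarding" || key == "allowagentforwarding" ||
        key == "x11forwarding" || key == "permittunnel" ||
        key == "allowstreamlocalforwarding" {
            if (val != "no") enabled = enabled " " key "=" val
        }
        END {
            # Assumption: disableforwarding yes wins over the options above.
            if (disable == "yes")
                print "forwarding: disabled by disableforwarding"
            else if (enabled != "")
                print "forwarding: enabled:" enabled
            else
                print "forwarding: every listed option is no"
            print "compression: " (comp == "" ? "not reported" : comp)
        }
    '
}

# Constructed sample in the format `sshd -T` prints (not from a real host).
SAMPLE_DUMP='port 22
allowtcpforwarding yes
allowagentforwarding yes
x11forwarding no
permittunnel no
allowstreamlocalforwarding yes
disableforwarding no
compression yes'

# On a live host, as root: sshd -T | audit_sshd_dump
printf '%s\n' "$SAMPLE_DUMP" | audit_sshd_dump
```

Reading the effective configuration this way shows what the running binary accepts and applies, independent of what the installed man page documents.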