7.4: DisableForwarding and Compression in man-pages

Damien Miller djm at mindrot.org
Thu Dec 22 15:22:51 AEDT 2016


On Wed, 21 Dec 2016, ilf wrote:

> Thanks for OpenSSH 7.4!
> 
> Damien Miller:
> > * sshd(8): Add a sshd_config DisableForwarding option that disables X11,
> > agent, TCP, tunnel and Unix domain socket forwarding, as well as anything
> > else we might implement in the future. Like the 'restrict' authorized_keys
> > flag, this is intended to be a simple and future-proof way of restricting
> > an account.
> 
> Nice. But I cannot find this mentioned in man sshd_config.5?

It's there:

[djm at haru openssh]$ grep -A5 DisableForwarding sshd_config.5 
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.

> While ssh_config.5 says:
> 
> > Specifies whether to use compression. The argument must be yes or no (the
> > default).
> 
> 1. Why does ssh_config.5 not say that this is post-authentication-compression?

Because the client supports both, preferring delayed compression if
possible.

> 2. Why is the default "yes" in sshd_config.5 and "no" in ssh_config.5?

In the SSH protocol, the client chooses connection options (cipher,
compression, etc) from the sets of options that the server offers, so
the option in sshd_config makes compression available for the client
to use, and the option in the client says to use it if available.

-d
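
The negotiation described in the reply above, as an added example that is not part of the original message and not OpenSSH's own code: the client's setting orders its preference list, the server's setting decides what is offered, and the first client entry the server also offers wins (RFC 4253 section 7.1). The name-lists for each setting are assumptions modelled on OpenSSH 7.4 behaviour; `outcome` and `table` are hypothetical helper names.

```python
# Added example: SSH compression negotiation (RFC 4253, section 7.1).
# "zlib@openssh.com" is delayed (post-authentication) compression,
# "zlib" is pre-authentication compression, "none" is no compression.

# Assumed client proposals, keyed by the ssh_config Compression value.
CLIENT_PROPOSAL = {
    "yes": ["zlib@openssh.com", "zlib", "none"],  # prefer delayed compression
    "no": ["none", "zlib@openssh.com", "zlib"],   # default: prefer none
}

# Assumed server offers, keyed by the sshd_config Compression value.
SERVER_OFFER = {
    "yes": ["none", "zlib@openssh.com"],      # default: delayed is available
    "delayed": ["none", "zlib@openssh.com"],  # same offer as "yes"
    "no": ["none"],                           # nothing for the client to pick
}


def negotiate(client_list, server_list):
    """Return the first algorithm in the client's list that the server offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    # With no common algorithm, key exchange fails and the peers disconnect.
    raise ValueError("no matching compression algorithm")


def outcome(client_setting, server_setting):
    """Negotiated algorithm for a pair of Compression settings."""
    return negotiate(CLIENT_PROPOSAL[client_setting], SERVER_OFFER[server_setting])


def table():
    """All client/server setting combinations and their negotiated result."""
    return {(c, s): outcome(c, s) for c in CLIENT_PROPOSAL for s in SERVER_OFFER}


if __name__ == "__main__":
    for (client, server), alg in table().items():
        print(f"ssh Compression={client:<3}  sshd Compression={server:<7}  -> {alg}")
```

Compression is only in use when both sides enable it: a server default of "yes" with a client default of "no" still negotiates `none`.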



