7.4: DisableForwarding and Compression in man-pages
Damien Miller
djm at mindrot.org
Thu Dec 22 15:22:51 AEDT 2016
On Wed, 21 Dec 2016, ilf wrote:
> Thanks for OpenSSH 7.4!
>
> Damien Miller:
> > * sshd(8): Add a sshd_config DisableForwarding option that disables X11,
> > agent, TCP, tunnel and Unix domain socket forwarding, as well as anything
> > else we might implement in the future. Like the 'restrict' authorized_keys
> > flag, this is intended to be a simple and future-proof way of restricting
> > an account.
>
> Nice. But I cannot find this mentioned in man sshd_config.5?
It's there:
[djm at haru openssh]$ grep -A5 DisableForwarding sshd_config.5
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
> While ssh_config.5 says:
>
> > Specifies whether to use compression. The argument must be yes or no (the
> > default).
>
> 1. Why does ssh_config.5 not say that this is post-authentication-compression?
Because the client supports both, preferring delayed compression if
possible.
> 2. Why is the default "yes" in sshd_config.5 and "no" in ssh_config.5?
In the SSH protocol, the client chooses connection options (cipher,
compression, etc) from the sets of options that the server offers, so
the option in sshd_config makes compression available for the client
to use, and the option in the client says to use it if available.
-d
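
The negotiation rule described in the reply above, as an added example that is not part of the original message and is not OpenSSH code: it encodes and parses SSH_MSG_KEXINIT payloads (RFC 4253, section 7.1) and picks the compression method as the first name on the client's list that the server also offers. The name-lists are constructed for illustration, not captured from any OpenSSH version, and the function names are hypothetical.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(comp):
    """Encode a KEXINIT offering `comp` in both directions; other lists stay empty."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)        # message type + cookie
    for field in FIELDS:
        names = comp if field.startswith("comp_") else []
        data = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(data)) + data          # uint32 length + names
    return out + b"\x00" + struct.pack(">I", 0)             # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists, rejecting truncation."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, parsed = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list")
        n = struct.unpack_from(">I", payload, pos)[0]
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        parsed[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return parsed

def negotiate(client_list, server_list):
    """Return the first name on the client's list that the server also offers."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError("no common algorithm")

def negotiated_compression(client_payload, server_payload):
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {d: negotiate(c[d], s[d]) for d in ("comp_c2s", "comp_s2c")}

# Constructed name-lists (assumptions for illustration only).
SERVER_OFFERS = build_kexinit(["none", "zlib@openssh.com"])    # server makes it available
SERVER_NONE = build_kexinit(["none"])                          # server offers no compression
CLIENT_WANTS = build_kexinit(["zlib@openssh.com", "zlib", "none"])    # client prefers compression
CLIENT_DEFAULT = build_kexinit(["none", "zlib@openssh.com", "zlib"])  # client prefers none
```

A client that lists "none" first gets no compression even when the server offers it, and a client that prefers compression still ends up with "none" when the server's list contains nothing else.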