debian/README.Debian | 9
debian/changelog | 4
readconf.c | 2
ssh_config | 1
ssh_config.5 | 3
5 files changed, 17 insertions, 2 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index cb1444a47..4f076f898 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -115,6 +115,15 @@ As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
115the security risks of X11 forwarding. Look up X11UseLocalhost in 115the security risks of X11 forwarding. Look up X11UseLocalhost in
116sshd_config(8) if this is a problem. 116sshd_config(8) if this is a problem.
117 117
118OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
119ssh client to create an untrusted X cookie so that attacks on the
120forwarded X11 connection can't become attacks on X clients on the remote
121machine. However, this has some problems in implementation - notably a
122very short timeout of the untrusted cookie - breaks large numbers of
123existing setups, and generally seems immature. The Debian package
124therefore sets the default for this option to "no" (in ssh itself,
125rather than in ssh_config).
126
118Fallback to RSH 127Fallback to RSH
119--------------- 128---------------
120 129
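Review bot: the new README paragraph says the Debian package sets the ForwardX11Trusted default to "no", but the readconf.c change in this same commit sets forward_x11_trusted to 1 and ssh_config.5 documents the default as "yes"; the README should read "yes", since "no" is exactly the upstream default this commit moves away from. The same paragraph would also benefit from stating the consequence plainly: with the default at yes, X11 clients on a forwarded connection are treated as trusted and get full access to the local display, so users who want the untrusted-cookie protection must set `ForwardX11Trusted no` explicitly, globally or in a per-host block of their ssh_config.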
diff --git a/debian/changelog b/debian/changelog
index ef6d73a81..3d3ed1275 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
1openssh (1:3.8p1-2) UNRELEASED; urgency=low 1openssh (1:3.8p1-2) UNRELEASED; urgency=low
2 2
3 * Disable PasswordAuthentication for new installations (closes: #236810). 3 * Disable PasswordAuthentication for new installations (closes: #236810).
4 * Turn off the new ForwardX11Trusted by default, returning to the
5 semantics of 3.7 and earlier, since it seems immature and causes far too
6 many problems with existing setups. See README.Debian for details
7 (closes: #237021).
4 8
5 -- Colin Watson <cjwatson@debian.org> Mon, 8 Mar 2004 14:38:54 +0000 9 -- Colin Watson <cjwatson@debian.org> Mon, 8 Mar 2004 14:38:54 +0000
6 10
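Review bot: "Turn off the new ForwardX11Trusted" reads as if the option is being set to no, while the code sets its default to yes; consider wording such as "Default ForwardX11Trusted to yes (upstream default is no)" so the changelog cannot be read as describing the opposite of the change. Since this loosens a security default relative to upstream, naming the setting users need to restore upstream behaviour (`ForwardX11Trusted no`) in the entry would help.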
diff --git a/readconf.c b/readconf.c
index 3af3038bb..dfd83c1b9 100644
--- a/readconf.c
+++ b/readconf.c
@@ -899,7 +899,7 @@ fill_default_options(Options * options)
899 if (options->forward_x11 == -1) 899 if (options->forward_x11 == -1)
900 options->forward_x11 = 0; 900 options->forward_x11 = 0;
901 if (options->forward_x11_trusted == -1) 901 if (options->forward_x11_trusted == -1)
902 options->forward_x11_trusted = 0; 902 options->forward_x11_trusted = 1;
903 if (options->xauth_location == NULL) 903 if (options->xauth_location == NULL)
904 options->xauth_location = _PATH_XAUTH; 904 options->xauth_location = _PATH_XAUTH;
905 if (options->gateway_ports == -1) 905 if (options->gateway_ports == -1)
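Review bot: the 0 to 1 change in fill_default_options() carries no comment, so nothing in the source marks it as a deliberate Debian divergence from upstream; a comment such as `/* Debian: trusted forwarding by default, see README.Debian */` above the assignment would keep a future upstream merge from silently restoring 0 and would tell anyone reading the code why the built-in default disagrees with upstream documentation. Because the default lives here rather than in ssh_config, a stock ssh_config gives no visible hint of it, which is a further reason to record the rationale at the point of change.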
diff --git a/ssh_config b/ssh_config
index 2692e8913..f72394b4e 100644
--- a/ssh_config
+++ b/ssh_config
@@ -18,6 +18,7 @@
18# Host * 18# Host *
19# ForwardAgent no 19# ForwardAgent no
20# ForwardX11 no 20# ForwardX11 no
21# ForwardX11Trusted yes
21# RhostsRSAAuthentication no 22# RhostsRSAAuthentication no
22# RSAAuthentication yes 23# RSAAuthentication yes
23# PasswordAuthentication yes 24# PasswordAuthentication yes
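Review bot: the added `# ForwardX11Trusted yes` line correctly mirrors the built-in default from readconf.c, but it is the one entry in this block whose value differs from upstream's documented default, so a trailing comment (for example `# Debian default; upstream defaults to no`) would save users who consult upstream documentation from assuming they already have untrusted X11 forwarding when they do not.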
diff --git a/ssh_config.5 b/ssh_config.5
index 72ad6d512..e4a59a2ad 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -330,7 +330,8 @@ from stealing or tampering with data belonging to trusted X11
330clients. 330clients.
331.Pp 331.Pp
332The default is 332The default is
333.Dq no . 333.Dq yes
334(Debian-specific).
334.Pp 335.Pp
335See the X11 SECURITY extension specification for full details on 336See the X11 SECURITY extension specification for full details on
336the restrictions imposed on untrusted clients. 337the restrictions imposed on untrusted clients.
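Review bot: the replacement is mdoc-correct (the sentence-closing period moved from the `.Dq no .` argument to the new `(Debian-specific).` line, so the rendered sentence still closes), but the surrounding paragraph, whose context ends with "from stealing or tampering with data belonging to trusted X11 clients", still describes the protection that the untrusted mode provides, and the documented default is now the mode without that protection. A sentence stating that `ForwardX11Trusted no` must be set explicitly to obtain the untrusted-client restrictions described below, and that this default differs from upstream OpenSSH, belongs here, where Debian users will look for it.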