-rw-r--r-- | debian/README.Debian | 9 | ||||
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | ssh_config | 1 | ||||
-rw-r--r-- | ssh_config.5 | 3 |
5 files changed, 17 insertions, 2 deletions
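--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -115,6 +115,15 @@ As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
 the security risks of X11 forwarding. Look up X11UseLocalhost in
 sshd_config(8) if this is a problem.
 
+OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
+ssh client to create an untrusted X cookie so that attacks on the
+forwarded X11 connection can't become attacks on X clients on the remote
+machine. However, this has some problems in implementation - notably a
+very short timeout of the untrusted cookie - breaks large numbers of
+existing setups, and generally seems immature. The Debian package
+therefore sets the default for this option to "no" (in ssh itself,
+rather than in ssh_config).
+
 Fallback to RSH
 ---------------
 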
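--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 openssh (1:3.8p1-2) UNRELEASED; urgency=low
 
 * Disable PasswordAuthentication for new installations (closes: #236810).
+* Turn off the new ForwardX11Trusted by default, returning to the
+semantics of 3.7 and earlier, since it seems immature and causes far too
+many problems with existing setups. See README.Debian for details
+(closes: #237021).
 
 -- Colin Watson <cjwatson@debian.org> Mon, 8 Mar 2004 14:38:54 +0000
 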
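--- a/readconf.c
+++ b/readconf.c
@@ -899,7 +899,7 @@ fill_default_options(Options * options)
 if (options->forward_x11 == -1)
 options->forward_x11 = 0;
 if (options->forward_x11_trusted == -1)
-options->forward_x11_trusted = 0;
+options->forward_x11_trusted = 1;
 if (options->xauth_location == NULL)
 options->xauth_location = _PATH_XAUTH;
 if (options->gateway_ports == -1)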
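Review bot: The new default on line 902 (`options->forward_x11_trusted = 1;`) carries no comment marking it as a deliberate Debian divergence from upstream, and the README.Debian text added in this same commit says the package sets the default for this option to "no", which contradicts both this line and the "yes" given in the ssh_config and ssh_config.5 hunks. Trusted forwarding is the mode in which a forwarded X11 client is not held back from data belonging to trusted X11 clients, as the ssh_config.5 context describes, so the README should state the effective default accurately or administrators will assume a protection they do not have unless they set `ForwardX11Trusted no` themselves. I would add `/* Debian: default to trusted X11 forwarding (3.7 semantics); see README.Debian and ssh_config.5 */` above the assignment and change the README sentence to say the default is "yes". fill_default_options begins before this hunk.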
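--- a/ssh_config
+++ b/ssh_config
@@ -18,6 +18,7 @@
 # Host *
 # ForwardAgent no
 # ForwardX11 no
+# ForwardX11Trusted yes
 # RhostsRSAAuthentication no
 # RSAAuthentication yes
 # PasswordAuthentication yes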
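--- a/ssh_config.5
+++ b/ssh_config.5
@@ -330,7 +330,8 @@ from stealing or tampering with data belonging to trusted X11
 clients.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.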