On Fri, Mar 11, 2016 at 9:15 AM, Dag-Erling Smørgrav <des@xxxxxx> wrote:
> Nico Kadel-Garcia <nkadel@xxxxxxxxx> writes:
>> Dag-Erling Smørgrav <des@xxxxxx> writes:
>> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
>> > X11Forwarding enabled by default.
>> I'm not sure I see your point.
>
> With X11Forwarding off by default, one would assume that it is only
> enabled on a case-by-case basis for users or groups who already have the
> necessary privileges to run arbitrary code on the server and therefore
> have nothing to gain from exploiting this bug. With X11Forwarding on by
> default, it might remain enabled for e.g. gitolite users.
>
> DES

OK, right. gitolite and similar tools that use ForceCommand, such as
"svn+ssh" based setups or "rsnapshot" based backup setups, should ideally
be publishing keys with ForceCommand and
"no-port-forwarding,no-X11-forwarding,no-pty" options.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
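
One way to check for the key options named in the reply above, as an added example that is not part of the original thread or of OpenSSH: a small audit of authorized_keys text that reports forced-command keys lacking no-port-forwarding, no-X11-forwarding or no-pty. The sample entries, key material and the rsnapshot-wrapper command name are constructed placeholders; treating the `restrict` option (OpenSSH 7.2 and later) as covering all three is an addition beyond what the message mentions.

```python
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # line begins with a key type: no options

def option_names(line):
    """Return the lower-cased option names of one authorized_keys line."""
    if not line or line.startswith(("#",) + KEY_PREFIXES):
        return set()                         # blank, comment, or no options field
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2      # escaped quote inside a value
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == ",":
            opts.append(cur)                 # unquoted comma separates options
            cur, i = "", i + 1
            continue
        elif not quoted and ch in " \t":
            break                            # end of the options field
        cur += ch
        i += 1
    opts.append(cur)
    return {o.split("=", 1)[0].lower() for o in opts}

def audit(text):
    """Return [(line_no, missing_options)] for forced-command keys."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        names = option_names(raw.strip())
        if "command" not in names:
            continue                         # not a forced-command key
        if "restrict" in names:
            # restrict disables all three; flag explicit re-enables such as
            # "pty" (conservative: option order is not taken into account)
            missing = sorted(r for r in REQUIRED if r[3:] in names)
        else:
            missing = sorted(REQUIRED - names)
        if missing:
            findings.append((no, missing))
    return findings

# Constructed sample entries; key blobs are placeholders, not real keys.
SAMPLE = '''\
command="gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER alice
command="rsnapshot-wrapper, nightly" ssh-rsa AAAAPLACEHOLDER backup
ssh-ed25519 AAAAPLACEHOLDER admin
restrict,command="svnserve -t" ssh-ed25519 AAAAPLACEHOLDER svn
'''
```

Running `audit()` over each account's authorized_keys file lists the line numbers that still need the options added; keys without a forced command are skipped because they already grant a shell.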