Thanks for OpenSSH 7.4!

Damien Miller:
* sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
Nice. But I cannot find this mentioned in man sshd_config.5?
* sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client.
Reading up on Compression, sshd_config.5 says:
Specifies whether compression is enabled after the user has authenticated successfully. The argument must be yes, delayed (a legacy synonym for yes) or no. The default is yes.
While ssh_config.5 says:
Specifies whether to use compression. The argument must be yes or no (the default).
1. Why does ssh_config.5 not say that this is post-authentication-compression?
2. Why is the default "yes" in sshd_config.5 and "no" in ssh_config.5?

Thanks, and keep up the good work!

-- 
ilf

Over 80 million Germans do not use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Usage
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
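
The DisableForwarding option quoted from the release notes above, shown as an added sshd_config fragment that is not part of the original message or of the OpenSSH documentation. The group names are hypothetical; the first block lists the individual forwarding directives that the single option is meant to replace.

```conf
# Added example; the group names "batch-old" and "batch-new" are hypothetical.

# Before: each forwarding type is switched off one directive at a time.
# A forwarding type introduced in a later release would not be covered.
Match Group batch-old
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# After (OpenSSH 7.4 and later): one option covers X11, agent, TCP,
# tunnel and Unix domain socket forwarding, plus anything added later.
Match Group batch-new
    DisableForwarding yes
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded.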