Re: What's the deal on the -X vs -Y thing?
From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 01/25/05
Date: 25 Jan 2005 10:10:20 GMT
In article <ct4re0$oc7$1@hedeland.org>, Per Hedeland <per@hedeland.org> wrote:
>In article
><41f5abc9$0$10565$5a62ac22@per-qv1-newsreader-01.iinet.net.au>
>dtucker@dodgy.net.au (Darren Tucker) writes:
>Well Darren, I generally greatly appreciate your posts, but here I have
>to ask: Did you *read* what Dan wrote (already in the original post,
>further spelled out above)? If it still isn't clear, maybe this helps:
>
>$ cat .ssh/config
>Host *
> ForwardX11Trusted yes
>$ ssh -v somehost
>OpenSSH_3.6.1p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>debug1: Reading configuration data /home/per/.ssh/config
>debug1: Applying options for *
>/home/per/.ssh/config: line 2: Bad configuration option: ForwardX11Trusted
>/home/per/.ssh/config: terminating, 1 bad configuration options
Now try it with those lines moved to the upgraded systems' global
ssh_config (i.e. /usr/local/etc/ssh_config or wherever you've configured
--sysconfdir to be). This is actually what I (and the FAQ) suggested.
>Unfortunately, all the world's installations of OpenSSH do not get
>upgraded the instant a new version is released. So for years to come, we
>will not have a simple answer to the user who wants to enable fully-
>functional X11 forwarding. And needless to say, for users in the
>situation that hosts with pre- and post-3.8 versions of OpenSSH
>NFS-mount the same home directory, ssh_config is not an answer at all.
So put it in the per-host config on the post-3.8 systems, not in the
per-user configs that are shared by all. This means that you're reverting
to the previous, insecure behaviour for all outbound connections (but that
appears to be what you're arguing for below anyway).
>I fully understand the security implications and the reasoning behind
>this change, but I still think it was a very bad decision
>compatibility-wise. And I can't help having the feeling that it wouldn't
>have been made if it weren't for developers thinking of OpenSSH as "an
>OpenBSD thing" rather than the ubiquitous piece of SW it has become.
*I* certainly don't think of it as "an OpenBSD-only thing". Last year
I did several times more work on Portable than OpenBSD (certainly in
terms of LOC, probably in time too).
Unfortunately, it seems that any non-trivial change will attract criticism
from somewhere. Sometimes it's justified and sometimes it's not.
In this case I think it's not justified.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
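
The version split discussed in this message (clients before 3.8 abort on ForwardX11Trusted as a bad configuration option, later ones accept it) can be checked on each machine before the option is placed in that machine's global ssh_config. The script below is an added example, not part of the original post and not OpenSSH code; the function names are hypothetical and the banners in the comments are constructed samples in the format shown in the quoted debug output.

```shell
#!/bin/sh
# Added example: gate ForwardX11Trusted on the local client version so that
# only post-3.8 hosts get the option in their *global* ssh_config, leaving
# per-user configs shared over NFS untouched.

# supports_x11_trusted "<banner>"
#   returns 0 if the banner reports OpenSSH 3.8 or later,
#   1 if it reports an older OpenSSH, 2 if it is not an OpenSSH banner.
supports_x11_trusted() {
    # Pull "MAJOR MINOR" out of e.g. "OpenSSH_3.6.1p1 FreeBSD-20030924, ..."
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# config_snippet "<banner>" "<host pattern>"
#   prints the block to append to the global ssh_config, or nothing when the
#   client would reject the option (or the version cannot be determined).
#   A narrower pattern than '*' limits which outbound connections go back to
#   the older, trusted forwarding behaviour.
config_snippet() {
    if supports_x11_trusted "$1"; then
        printf 'Host %s\n    ForwardX11Trusted yes\n' "$2"
    fi
}

# Stand-alone use: inspect the local client (ssh -V writes to stderr) and
# print the snippet for review. Nothing is written to any config file.
banner=$(ssh -V 2>&1 || true)
config_snippet "$banner" '*'
```
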