On 2016-10-18 10:35, Peter Janos wrote:
shouldn't the default be "no" for the AllowTcpForwarding? Why is an
insecure option "yes" by default?
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
Thanks.
from sshd_config(5):

AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The available
        options are yes (the default) or all to allow TCP forwarding, no
        to prevent all TCP forwarding, local to allow local (from the
        perspective of ssh(1)) forwarding only or remote to allow remote
        forwarding only. Note that disabling TCP forwarding does not
        improve security unless users are also denied shell access, as
        they can always install their own forwarders.
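
Added example, not part of the original message or of OpenSSH: a small audit for the case the man page note singles out, accounts that are denied a shell but still inherit the default forwarding setting. It assumes a shell is denied via ForceCommand inside a Match block, evaluates each Match block on its own, and uses a constructed sample configuration with hypothetical group, user and path names.

```python
# Constructed sample configuration (names and paths are hypothetical).
SAMPLE = """\
AllowTcpForwarding yes
Subsystem sftp internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u

Match User backup
    ForceCommand /usr/local/bin/backup-only
    AllowTcpForwarding no

Match Group staff
    X11Forwarding no
"""

def parse(text):
    """Return (global_opts, [(criteria, opts), ...]); first value of a keyword wins."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # sshd_config keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                # following lines belong to this Match block
            blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks

def audit(text):
    """List Match blocks that deny a shell (ForceCommand) yet still permit forwarding."""
    global_opts, blocks = parse(text)
    default_fwd = global_opts.get("allowtcpforwarding", "yes")  # documented default
    default_cmd = global_opts.get("forcecommand", "none")
    findings = []
    for criteria, opts in blocks:
        forwarding = opts.get("allowtcpforwarding", default_fwd).lower()
        forced = opts.get("forcecommand", default_cmd).lower() != "none"
        if forced and forwarding != "no":
            findings.append((criteria, forwarding))
    return findings
```

On the sample, audit(SAMPLE) reports only the sftponly block: it forces a command but inherits AllowTcpForwarding yes from the global section.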