On 10/18/2016 10:41 AM, Solène Rapenne wrote:
> On 2016-10-18 10:35, Peter Janos wrote:
>> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
>> Thanks.
> from sshd_config(5)
>      AllowTcpForwarding
>              Specifies whether TCP forwarding is permitted.  The available
>              options are yes (the default) or all to allow TCP forwarding, no
>              to prevent all TCP forwarding, local to allow local (from the
>              perspective of ssh(1)) forwarding only or remote to allow remote
>              forwarding only.  Note that disabling TCP forwarding does not
>              improve security unless users are also denied shell access, as
>              they can always install their own forwarders.

Also the article states that "We checked our factory-defaulted device
and noticed that the “admin:admin” credential pair allows
us to connect to the web-based configuration interface."

Using such a weak password is more likely the problem than the enabled
TCP forward.

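Added example, not part of the original messages: a heuristic check for the caveat in the quoted sshd_config(5) text, flagging scopes where AllowTcpForwarding is restricted while no ForceCommand is set, so users keep a shell. The function names and the sample configuration are constructed for illustration, and treating ForceCommand as the sign that shell access is denied is an assumption.

```python
# Added example: heuristic audit of sshd_config text (not sshd's own parser).
# Handles "Keyword value" lines only; the "Keyword=value" form is not parsed.
SAMPLE = """\
# constructed sample configuration
AllowTcpForwarding no
Match Group sftponly
    ForceCommand internal-sftp
Match User backup
    AllowTcpForwarding local
"""

def parse_sections(text):
    """Return [(scope, {keyword: value})]; the first value per keyword wins."""
    sections = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append(("Match " + value, {}))  # new conditional block
        else:
            sections[-1][1].setdefault(key, value)
    return sections

def audit(text):
    """Flag scopes that restrict forwarding but still leave users a shell."""
    sections = parse_sections(text)
    glob = sections[0][1]
    findings = []
    for scope, opts in sections:
        # A Match block overrides the global section; unset keywords inherit.
        fwd = opts.get("allowtcpforwarding",
                       glob.get("allowtcpforwarding", "yes")).lower()
        forced = opts.get("forcecommand", glob.get("forcecommand", "none"))
        if fwd not in ("yes", "all") and forced.lower() == "none":
            # Assumption: without ForceCommand the user gets a normal shell
            # and "can always install their own forwarders".
            findings.append((scope, fwd))
    return findings

if __name__ == "__main__":
    for scope, fwd in audit(SAMPLE):
        print(f"{scope}: AllowTcpForwarding {fwd} but shell access remains")
```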