On 10/18/2016 10:41 AM, SolÃ¨ne Rapenne wrote:
> Le 2016-10-18 10:35, Peter Janos a Ã©crit :
>> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
> from sshd_config(5)
> Specifies whether TCP forwarding is permitted. The available
> options are yes (the default) or all to allow TCP
> forwarding, no
> to prevent all TCP forwarding, local to allow local (from the
> perspective of ssh(1)) forwarding only or remote to allow
> forwarding only. Note that disabling TCP forwarding does not
> improve security unless users are also denied shell access, as
> they can always install their own forwarders.
Also the article states that "We checked our factory-defaulted device
and noticed that the âadmin:adminâ credential pair allows
us to connect to the web-based configuration interface."
Using such a weak password is more likely the problem, than the enabled
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]