https://bugzilla.mindrot.org/show_bug.cgi?id=1733
--- Comment #16 from Gary T. Giesen <[email protected]> ---

You're confusing the settings for the daemon (sshd_config, which obviously only root should be able to change) with the settings for the client (ssh_config) when someone makes an outbound connection. The settings for the daemon can't be bypassed since obviously it requires root privileges to launch it to listen on port 22. The settings for the client should be freely settable by the user, just as it is with the -S option for telnet.

I have no problems with having smart defaults in ssh_config, but they definitely should be able to be overridden. In the end, there's no sense having a setting which provides no security whatsoever (but looks like it does). If a user is malicious, they can compile their own ssh client with the settings they want and bypass your config anyways. Since the kernel doesn't enforce any privileges on the setting of the DSCP markings, you shouldn't either. Thus it only makes sense to provide a configurable default.

Keep in mind it's up to the network to trust and enforce DSCP markings, so that's the proper place for these kinds of access controls to appear. Otherwise you'll need to convince the various *nix vendors to require privileges on setting DSCP markings.
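The comment's claim that the kernel applies no privilege check to DSCP markings can be checked directly on a host. The following is an added example, not part of the bug thread and not OpenSSH code; it assumes a Linux or BSD system with IPv4 sockets, and the function names are illustrative.

```c
/* Added example: an unprivileged process choosing its own DSCP marking.
 * Assumes IPv4 sockets on Linux/BSD; helper names are hypothetical. */
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* DSCP is the upper six bits of the IPv4 TOS byte; the low two bits are ECN. */
static int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }

/*
 * Ask the kernel to mark a fresh UDP socket with `dscp`, then read the
 * value back. Returns the DSCP the kernel accepted, or -1 on failure.
 */
int set_and_read_dscp(int dscp)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    int tos = dscp_to_tos(dscp);
    int got = 0;
    socklen_t len = sizeof(got);
    int result = -1;

    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) == 0 &&
        getsockopt(fd, IPPROTO_IP, IP_TOS, &got, &len) == 0)
        result = (got >> 2) & 0x3f;

    close(fd);
    return result;
}

int main(void)
{
    /* Constructed sample: a few well-known code points. */
    static const struct { const char *name; int dscp; } classes[] = {
        { "CS1", 8 }, { "AF21", 18 }, { "EF", 46 },
    };
    printf("euid=%d\n", (int)geteuid());
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        printf("%-4s requested=%2d accepted=%2d\n", classes[i].name,
               classes[i].dscp, set_and_read_dscp(classes[i].dscp));
    return 0;
}
```

Run as a non-root user, the accepted value matches the requested one for every class, which is why a client-side restriction in ssh_config cannot act as an access control and the marking has to be policed at the network edge.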
