Date: Thu, 17 Apr 2008 21:39:36 +1000 (EST) From: Ian Smith <smithi@nimnet.asn.au> To: Peter Pentchev <roam@ringlet.net> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh Message-ID: <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au> In-Reply-To: <20080417084544.GA2461@straylight.m.ringlet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 17 Apr 2008, Peter Pentchev wrote: > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote: > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote: > > > > > IV. Workaround > > > > > > Disable support for IPv6 in the sshd(8) daemon by setting the option > > > "AddressFamily inet" in /etc/ssh/sshd_config. > > > > > > Disable support for X11 forwarding in the sshd(8) daemon by setting > > > the option "X11Forwarding no" in /etc/ssh/sshd_config. > > > > It's not quite clear from this whether both workarounds are required, or > > just either one, until upgrading? > > Either one, depending on what you want - if your users *need* and use > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :) > > Basically: > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no" > - if you use X11 forwarding *and* you DO NOT use IPv6, use the > "AddressFamily inet" line > - if you use X11 forwarding *and* you use IPv6, then you must upgrade. Thanks for the confirmation Peter, also Jille and mouss. cheers, Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1080417212950.23910C-100000>