From 856085bd7448d9f4da1e5f81b4204a33f3b8635d Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 22 May 2020 14:36:26 +0300 Subject: [PATCH] ssh_config: document ForwardAgent and ForwardX11... ...Previously they were no without explanation, but it never hurts to explicitly have comments on not doing that, I didn't quickly find anything nice for ForwardAgent, but I remember the Matrix.org people somehow avoiding hearing it and ForwardX11 first result was that StackExchange. --- etc/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config index 6f7667d2..2f32b37d 100644 --- a/etc/ssh/ssh_config +++ b/etc/ssh/ssh_config @@ -15,7 +15,10 @@ Host * # closed. ControlPersist yes + # SSH Agent forwarding is behind a lot of security breaches, never do it + # Most recently https://github.com/matrix-org/matrix.org/issues/371 ForwardAgent no + # Never do that either https://security.stackexchange.com/a/14817/234532 ForwardX11 no # Debian sets this as yes, upstream no. TODO: What is it?
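Review bot: the two comments added above `ForwardAgent no` and `ForwardX11 no` say "never do it" and "Never do that either" and point to links, but they do not state the risk itself, so the file stops explaining the settings if either URL goes away. Suggest giving a one-line reason inline and keeping the links as references: a forwarded agent can be used by anyone with root on the remote host to authenticate as you for as long as the connection is open, and X11 forwarding lets a privileged user on the remote host reach your local display. Because these sit under `Host *`, it would also help to say that they are the defaults for every host and that any exception belongs in a specific `Host` block. "Most recently" will age, so a date for the matrix.org incident would read better than a relative phrase.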