Hi,

I can disable agent-forwarding for any given key by prefixing it with
"no-agent-forwarding", but it seems there's no global sshd_config
setting for this (i.e. no "AgentForwarding [yes|no]"). Is this on
purpose? If so, what's the rationale?

-Jan
On 03/24/2009 12:33 PM, Jan Schaumann wrote:
> Hi,
>
> I can disable agent-forwarding for any given key by prefixing it with
> "no-agent-forwarding", but it seems there's no global sshd_config
> setting for this (i.e. no "AgentForwarding [yes|no]"). Is this on
> purpose? If so, what's the rationale?

sshd_config(5) shows:

     AllowAgentForwarding
             Specifies whether ssh-agent(1) forwarding is permitted. The
             default is "yes". Note that disabling agent forwarding does
             not improve security unless users are also denied shell
             access, as they can always install their own forwarders.

hth,

--dkg
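As an added illustration of the two controls discussed in this thread (the global AllowAgentForwarding keyword and the per-key no-agent-forwarding option), here is a small Python checker that is not part of the thread or of OpenSSH: it reads an sshd_config and an authorized_keys file and reports which keys could still forward an agent. It assumes the main-section semantics from sshd_config(5) (first value of a keyword wins, default yes), skips Match blocks, and uses constructed sample inputs.

```python
import re
# Constructed sample inputs, not from the thread. The second AllowAgentForwarding
# line shows that sshd keeps the first value it reads; the Match block is skipped.
SSHD_CONFIG_SAMPLE = """\
AllowAgentForwarding no
AllowAgentForwarding yes
Match User deploy
    AllowAgentForwarding yes
"""
AUTHORIZED_KEYS_SAMPLE = """\
ssh-ed25519 AAAAC3Nz...CONSTRUCTED1 alice@laptop
command="/usr/bin/rsync --server, ro",no-agent-forwarding ssh-rsa AAAAB3Nz...CONSTRUCTED2 mirror
"""
# Option values may be double-quoted and then contain spaces and commas, so the
# options prefix ends at the first unquoted space and splits at unquoted commas.
QUOTED = r'"(?:[^"\\]|\\.)*"'
OPTIONS_PREFIX = re.compile(r'((?:[^\s"]|' + QUOTED + r')+)\s+(.*)')
ONE_OPTION = re.compile(r'(?:[^,"]|' + QUOTED + r')+')

def global_agent_forwarding(config_text):
    """Effective AllowAgentForwarding in the main section (default yes). Per
    sshd_config(5) keywords are case-insensitive and the first value seen wins;
    assumption: Match blocks are not evaluated, parsing stops at the first one."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if keyword.lower() == "match":
            break
        if keyword.lower() == "allowagentforwarding":
            return value.strip().lower() == "yes"
    return True

def agent_forwarding_allowed(config_text, authorized_keys_text):
    """Map each key's comment to whether sshd would permit agent forwarding:
    the global setting gates all keys, then a per-key no-agent-forwarding applies."""
    global_ok = global_agent_forwarding(config_text)
    verdicts = {}
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        options = []
        if not line.startswith(("ssh-", "ecdsa-", "sk-")):
            prefix, line = OPTIONS_PREFIX.match(line).groups()
            options = [o.split("=", 1)[0].strip() for o in ONE_OPTION.findall(prefix)]
        fields = line.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        verdicts[comment] = global_ok and "no-agent-forwarding" not in options
    return verdicts
```

dkg's caveat still applies to every "False" this reports: the setting only removes sshd's own forwarding channel, so it matters most for accounts that cannot run a shell or a forwarder of their own.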
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> sshd_config(5) shows:
>
> AllowAgentForwarding

Ah, only available since 5.1. Never mind, then.

Thanks,
-Jan