Subject: AllowTcpForwarding no (by default)
To: alpine-devel@lists.alpinelinux.org
From: Ladar Levison
Date: Tue, 23 Jul 2019 13:57:08 +0530
Message-ID: <04299073-f21e-45ec-3c95-548b2a16c53d@lavabit.com>

Just wondering what the motivation was behind commit 8d2a4e449d4e15ddcf41ab1aade94a83f6ed4308, which updates the default OpenSSH daemon config with 'AllowTcpForwarding no'. Was there a reason or specific attack vector the change is meant to mitigate? All I could find is a vague reference to bad passwords?
It seems to me the two things are unrelated, as the port is still exposed if the machine has a public IP address. All this does is make it more difficult for an admin to set up an explicit port forwarding rule. All I could find was this: https://git.alpinelinux.org/aports/commit/?id=495bbd7fb1f07c23a1f2d47a071aa5519e08744c

I've been asked to restore the old value, aka 'AllowTcpForwarding yes', in my virtual machine base boxes, and I don't see an obvious reason to deny the request, as the new default causes port forwarding to break. And forwarding an SSH port from a virtual guest to an accessible IP address seems like a common enough use case for virtual machines, that I'm thinking it should.

But before I accept the pull request, and let loose the change across the internet, I wanted to solicit other opinions?

The pull request in question: https://github.com/lavabit/robox/pull/66
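Added example, not part of the original post or of either project: a small checker for the directive under discussion that reports the value sshd will actually enforce for a given account. It implements the sshd_config(5) rules that matter here (keywords are case-insensitive, the first value in the global section wins, the default when the keyword is absent is yes, and a matching Match block overrides the global section); the account name vagrant and the sample config are constructed, and only the Match User criterion is understood.

```python
import fnmatch

DEFAULT_ALLOW_TCP_FORWARDING = "yes"   # sshd's built-in default when the keyword is absent


def _user_matches(criteria, user):
    """Evaluate the criteria of a 'Match' line for a user name.
    Only 'User' (comma-separated patterns, '*' and '?' wildcards) is handled;
    any other criterion makes the block non-matching for this checker."""
    if user is None or not criteria:
        return False
    for i in range(0, len(criteria) - 1, 2):
        if criteria[i].lower() != "user":
            return False
        if not any(fnmatch.fnmatchcase(user, p) for p in criteria[i + 1].split(",")):
            return False
    return len(criteria) % 2 == 0


def effective_allow_tcp_forwarding(config_text, user=None):
    """Return the AllowTcpForwarding value sshd would apply to 'user'.
    Assumes the 'Keyword value' whitespace form of sshd_config lines."""
    global_val = None     # first value seen in the global section
    match_val = None      # first value seen in any Match block that applies
    in_match = block_active = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":                # a Match line starts a new block
            in_match = True
            block_active = _user_matches(args, user)
            continue
        if keyword != "allowtcpforwarding" or not args:
            continue
        value = args[0].lower()
        if in_match:
            if block_active and match_val is None:
                match_val = value
        elif global_val is None:
            global_val = value
    if match_val is not None:
        return match_val
    return global_val if global_val is not None else DEFAULT_ALLOW_TCP_FORWARDING


# Constructed sample: the new Alpine default ('no') kept globally, with forwarding
# re-enabled for one assumed account instead of flipping the global value back to 'yes'.
SAMPLE_CONFIG = """
PasswordAuthentication no
AllowTcpForwarding no
AllowTcpForwarding yes    # ignored: the first global value wins

Match User vagrant
    AllowTcpForwarding yes
"""
```

Run against a real file with `effective_allow_tcp_forwarding(open("/etc/ssh/sshd_config").read(), user="vagrant")` to see which value a given login would get.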