Date: Tue, 23 Jul 2019 11:10:10 +0200
From: Natanael Copa
To: Ladar Levison
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: AllowTcpForwarding no (by default)
Message-ID: <20190723111010.105ed4b9@ncopa-desktop.copa.dup.pw>
In-Reply-To: <04299073-f21e-45ec-3c95-548b2a16c53d@lavabit.com>
References: <04299073-f21e-45ec-3c95-548b2a16c53d@lavabit.com>

On Tue, 23 Jul 2019 13:57:08 +0530
Ladar Levison wrote:

> Just wondering what the motivation behind commit
> 8d2a4e449d4e15ddcf41ab1aade94a83f6ed4308 ... which updates the default
> OpenSSH daemon config with 'AllowTcpForwarding no'. Was there a reason
> or specific attack vector the change is meant to mitigate? All I could
> find is a vague reference to bad passwords? It seems to me the two
> things are unrelated, as the port is still exposed if the machine has a
> public IP address. All this does is make it more difficult for an admin
> to set up an explicit port forwarding rule. All I could find was this:
>
> https://git.alpinelinux.org/aports/commit/?id=495bbd7fb1f07c23a1f2d47a071aa5519e08744c

I don't remember exactly what made me do that change. Someone probably
hinted to me about it.

The general thinking here is to try to have secure defaults, features
disabled by default, and let people enable them when they need them.

The TCP forwarding is a common way to bypass firewalls. We don't want to
make it easy for an attacker who managed to break in - by default.

https://security.stackexchange.com/questions/22782/security-concerns-with-tcp-forwarding

> I've been asked to restore the old value, aka 'AllowTcpForwarding yes',
> in my virtual machine base boxes, and I don't see an obvious reason to
> deny the request, as the new default causes port forwarding to break.
> And forwarding an SSH port from a virtual guest, to an accessible IP
> address seems like a common enough use case for virtual machines, that
> I'm thinking it should.
>
> But before I accept the pull request, and let loose the change across
> the internet, I wanted to solicit other opinions?

If you need the feature, then I think you should enable it. We disabled
it for those who don't use it.

> The pull request in question:
>
> https://github.com/lavabit/robox/pull/66
>
> L~
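
Added example, not part of the original e-mail and not Alpine's or robox's code: a small Python audit that reports where an sshd_config leaves TCP forwarding enabled without a PermitOpen limit, so a base box can re-enable the feature for one account instead of globally. The sample config, the `vagrant` user and the function names are constructed for illustration; `Include` files are not followed.

```python
import re

LINE = re.compile(r"\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")
UPSTREAM_DEFAULT = "yes"  # sshd_config(5) default when the keyword is absent

# Constructed sample: hardened global default, one scoped exception,
# and one Match block that switches forwarding back on without a limit.
SAMPLE = """\
# constructed example, not from the thread
AllowTcpForwarding no
allowtcpforwarding yes
Match User vagrant
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:8080
Match Address 192.0.2.0/24
    AllowTcpForwarding yes
"""

def parse(text):
    """Return {section: {keyword: value}}; section "" is the global part.
    Keywords are case-insensitive and the first value in a section wins."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = value
            sections.setdefault(current, {})
        else:
            sections[current].setdefault(key, value)
    return sections

def audit(text):
    """List (section, value) where forwarding is on and no PermitOpen applies."""
    sections = parse(text)
    glob = sections[""]
    base = glob.get("allowtcpforwarding", UPSTREAM_DEFAULT).lower()
    findings = []
    for name, opts in sections.items():
        value = opts.get("allowtcpforwarding", base).lower()
        limited = "permitopen" in opts or "permitopen" in glob
        if value != "no" and not limited:
            findings.append((name or "global", value))
    return findings

if __name__ == "__main__":
    for section, value in audit(SAMPLE):
        print(f"{section}: AllowTcpForwarding {value} with no PermitOpen limit")
```

On a running host, `sshd -T` prints the effective configuration and remains the authoritative check.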