summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorKevin Steves <stevesk@cvs.openbsd.org>2002-08-27 17:18:41 +0000
committerKevin Steves <stevesk@cvs.openbsd.org>2002-08-27 17:18:41 +0000
commita2f350e0037d71984733074311ab3f5411dfd849 (patch)
tree6e5222b6a97a378ffc32bc64a2818cb22f1632b6 /usr.bin/ssh
parent74bcbc8c4dfd1c6e78c9f6bbcd10fefe73f902ae (diff)
some warning text for ForwardAgent and ForwardX11; ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/ssh_config.515
1 files changed, 14 insertions, 1 deletions
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 857cc9640b4..82eda0a1838 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.2 2002/08/17 23:55:01 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.3 2002/08/27 17:18:40 stevesk Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -258,6 +258,13 @@ or
.Dq no .
The default is
.Dq no .
+.Pp
+Agent forwarding should be enabled with caution. Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection. An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
over the secure channel and
@@ -269,6 +276,12 @@ or
.Dq no .
The default is
.Dq no .
+.Pp
+X11 forwarding should be enabled with caution. Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection. An attacker may then be able to perform
+activities such as keystroke monitoring.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.