summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.bin/ssh/ssh.115
1 files changed, 14 insertions, 1 deletions
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index fa25d5641b5..ce0dd291dd4 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.164 2002/08/29 16:02:54 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.165 2002/09/11 17:55:03 stevesk Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -402,6 +402,13 @@ Disables forwarding of the authentication agent connection.
.It Fl A
Enables forwarding of the authentication agent connection.
This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution. Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection. An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
.It Fl b Ar bind_address
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
@@ -558,6 +565,12 @@ Disables X11 forwarding.
.It Fl X
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution. Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection. An attacker may then be able to perform
+activities such as keystroke monitoring.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).