diff options
author | Darren Tucker <dtucker@zip.com.au> | 2003-10-15 15:54:32 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2003-10-15 15:54:32 +1000 |
commit | 0a118da00eff14f018a055b3c187f27aa7d78ecd (patch) | |
tree | 6904bb2738a1a8a00c545fac7d4fec7b74bee870 | |
parent | a044f47679c27ca77b3ec19a6e0e148deb50a427 (diff) |
- markus@cvs.openbsd.org 2003/10/11 08:24:08
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
remote x11 clients are now untrusted by default, uses xauth(8) to generate
untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
ok deraadt; feedback and ok djm/fries
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | readconf.c | 12 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | ssh.1 | 7 | ||||
-rw-r--r-- | ssh.c | 92 | ||||
-rw-r--r-- | ssh_config.5 | 24 |
6 files changed, 112 insertions, 33 deletions
@@ -11,6 +11,11 @@ | |||
11 | - markus@cvs.openbsd.org 2003/10/08 15:21:24 | 11 | - markus@cvs.openbsd.org 2003/10/08 15:21:24 |
12 | [readconf.c ssh_config.5] | 12 | [readconf.c ssh_config.5] |
13 | default GSS API to no in client, too; ok jakob, deraadt@ | 13 | default GSS API to no in client, too; ok jakob, deraadt@ |
14 | - markus@cvs.openbsd.org 2003/10/11 08:24:08 | ||
15 | [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] | ||
16 | remote x11 clients are now untrusted by default, uses xauth(8) to generate | ||
17 | untrusted cookies; ForwardX11Trusted=yes restores old behaviour. | ||
18 | ok deraadt; feedback and ok djm/fries | ||
14 | 19 | ||
15 | 20031009 | 20 | 20031009 |
16 | - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ | 21 | - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ |
@@ -1328,4 +1333,4 @@ | |||
1328 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1333 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
1329 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1334 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
1330 | 1335 | ||
1331 | $Id: ChangeLog,v 1.3071 2003/10/15 05:52:03 dtucker Exp $ | 1336 | $Id: ChangeLog,v 1.3072 2003/10/15 05:54:32 dtucker Exp $ |
diff --git a/readconf.c b/readconf.c index 5a7084fe8..e5f2620a7 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -12,7 +12,7 @@ | |||
12 | */ | 12 | */ |
13 | 13 | ||
14 | #include "includes.h" | 14 | #include "includes.h" |
15 | RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $"); | 15 | RCSID("$OpenBSD: readconf.c,v 1.123 2003/10/11 08:24:07 markus Exp $"); |
16 | 16 | ||
17 | #include "ssh.h" | 17 | #include "ssh.h" |
18 | #include "xmalloc.h" | 18 | #include "xmalloc.h" |
@@ -89,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $"); | |||
89 | 89 | ||
90 | typedef enum { | 90 | typedef enum { |
91 | oBadOption, | 91 | oBadOption, |
92 | oForwardAgent, oForwardX11, oGatewayPorts, | 92 | oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, |
93 | oPasswordAuthentication, oRSAAuthentication, | 93 | oPasswordAuthentication, oRSAAuthentication, |
94 | oChallengeResponseAuthentication, oXAuthLocation, | 94 | oChallengeResponseAuthentication, oXAuthLocation, |
95 | oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, | 95 | oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, |
@@ -116,6 +116,7 @@ static struct { | |||
116 | } keywords[] = { | 116 | } keywords[] = { |
117 | { "forwardagent", oForwardAgent }, | 117 | { "forwardagent", oForwardAgent }, |
118 | { "forwardx11", oForwardX11 }, | 118 | { "forwardx11", oForwardX11 }, |
119 | { "forwardx11trusted", oForwardX11Trusted }, | ||
119 | { "xauthlocation", oXAuthLocation }, | 120 | { "xauthlocation", oXAuthLocation }, |
120 | { "gatewayports", oGatewayPorts }, | 121 | { "gatewayports", oGatewayPorts }, |
121 | { "useprivilegedport", oUsePrivilegedPort }, | 122 | { "useprivilegedport", oUsePrivilegedPort }, |
@@ -342,6 +343,10 @@ parse_flag: | |||
342 | intptr = &options->forward_x11; | 343 | intptr = &options->forward_x11; |
343 | goto parse_flag; | 344 | goto parse_flag; |
344 | 345 | ||
346 | case oForwardX11Trusted: | ||
347 | intptr = &options->forward_x11_trusted; | ||
348 | goto parse_flag; | ||
349 | |||
345 | case oGatewayPorts: | 350 | case oGatewayPorts: |
346 | intptr = &options->gateway_ports; | 351 | intptr = &options->gateway_ports; |
347 | goto parse_flag; | 352 | goto parse_flag; |
@@ -806,6 +811,7 @@ initialize_options(Options * options) | |||
806 | memset(options, 'X', sizeof(*options)); | 811 | memset(options, 'X', sizeof(*options)); |
807 | options->forward_agent = -1; | 812 | options->forward_agent = -1; |
808 | options->forward_x11 = -1; | 813 | options->forward_x11 = -1; |
814 | options->forward_x11_trusted = -1; | ||
809 | options->xauth_location = NULL; | 815 | options->xauth_location = NULL; |
810 | options->gateway_ports = -1; | 816 | options->gateway_ports = -1; |
811 | options->use_privileged_port = -1; | 817 | options->use_privileged_port = -1; |
@@ -872,6 +878,8 @@ fill_default_options(Options * options) | |||
872 | options->forward_agent = 0; | 878 | options->forward_agent = 0; |
873 | if (options->forward_x11 == -1) | 879 | if (options->forward_x11 == -1) |
874 | options->forward_x11 = 0; | 880 | options->forward_x11 = 0; |
881 | if (options->forward_x11_trusted == -1) | ||
882 | options->forward_x11_trusted = 0; | ||
875 | if (options->xauth_location == NULL) | 883 | if (options->xauth_location == NULL) |
876 | options->xauth_location = _PATH_XAUTH; | 884 | options->xauth_location = _PATH_XAUTH; |
877 | if (options->gateway_ports == -1) | 885 | if (options->gateway_ports == -1) |
diff --git a/readconf.h b/readconf.h index 60287f710..8aab2e606 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $ */ | 1 | /* $OpenBSD: readconf.h,v 1.56 2003/10/11 08:24:08 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -30,6 +30,7 @@ typedef struct { | |||
30 | typedef struct { | 30 | typedef struct { |
31 | int forward_agent; /* Forward authentication agent. */ | 31 | int forward_agent; /* Forward authentication agent. */ |
32 | int forward_x11; /* Forward X11 display. */ | 32 | int forward_x11; /* Forward X11 display. */ |
33 | int forward_x11_trusted; /* Trust Forward X11 display. */ | ||
33 | char *xauth_location; /* Location for xauth program */ | 34 | char *xauth_location; /* Location for xauth program */ |
34 | int gateway_ports; /* Allow remote connects to forwarded ports. */ | 35 | int gateway_ports; /* Allow remote connects to forwarded ports. */ |
35 | int use_privileged_port; /* Don't use privileged port if false. */ | 36 | int use_privileged_port; /* Don't use privileged port if false. */ |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.177 2003/10/08 08:27:36 jmc Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.178 2003/10/11 08:24:08 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -43,7 +43,7 @@ | |||
43 | .Nd OpenSSH SSH client (remote login program) | 43 | .Nd OpenSSH SSH client (remote login program) |
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm ssh | 45 | .Nm ssh |
46 | .Op Fl 1246AaCfgkNnqsTtVvXx | 46 | .Op Fl 1246AaCfgkNnqsTtVvXxY |
47 | .Op Fl b Ar bind_address | 47 | .Op Fl b Ar bind_address |
48 | .Op Fl c Ar cipher_spec | 48 | .Op Fl c Ar cipher_spec |
49 | .Op Fl D Ar port | 49 | .Op Fl D Ar port |
@@ -624,6 +624,7 @@ For full details of the options listed below, and their possible values, see | |||
624 | .It EscapeChar | 624 | .It EscapeChar |
625 | .It ForwardAgent | 625 | .It ForwardAgent |
626 | .It ForwardX11 | 626 | .It ForwardX11 |
627 | .It ForwardX11Trusted | ||
627 | .It GatewayPorts | 628 | .It GatewayPorts |
628 | .It GlobalKnownHostsFile | 629 | .It GlobalKnownHostsFile |
629 | .It GSSAPIAuthentication | 630 | .It GSSAPIAuthentication |
@@ -732,6 +733,8 @@ can access the local X11 display through the forwarded connection. | |||
732 | An attacker may then be able to perform activities such as keystroke monitoring. | 733 | An attacker may then be able to perform activities such as keystroke monitoring. |
733 | .It Fl x | 734 | .It Fl x |
734 | Disables X11 forwarding. | 735 | Disables X11 forwarding. |
736 | .It Fl Y | ||
737 | Enables trusted X11 forwarding. | ||
735 | .El | 738 | .El |
736 | .Sh CONFIGURATION FILES | 739 | .Sh CONFIGURATION FILES |
737 | .Nm | 740 | .Nm |
@@ -13,7 +13,7 @@ | |||
13 | * called by a name other than "ssh" or "Secure Shell". | 13 | * called by a name other than "ssh" or "Secure Shell". |
14 | * | 14 | * |
15 | * Copyright (c) 1999 Niels Provos. All rights reserved. | 15 | * Copyright (c) 1999 Niels Provos. All rights reserved. |
16 | * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. | 16 | * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved. |
17 | * | 17 | * |
18 | * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> | 18 | * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> |
19 | * in Canada (German citizen). | 19 | * in Canada (German citizen). |
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $"); | 43 | RCSID("$OpenBSD: ssh.c,v 1.202 2003/10/11 08:24:08 markus Exp $"); |
44 | 44 | ||
45 | #include <openssl/evp.h> | 45 | #include <openssl/evp.h> |
46 | #include <openssl/err.h> | 46 | #include <openssl/err.h> |
@@ -155,6 +155,7 @@ usage(void) | |||
155 | fprintf(stderr, " -A Enable authentication agent forwarding.\n"); | 155 | fprintf(stderr, " -A Enable authentication agent forwarding.\n"); |
156 | fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); | 156 | fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); |
157 | fprintf(stderr, " -X Enable X11 connection forwarding.\n"); | 157 | fprintf(stderr, " -X Enable X11 connection forwarding.\n"); |
158 | fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n"); | ||
158 | fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); | 159 | fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); |
159 | fprintf(stderr, " -i file Identity for public key authentication " | 160 | fprintf(stderr, " -i file Identity for public key authentication " |
160 | "(default: ~/.ssh/identity)\n"); | 161 | "(default: ~/.ssh/identity)\n"); |
@@ -264,7 +265,7 @@ main(int ac, char **av) | |||
264 | 265 | ||
265 | again: | 266 | again: |
266 | while ((opt = getopt(ac, av, | 267 | while ((opt = getopt(ac, av, |
267 | "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { | 268 | "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) { |
268 | switch (opt) { | 269 | switch (opt) { |
269 | case '1': | 270 | case '1': |
270 | options.protocol = SSH_PROTO_1; | 271 | options.protocol = SSH_PROTO_1; |
@@ -291,6 +292,10 @@ again: | |||
291 | case 'X': | 292 | case 'X': |
292 | options.forward_x11 = 1; | 293 | options.forward_x11 = 1; |
293 | break; | 294 | break; |
295 | case 'Y': | ||
296 | options.forward_x11 = 1; | ||
297 | options.forward_x11_trusted = 1; | ||
298 | break; | ||
294 | case 'g': | 299 | case 'g': |
295 | options.gateway_ports = 1; | 300 | options.gateway_ports = 1; |
296 | break; | 301 | break; |
@@ -721,19 +726,25 @@ again: | |||
721 | return exit_status; | 726 | return exit_status; |
722 | } | 727 | } |
723 | 728 | ||
729 | #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" | ||
730 | |||
724 | static void | 731 | static void |
725 | x11_get_proto(char **_proto, char **_data) | 732 | x11_get_proto(char **_proto, char **_data) |
726 | { | 733 | { |
734 | char cmd[1024]; | ||
727 | char line[512]; | 735 | char line[512]; |
736 | char xdisplay[512]; | ||
728 | static char proto[512], data[512]; | 737 | static char proto[512], data[512]; |
729 | FILE *f; | 738 | FILE *f; |
730 | int got_data = 0, i; | 739 | int got_data = 0, generated = 0, do_unlink = 0, i; |
731 | char *display; | 740 | char *display, *xauthdir, *xauthfile; |
732 | struct stat st; | 741 | struct stat st; |
733 | 742 | ||
743 | xauthdir = xauthfile = NULL; | ||
734 | *_proto = proto; | 744 | *_proto = proto; |
735 | *_data = data; | 745 | *_data = data; |
736 | proto[0] = data[0] = '\0'; | 746 | proto[0] = data[0] = '\0'; |
747 | |||
737 | if (!options.xauth_location || | 748 | if (!options.xauth_location || |
738 | (stat(options.xauth_location, &st) == -1)) { | 749 | (stat(options.xauth_location, &st) == -1)) { |
739 | debug("No xauth program."); | 750 | debug("No xauth program."); |
@@ -742,28 +753,59 @@ x11_get_proto(char **_proto, char **_data) | |||
742 | debug("x11_get_proto: DISPLAY not set"); | 753 | debug("x11_get_proto: DISPLAY not set"); |
743 | return; | 754 | return; |
744 | } | 755 | } |
745 | /* Try to get Xauthority information for the display. */ | 756 | /* |
746 | if (strncmp(display, "localhost:", 10) == 0) | 757 | * Handle FamilyLocal case where $DISPLAY does |
747 | /* | 758 | * not match an authorization entry. For this we |
748 | * Handle FamilyLocal case where $DISPLAY does | 759 | * just try "xauth list unix:displaynum.screennum". |
749 | * not match an authorization entry. For this we | 760 | * XXX: "localhost" match to determine FamilyLocal |
750 | * just try "xauth list unix:displaynum.screennum". | 761 | * is not perfect. |
751 | * XXX: "localhost" match to determine FamilyLocal | 762 | */ |
752 | * is not perfect. | 763 | if (strncmp(display, "localhost:", 10) == 0) { |
753 | */ | 764 | snprintf(xdisplay, sizeof(xdisplay), "unix:%s", |
754 | snprintf(line, sizeof line, "%s list unix:%s 2>" | 765 | display + 10); |
755 | _PATH_DEVNULL, options.xauth_location, display+10); | 766 | display = xdisplay; |
756 | else | 767 | } |
757 | snprintf(line, sizeof line, "%s list %.200s 2>" | 768 | if (options.forward_x11_trusted == 0) { |
758 | _PATH_DEVNULL, options.xauth_location, display); | 769 | xauthdir = xmalloc(MAXPATHLEN); |
759 | debug2("x11_get_proto: %s", line); | 770 | xauthfile = xmalloc(MAXPATHLEN); |
760 | f = popen(line, "r"); | 771 | strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); |
772 | if (mkdtemp(xauthdir) != NULL) { | ||
773 | do_unlink = 1; | ||
774 | snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", | ||
775 | xauthdir); | ||
776 | snprintf(cmd, sizeof(cmd), | ||
777 | "%s -f %s generate %s " SSH_X11_PROTO | ||
778 | " untrusted timeout 120 2>" _PATH_DEVNULL, | ||
779 | options.xauth_location, xauthfile, display); | ||
780 | debug2("x11_get_proto: %s", cmd); | ||
781 | if (system(cmd) == 0) | ||
782 | generated = 1; | ||
783 | } | ||
784 | } | ||
785 | snprintf(cmd, sizeof(cmd), | ||
786 | "%s %s%s list %s . 2>" _PATH_DEVNULL, | ||
787 | options.xauth_location, | ||
788 | generated ? "-f " : "" , | ||
789 | generated ? xauthfile : "", | ||
790 | display); | ||
791 | debug2("x11_get_proto: %s", cmd); | ||
792 | f = popen(cmd, "r"); | ||
761 | if (f && fgets(line, sizeof(line), f) && | 793 | if (f && fgets(line, sizeof(line), f) && |
762 | sscanf(line, "%*s %511s %511s", proto, data) == 2) | 794 | sscanf(line, "%*s %511s %511s", proto, data) == 2) |
763 | got_data = 1; | 795 | got_data = 1; |
764 | if (f) | 796 | if (f) |
765 | pclose(f); | 797 | pclose(f); |
766 | } | 798 | } |
799 | |||
800 | if (do_unlink) { | ||
801 | unlink(xauthfile); | ||
802 | rmdir(xauthdir); | ||
803 | } | ||
804 | if (xauthdir) | ||
805 | xfree(xauthdir); | ||
806 | if (xauthfile) | ||
807 | xfree(xauthfile); | ||
808 | |||
767 | /* | 809 | /* |
768 | * If we didn't get authentication data, just make up some | 810 | * If we didn't get authentication data, just make up some |
769 | * data. The forwarding code will check the validity of the | 811 | * data. The forwarding code will check the validity of the |
@@ -775,12 +817,14 @@ x11_get_proto(char **_proto, char **_data) | |||
775 | if (!got_data) { | 817 | if (!got_data) { |
776 | u_int32_t rand = 0; | 818 | u_int32_t rand = 0; |
777 | 819 | ||
778 | logit("Warning: No xauth data; using fake authentication data for X11 forwarding."); | 820 | logit("Warning: No xauth data; " |
779 | strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); | 821 | "using fake authentication data for X11 forwarding."); |
822 | strlcpy(proto, SSH_X11_PROTO, sizeof proto); | ||
780 | for (i = 0; i < 16; i++) { | 823 | for (i = 0; i < 16; i++) { |
781 | if (i % 4 == 0) | 824 | if (i % 4 == 0) |
782 | rand = arc4random(); | 825 | rand = arc4random(); |
783 | snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff); | 826 | snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", |
827 | rand & 0xff); | ||
784 | rand >>= 8; | 828 | rand >>= 8; |
785 | } | 829 | } |
786 | } | 830 | } |
diff --git a/ssh_config.5 b/ssh_config.5 index da162499b..7f3c7064a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -306,9 +306,27 @@ The default is | |||
306 | .Pp | 306 | .Pp |
307 | X11 forwarding should be enabled with caution. | 307 | X11 forwarding should be enabled with caution. |
308 | Users with the ability to bypass file permissions on the remote host | 308 | Users with the ability to bypass file permissions on the remote host |
309 | (for the user's X authorization database) | 309 | (for the user's X11 authorization database) |
310 | can access the local X11 display through the forwarded connection. | 310 | can access the local X11 display through the forwarded connection. |
311 | An attacker may then be able to perform activities such as keystroke monitoring. | 311 | An attacker may then be able to perform activities such as keystroke monitoring |
312 | if the | ||
313 | .Cm ForwardX11Trusted | ||
314 | option is also enabled. | ||
315 | .It Cm ForwardX11Trusted | ||
316 | If the this option is set to | ||
317 | .Dq yes | ||
318 | then remote X11 clients will have full access to the original X11 display. | ||
319 | If this option is set to | ||
320 | .Dq no | ||
321 | then remote X11 clients will be considered untrusted and prevented | ||
322 | from stealing or tampering with data belonging to trusted X11 | ||
323 | clients. | ||
324 | .Pp | ||
325 | The default is | ||
326 | .Dq no . | ||
327 | .Pp | ||
328 | See the X11 SECURITY extension specification for full details on | ||
329 | the restrictions imposed on untrusted clients. | ||
312 | .It Cm GatewayPorts | 330 | .It Cm GatewayPorts |
313 | Specifies whether remote hosts are allowed to connect to local | 331 | Specifies whether remote hosts are allowed to connect to local |
314 | forwarded ports. | 332 | forwarded ports. |