- stevesk@cvs.openbsd.org 2002/09/11 17:55:03

     [ssh.1]
     add agent and X11 forwarding warning text from ssh_config.5; ok markus@

2 files changed, 18 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 5ee66174f..d0ff109ae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,9 @@
      [ssh-agent.c]
      check the euid of the connecting process with getpeereid(2); 
      ok provos deraadt stevesk
+   - stevesk@cvs.openbsd.org 2002/09/11 17:55:03
+     [ssh.1]
+     add agent and X11 forwarding warning text from ssh_config.5; ok markus@
 
 20020911
  - (djm) Sync openbsd-compat with OpenBSD -current
@@ -1635,4 +1638,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2455 2002/09/11 23:51:10 djm Exp $
+$Id: ChangeLog,v 1.2456 2002/09/11 23:52:03 djm Exp $
diff --git a/ssh.1 b/ssh.1
index fa25d5641..ce0dd291d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.164 2002/08/29 16:02:54 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.165 2002/09/11 17:55:03 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -402,6 +402,13 @@ Disables forwarding of the authentication agent connection.
 .It Fl A
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
 Specify the interface to transmit from on machines with multiple
 interfaces or aliased addresses.
@@ -558,6 +565,12 @@ Disables X11 forwarding.
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).