upstream: improve the text for -A a little; input from naddy and

djm OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
author: jmc@openbsd.org <jmc@openbsd.org> 2019-11-28 12:24:31 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-29 11:17:39 +1100
commit: d39a865b7af93a7a9b5a64cf7cf0ef4396c80ba3 (patch)
tree: 2ad35f25f204e42191dde176dd3a6d3efa2af6ce /ssh.1
parent: 9a0e01bd0c61f553ead96b5af84abd73865847b8 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/ssh.1 b/ssh.1
index 1ce0864c7..b96298ebd 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.406 2019/11/18 23:16:49 naddy Exp $
+.\" $OpenBSD: ssh.1,v 1.407 2019/11/28 12:24:31 jmc Exp $
-.Dd $Mdocdate: November 18 2019 $
+.Dd $Mdocdate: November 28 2019 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -110,7 +110,8 @@ Forces
 to use IPv6 addresses only.
 .Pp
 .It Fl A
-Enables forwarding of the authentication agent connection.
+Enables forwarding of connections from an authentication agent such as
+.Xr ssh-agent 1 .
 This can also be specified on a per-host basis in a configuration file.
 .Pp
 Agent forwarding should be enabled with caution.
@@ -121,6 +122,9 @@ socket) can access the local agent through the forwarded connection.
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
+A safer alternative may be to use a jump host
+(see
+.Fl J ) .
 .Pp
 .It Fl a
 Disables forwarding of the authentication agent connection.
author	jmc@openbsd.org <jmc@openbsd.org>	2019-11-28 12:24:31 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-29 11:17:39 +1100
commit	d39a865b7af93a7a9b5a64cf7cf0ef4396c80ba3 (patch)
tree	2ad35f25f204e42191dde176dd3a6d3efa2af6ce /ssh.1
parent	9a0e01bd0c61f553ead96b5af84abd73865847b8 (diff)

diff --git a/ssh.1 b/ssh.1 index 1ce0864c7..b96298ebd 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.406 2019/11/18 23:16:49 naddy Exp $	36	.\" $OpenBSD: ssh.1,v 1.407 2019/11/28 12:24:31 jmc Exp $
37	.Dd $Mdocdate: November 18 2019 $	37	.Dd $Mdocdate: November 28 2019 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -110,7 +110,8 @@ Forces
110	to use IPv6 addresses only.	110	to use IPv6 addresses only.
111	.Pp	111	.Pp
112	.It Fl A	112	.It Fl A
113	Enables forwarding of the authentication agent connection.	113	Enables forwarding of connections from an authentication agent such as
		114	.Xr ssh-agent 1 .
114	This can also be specified on a per-host basis in a configuration file.	115	This can also be specified on a per-host basis in a configuration file.
115	.Pp	116	.Pp
116	Agent forwarding should be enabled with caution.	117	Agent forwarding should be enabled with caution.
@@ -121,6 +122,9 @@ socket) can access the local agent through the forwarded connection.
121	An attacker cannot obtain key material from the agent,	122	An attacker cannot obtain key material from the agent,
122	however they can perform operations on the keys that enable them to	123	however they can perform operations on the keys that enable them to
123	authenticate using the identities loaded into the agent.	124	authenticate using the identities loaded into the agent.
		125	A safer alternative may be to use a jump host
		126	(see
		127	.Fl J ) .
124	.Pp	128	.Pp
125	.It Fl a	129	.It Fl a
126	Disables forwarding of the authentication agent connection.	130	Disables forwarding of the authentication agent connection.