Debian release 3.5p1-1.

author: Colin Watson <cjwatson@debian.org> 2003-09-01 02:05:26 +0000
committer: Colin Watson <cjwatson@debian.org> 2003-09-01 02:05:26 +0000
commit: 6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch)
tree: 1bf23174bdb6fc71e2846dda0eca195a418484e7 /ssh.1
parent: 2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff)
parent: 58657d96514cd6f16d82add8d6f4adbb36765758 (diff)
1 files changed, 37 insertions, 20 deletions
diff --git a/ssh.1 b/ssh.1
index 1c407c5bd..d8999da48 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $
+.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -48,7 +48,7 @@
 .Op Ar command
 .Pp
 .Nm ssh
-.Op Fl afgknqstvxACNPTX1246
+.Op Fl afgknqstvxACNTX1246
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl e Ar escape_char
@@ -353,9 +353,17 @@ the connection is opened.
 The real authentication cookie is never
 sent to the server machine (and no cookies are sent in the plain).
 .Pp
-If the user is using an authentication agent, the connection to the agent
+If the
-is automatically forwarded to the remote side unless disabled on
+.Cm ForwardAgent
-the command line or in a configuration file.
+variable is set to
+.Dq yes
+(or, see the description of the
+.Fl A
+and
+.Fl a
+options described later) and 
+the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side.
 .Pp
 Forwarding of arbitrary TCP/IP connections over the secure channel can
 be specified either on the command line or in a configuration file.
@@ -394,6 +402,13 @@ Disables forwarding of the authentication agent connection.
 .It Fl A
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
 Specify the interface to transmit from on machines with multiple
 interfaces or aliased addresses.
@@ -515,15 +530,6 @@ command-line flag.
 Port to connect to on the remote host.
 This can be specified on a
 per-host basis in the configuration file.
-.It Fl P
-Use a non-privileged port for outgoing connections.
-This can be used if a firewall does
-not permit connections from privileged ports.
-Note that this option turns off
-.Cm RhostsAuthentication
-and
-.Cm RhostsRSAAuthentication
-for older servers.
 .It Fl q
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
@@ -563,6 +569,12 @@ Disables X11 forwarding.
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
@@ -572,7 +584,7 @@ and the
 .Dq level
 can be controlled by the
 .Cm CompressionLevel
-option.
+option for protocol version 1.
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@@ -718,11 +730,11 @@ to make this work.)
 .It Ev SSH_AUTH_SOCK
 Identifies the path of a unix-domain socket used to communicate with the
 agent.
-.It Ev SSH_CLIENT
+.It Ev SSH_CONNECTION
-Identifies the client end of the connection.
+Identifies the client and server ends of the connection.
 The variable contains
-three space-separated values: client ip-address, client port number,
+four space-separated values: client ip-address, client port number,
-and server port number.
+server ip-address and server port number.
 .It Ev SSH_ORIGINAL_COMMAND
 The variable contains the original command line if a forced command
 is executed.
@@ -746,7 +758,12 @@ reads
 .Pa $HOME/.ssh/environment ,
 and adds lines of the format
 .Dq VARNAME=value
-to the environment.
+to the environment if the file exists and if users are allowed to
+change their environment.
+See the
+.Cm PermitUserEnvironment
+option in
+.Xr sshd_config 5 .
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa $HOME/.ssh/known_hosts
author	Colin Watson <cjwatson@debian.org>	2003-09-01 02:05:26 +0000
committer	Colin Watson <cjwatson@debian.org>	2003-09-01 02:05:26 +0000
commit	6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch)
tree	1bf23174bdb6fc71e2846dda0eca195a418484e7 /ssh.1
parent	2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff)
parent	58657d96514cd6f16d82add8d6f4adbb36765758 (diff)

diff --git a/ssh.1 b/ssh.1 index 1c407c5bd..d8999da48 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $	37	.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -48,7 +48,7 @@
48	.Op Ar command	48	.Op Ar command
49	.Pp	49	.Pp
50	.Nm ssh	50	.Nm ssh
51	.Op Fl afgknqstvxACNPTX1246	51	.Op Fl afgknqstvxACNTX1246
52	.Op Fl b Ar bind_address	52	.Op Fl b Ar bind_address
53	.Op Fl c Ar cipher_spec	53	.Op Fl c Ar cipher_spec
54	.Op Fl e Ar escape_char	54	.Op Fl e Ar escape_char
@@ -353,9 +353,17 @@ the connection is opened.
353	The real authentication cookie is never	353	The real authentication cookie is never
354	sent to the server machine (and no cookies are sent in the plain).	354	sent to the server machine (and no cookies are sent in the plain).
355	.Pp	355	.Pp
356	If the user is using an authentication agent, the connection to the agent	356	If the
357	is automatically forwarded to the remote side unless disabled on	357	.Cm ForwardAgent
358	the command line or in a configuration file.	358	variable is set to
		359	.Dq yes
		360	(or, see the description of the
		361	.Fl A
		362	and
		363	.Fl a
		364	options described later) and
		365	the user is using an authentication agent, the connection to the agent
		366	is automatically forwarded to the remote side.
359	.Pp	367	.Pp
360	Forwarding of arbitrary TCP/IP connections over the secure channel can	368	Forwarding of arbitrary TCP/IP connections over the secure channel can
361	be specified either on the command line or in a configuration file.	369	be specified either on the command line or in a configuration file.
@@ -394,6 +402,13 @@ Disables forwarding of the authentication agent connection.
394	.It Fl A	402	.It Fl A
395	Enables forwarding of the authentication agent connection.	403	Enables forwarding of the authentication agent connection.
396	This can also be specified on a per-host basis in a configuration file.	404	This can also be specified on a per-host basis in a configuration file.
		405	.Pp
		406	Agent forwarding should be enabled with caution. Users with the
		407	ability to bypass file permissions on the remote host (for the agent's
		408	Unix-domain socket) can access the local agent through the forwarded
		409	connection. An attacker cannot obtain key material from the agent,
		410	however they can perform operations on the keys that enable them to
		411	authenticate using the identities loaded into the agent.
397	.It Fl b Ar bind_address	412	.It Fl b Ar bind_address
398	Specify the interface to transmit from on machines with multiple	413	Specify the interface to transmit from on machines with multiple
399	interfaces or aliased addresses.	414	interfaces or aliased addresses.
@@ -515,15 +530,6 @@ command-line flag.
515	Port to connect to on the remote host.	530	Port to connect to on the remote host.
516	This can be specified on a	531	This can be specified on a
517	per-host basis in the configuration file.	532	per-host basis in the configuration file.
518	.It Fl P
519	Use a non-privileged port for outgoing connections.
520	This can be used if a firewall does
521	not permit connections from privileged ports.
522	Note that this option turns off
523	.Cm RhostsAuthentication
524	and
525	.Cm RhostsRSAAuthentication
526	for older servers.
527	.It Fl q	533	.It Fl q
528	Quiet mode.	534	Quiet mode.
529	Causes all warning and diagnostic messages to be suppressed.	535	Causes all warning and diagnostic messages to be suppressed.
@@ -563,6 +569,12 @@ Disables X11 forwarding.
563	.It Fl X	569	.It Fl X
564	Enables X11 forwarding.	570	Enables X11 forwarding.
565	This can also be specified on a per-host basis in a configuration file.	571	This can also be specified on a per-host basis in a configuration file.
		572	.Pp
		573	X11 forwarding should be enabled with caution. Users with the ability
		574	to bypass file permissions on the remote host (for the user's X
		575	authorization database) can access the local X11 display through the
		576	forwarded connection. An attacker may then be able to perform
		577	activities such as keystroke monitoring.
566	.It Fl C	578	.It Fl C
567	Requests compression of all data (including stdin, stdout, stderr, and	579	Requests compression of all data (including stdin, stdout, stderr, and
568	data for forwarded X11 and TCP/IP connections).	580	data for forwarded X11 and TCP/IP connections).
@@ -572,7 +584,7 @@ and the
572	.Dq level	584	.Dq level
573	can be controlled by the	585	can be controlled by the
574	.Cm CompressionLevel	586	.Cm CompressionLevel
575	option.	587	option for protocol version 1.
576	Compression is desirable on modem lines and other	588	Compression is desirable on modem lines and other
577	slow connections, but will only slow down things on fast networks.	589	slow connections, but will only slow down things on fast networks.
578	The default value can be set on a host-by-host basis in the	590	The default value can be set on a host-by-host basis in the
@@ -718,11 +730,11 @@ to make this work.)
718	.It Ev SSH_AUTH_SOCK	730	.It Ev SSH_AUTH_SOCK
719	Identifies the path of a unix-domain socket used to communicate with the	731	Identifies the path of a unix-domain socket used to communicate with the
720	agent.	732	agent.
721	.It Ev SSH_CLIENT	733	.It Ev SSH_CONNECTION
722	Identifies the client end of the connection.	734	Identifies the client and server ends of the connection.
723	The variable contains	735	The variable contains
724	three space-separated values: client ip-address, client port number,	736	four space-separated values: client ip-address, client port number,
725	and server port number.	737	server ip-address and server port number.
726	.It Ev SSH_ORIGINAL_COMMAND	738	.It Ev SSH_ORIGINAL_COMMAND
727	The variable contains the original command line if a forced command	739	The variable contains the original command line if a forced command
728	is executed.	740	is executed.
@@ -746,7 +758,12 @@ reads
746	.Pa $HOME/.ssh/environment ,	758	.Pa $HOME/.ssh/environment ,
747	and adds lines of the format	759	and adds lines of the format
748	.Dq VARNAME=value	760	.Dq VARNAME=value
749	to the environment.	761	to the environment if the file exists and if users are allowed to
		762	change their environment.
		763	See the
		764	.Cm PermitUserEnvironment
		765	option in
		766	.Xr sshd_config 5 .
750	.Sh FILES	767	.Sh FILES
751	.Bl -tag -width Ds	768	.Bl -tag -width Ds
752	.It Pa $HOME/.ssh/known_hosts	769	.It Pa $HOME/.ssh/known_hosts