- djm@cvs.openbsd.org 2005/03/02 02:21:07

[ssh.1] bz#987: mention ForwardX11Trusted in ssh.1, reported by andrew.benham AT thus.net; ok deraadt@
author: Damien Miller <djm@mindrot.org> 2005-03-02 13:22:30 +1100
committer: Damien Miller <djm@mindrot.org> 2005-03-02 13:22:30 +1100
commit: 947219e6e6d8be46d42c70239a907e4227e62d4a (patch)
tree: 0e1fe7d686fbcd488055e5bbb1383a3b8e363d7c /ssh.1
parent: 89eac8010a80589bcd3abda8f253cd0cd3d2088c (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/ssh.1 b/ssh.1
index a7ff8d731..d7cc83c1b 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.202 2005/03/01 14:47:58 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.203 2005/03/02 02:21:07 djm Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -831,10 +831,23 @@ Users with the ability to bypass file permissions on the remote host
 (for the user's X authorization database)
 can access the local X11 display through the forwarded connection.
 An attacker may then be able to perform activities such as keystroke monitoring.
+.Pp
+For this reason, X11 forwarding is subjected X11 SECURITY extension
+restrictions by default.
+Please refer to the
+.Nm
+.Fl Y
+option and the
+.Cm ForwardX11Trusted
+directive in
+.Xr ssh_config 5
+for more information.
 .It Fl x
 Disables X11 forwarding.
 .It Fl Y
 Enables trusted X11 forwarding.
+Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+controls.
 .El
 .Sh CONFIGURATION FILES
 .Nm
author	Damien Miller <djm@mindrot.org>	2005-03-02 13:22:30 +1100
committer	Damien Miller <djm@mindrot.org>	2005-03-02 13:22:30 +1100
commit	947219e6e6d8be46d42c70239a907e4227e62d4a (patch)
tree	0e1fe7d686fbcd488055e5bbb1383a3b8e363d7c /ssh.1
parent	89eac8010a80589bcd3abda8f253cd0cd3d2088c (diff)

diff --git a/ssh.1 b/ssh.1 index a7ff8d731..d7cc83c1b 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.202 2005/03/01 14:47:58 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.203 2005/03/02 02:21:07 djm Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -831,10 +831,23 @@ Users with the ability to bypass file permissions on the remote host
831	(for the user's X authorization database)	831	(for the user's X authorization database)
832	can access the local X11 display through the forwarded connection.	832	can access the local X11 display through the forwarded connection.
833	An attacker may then be able to perform activities such as keystroke monitoring.	833	An attacker may then be able to perform activities such as keystroke monitoring.
		834	.Pp
		835	For this reason, X11 forwarding is subjected X11 SECURITY extension
		836	restrictions by default.
		837	Please refer to the
		838	.Nm
		839	.Fl Y
		840	option and the
		841	.Cm ForwardX11Trusted
		842	directive in
		843	.Xr ssh_config 5
		844	for more information.
834	.It Fl x	845	.It Fl x
835	Disables X11 forwarding.	846	Disables X11 forwarding.
836	.It Fl Y	847	.It Fl Y
837	Enables trusted X11 forwarding.	848	Enables trusted X11 forwarding.
		849	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
		850	controls.
838	.El	851	.El
839	.Sh CONFIGURATION FILES	852	.Sh CONFIGURATION FILES
840	.Nm	853	.Nm