Debian release 3.5p1-1.

author: Colin Watson <cjwatson@debian.org> 2003-09-01 02:05:26 +0000
committer: Colin Watson <cjwatson@debian.org> 2003-09-01 02:05:26 +0000
commit: 6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch)
tree: 1bf23174bdb6fc71e2846dda0eca195a418484e7 /ssh_config.5
parent: 2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff)
parent: 58657d96514cd6f16d82add8d6f4adbb36765758 (diff)
1 files changed, 35 insertions, 8 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 6d94220b0..67fa0845c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -50,10 +50,16 @@
 .Nm ssh
 obtains configuration data from the following sources in
 the following order:
-command line options, user's configuration file
+.Bl -enum -offset indent -compact
-.Pq Pa $HOME/.ssh/config ,
+.It
-and system-wide configuration file
+command-line options
-.Pq Pa /etc/ssh/ssh_config .
+.It
+user's configuration file
+.Pq Pa $HOME/.ssh/config
+.It
+system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config
+.El
 .Pp
 For each parameter, the first obtained value
 will be used.
@@ -259,6 +265,13 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
@@ -270,6 +283,12 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
@@ -342,7 +361,6 @@ identities will be tried in sequence.
 Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
 of the machines will be properly noticed.  This option only uses TCP
 keepalives (as opposed to using ssh level keepalives), so takes a long
 time to notice when the connection dies.  As such, you probably want
@@ -512,7 +530,12 @@ or
 .Dq no .
 The default is
 .Dq no .
-This option applies to protocol version 1 only.
+This option applies to protocol version 1 only and requires
+.Nm ssh
+to be setuid root and
+.Cm UsePrivilegedPort
+to be set to
+.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -600,6 +623,10 @@ or
 .Dq no .
 The default is
 .Dq no .
+If set to
+.Dq yes
+.Nm ssh
+must be setuid root.
 Note that this option must be set to
 .Dq yes
 if
@@ -617,7 +644,7 @@ Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
 .It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
 .Xr xauth 1
 program.
 The default is
author	Colin Watson <cjwatson@debian.org>	2003-09-01 02:05:26 +0000
committer	Colin Watson <cjwatson@debian.org>	2003-09-01 02:05:26 +0000
commit	6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch)
tree	1bf23174bdb6fc71e2846dda0eca195a418484e7 /ssh_config.5
parent	2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff)
parent	58657d96514cd6f16d82add8d6f4adbb36765758 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 6d94220b0..67fa0845c 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -50,10 +50,16 @@
50	.Nm ssh	50	.Nm ssh
51	obtains configuration data from the following sources in	51	obtains configuration data from the following sources in
52	the following order:	52	the following order:
53	command line options, user's configuration file	53	.Bl -enum -offset indent -compact
54	.Pq Pa $HOME/.ssh/config ,	54	.It
55	and system-wide configuration file	55	command-line options
56	.Pq Pa /etc/ssh/ssh_config .	56	.It
		57	user's configuration file
		58	.Pq Pa $HOME/.ssh/config
		59	.It
		60	system-wide configuration file
		61	.Pq Pa /etc/ssh/ssh_config
		62	.El
57	.Pp	63	.Pp
58	For each parameter, the first obtained value	64	For each parameter, the first obtained value
59	will be used.	65	will be used.
@@ -259,6 +265,13 @@ or
259	.Dq no .	265	.Dq no .
260	The default is	266	The default is
261	.Dq no .	267	.Dq no .
		268	.Pp
		269	Agent forwarding should be enabled with caution. Users with the
		270	ability to bypass file permissions on the remote host (for the agent's
		271	Unix-domain socket) can access the local agent through the forwarded
		272	connection. An attacker cannot obtain key material from the agent,
		273	however they can perform operations on the keys that enable them to
		274	authenticate using the identities loaded into the agent.
262	.It Cm ForwardX11	275	.It Cm ForwardX11
263	Specifies whether X11 connections will be automatically redirected	276	Specifies whether X11 connections will be automatically redirected
264	over the secure channel and	277	over the secure channel and
@@ -270,6 +283,12 @@ or
270	.Dq no .	283	.Dq no .
271	The default is	284	The default is
272	.Dq no .	285	.Dq no .
		286	.Pp
		287	X11 forwarding should be enabled with caution. Users with the ability
		288	to bypass file permissions on the remote host (for the user's X
		289	authorization database) can access the local X11 display through the
		290	forwarded connection. An attacker may then be able to perform
		291	activities such as keystroke monitoring.
273	.It Cm GatewayPorts	292	.It Cm GatewayPorts
274	Specifies whether remote hosts are allowed to connect to local	293	Specifies whether remote hosts are allowed to connect to local
275	forwarded ports.	294	forwarded ports.
@@ -342,7 +361,6 @@ identities will be tried in sequence.
342	Specifies whether the system should send TCP keepalive messages to the	361	Specifies whether the system should send TCP keepalive messages to the
343	other side.	362	other side.
344	If they are sent, death of the connection or crash of one	363	If they are sent, death of the connection or crash of one
345	of the machines will be properly noticed.
346	of the machines will be properly noticed. This option only uses TCP	364	of the machines will be properly noticed. This option only uses TCP
347	keepalives (as opposed to using ssh level keepalives), so takes a long	365	keepalives (as opposed to using ssh level keepalives), so takes a long
348	time to notice when the connection dies. As such, you probably want	366	time to notice when the connection dies. As such, you probably want
@@ -512,7 +530,12 @@ or
512	.Dq no .	530	.Dq no .
513	The default is	531	The default is
514	.Dq no .	532	.Dq no .
515	This option applies to protocol version 1 only.	533	This option applies to protocol version 1 only and requires
		534	.Nm ssh
		535	to be setuid root and
		536	.Cm UsePrivilegedPort
		537	to be set to
		538	.Dq yes .
516	.It Cm RhostsRSAAuthentication	539	.It Cm RhostsRSAAuthentication
517	Specifies whether to try rhosts based authentication with RSA host	540	Specifies whether to try rhosts based authentication with RSA host
518	authentication.	541	authentication.
@@ -600,6 +623,10 @@ or
600	.Dq no .	623	.Dq no .
601	The default is	624	The default is
602	.Dq no .	625	.Dq no .
		626	If set to
		627	.Dq yes
		628	.Nm ssh
		629	must be setuid root.
603	Note that this option must be set to	630	Note that this option must be set to
604	.Dq yes	631	.Dq yes
605	if	632	if
@@ -617,7 +644,7 @@ Specifies a file to use for the user
617	host key database instead of	644	host key database instead of
618	.Pa $HOME/.ssh/known_hosts .	645	.Pa $HOME/.ssh/known_hosts .
619	.It Cm XAuthLocation	646	.It Cm XAuthLocation
620	Specifies the location of the	647	Specifies the full pathname of the
621	.Xr xauth 1	648	.Xr xauth 1
622	program.	649	program.
623	The default is	650	The default is