diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | ssh.1 | 15 |
2 files changed, 18 insertions, 2 deletions
| @@ -15,6 +15,9 @@ | |||
| 15 | [ssh-agent.c] | 15 | [ssh-agent.c] |
| 16 | check the euid of the connecting process with getpeereid(2); | 16 | check the euid of the connecting process with getpeereid(2); |
| 17 | ok provos deraadt stevesk | 17 | ok provos deraadt stevesk |
| 18 | - stevesk@cvs.openbsd.org 2002/09/11 17:55:03 | ||
| 19 | [ssh.1] | ||
| 20 | add agent and X11 forwarding warning text from ssh_config.5; ok markus@ | ||
| 18 | 21 | ||
| 19 | 20020911 | 22 | 20020911 |
| 20 | - (djm) Sync openbsd-compat with OpenBSD -current | 23 | - (djm) Sync openbsd-compat with OpenBSD -current |
| @@ -1635,4 +1638,4 @@ | |||
| 1635 | - (stevesk) entropy.c: typo in debug message | 1638 | - (stevesk) entropy.c: typo in debug message |
| 1636 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 1639 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
| 1637 | 1640 | ||
| 1638 | $Id: ChangeLog,v 1.2455 2002/09/11 23:51:10 djm Exp $ | 1641 | $Id: ChangeLog,v 1.2456 2002/09/11 23:52:03 djm Exp $ |
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: ssh.1,v 1.164 2002/08/29 16:02:54 stevesk Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.165 2002/09/11 17:55:03 stevesk Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
| 40 | .Os | 40 | .Os |
| @@ -402,6 +402,13 @@ Disables forwarding of the authentication agent connection. | |||
| 402 | .It Fl A | 402 | .It Fl A |
| 403 | Enables forwarding of the authentication agent connection. | 403 | Enables forwarding of the authentication agent connection. |
| 404 | This can also be specified on a per-host basis in a configuration file. | 404 | This can also be specified on a per-host basis in a configuration file. |
| 405 | .Pp | ||
| 406 | Agent forwarding should be enabled with caution. Users with the | ||
| 407 | ability to bypass file permissions on the remote host (for the agent's | ||
| 408 | Unix-domain socket) can access the local agent through the forwarded | ||
| 409 | connection. An attacker cannot obtain key material from the agent, | ||
| 410 | however they can perform operations on the keys that enable them to | ||
| 411 | authenticate using the identities loaded into the agent. | ||
| 405 | .It Fl b Ar bind_address | 412 | .It Fl b Ar bind_address |
| 406 | Specify the interface to transmit from on machines with multiple | 413 | Specify the interface to transmit from on machines with multiple |
| 407 | interfaces or aliased addresses. | 414 | interfaces or aliased addresses. |
| @@ -558,6 +565,12 @@ Disables X11 forwarding. | |||
| 558 | .It Fl X | 565 | .It Fl X |
| 559 | Enables X11 forwarding. | 566 | Enables X11 forwarding. |
| 560 | This can also be specified on a per-host basis in a configuration file. | 567 | This can also be specified on a per-host basis in a configuration file. |
| 568 | .Pp | ||
| 569 | X11 forwarding should be enabled with caution. Users with the ability | ||
| 570 | to bypass file permissions on the remote host (for the user's X | ||
| 571 | authorization database) can access the local X11 display through the | ||
| 572 | forwarded connection. An attacker may then be able to perform | ||
| 573 | activities such as keystroke monitoring. | ||
| 561 | .It Fl C | 574 | .It Fl C |
| 562 | Requests compression of all data (including stdin, stdout, stderr, and | 575 | Requests compression of all data (including stdin, stdout, stderr, and |
| 563 | data for forwarded X11 and TCP/IP connections). | 576 | data for forwarded X11 and TCP/IP connections). |