2 files changed, 32 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index aaadccdbb..63bfc9f54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,9 @@
   - stevesk@cvs.openbsd.org 2002/09/16 19:55:33
     [session.c]
     log when _PATH_NOLOGIN exists; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/16 20:12:11
+     [sshd_config.5]
+     more details on X11Forwarding security issues and threats; ok markus@
 20020912
 - (djm) Made GNOME askpass programs return non-zero if cancel button is 
@@ -663,4 +666,4 @@
     save auth method before monitor_reset_key_state(); bugzilla bug #284;
     ok provos@
-$Id: ChangeLog,v 1.2467 2002/09/19 01:50:48 djm Exp $
+$Id: ChangeLog,v 1.2468 2002/09/19 01:51:21 djm Exp $
diff --git a/sshd_config.5 b/sshd_config.5
index 8d90785fc..0944ba076 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.12 2002/09/04 18:52:42 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -630,10 +630,35 @@ from interfering with real X11 servers.
 The default is 10.
 .It Cm X11Forwarding
 Specifies whether X11 forwarding is permitted.
+The argument must be
+.Dq yes
+or
+.Dq no .
 The default is
 .Dq no .
-Note that disabling X11 forwarding does not improve security in any
+.Pp
-way, as users can always install their own forwarders.
+When X11 forwarding is enabled, there may be additional exposure to
+the server and to client displays if the
+.Nm sshd
+proxy display is configured to listen on the wildcard address (see
+.Cm X11UseLocalhost
+below), however this is not the default.
+Additionally, the authentication spoofing and authentication data
+verification and substitution occur on the client side.
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the ssh client requests
+forwarding (see the warnings for
+.Cm ForwardX11
+in
+.Xr ssh_config 5 ).
+A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly
+requesting X11 forwarding, which can warrant a
+.Dq no
+setting.
+.Pp
+Note that disabling X11 forwarding does not prevent users from
+forwarding X11 traffic, as users can always install their own forwarders.
 X11 forwarding is automatically disabled if
 .Cm UseLogin
 is enabled.

diff --git a/ChangeLog b/ChangeLog index aaadccdbb..63bfc9f54 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -13,6 +13,9 @@
13	- stevesk@cvs.openbsd.org 2002/09/16 19:55:33	13	- stevesk@cvs.openbsd.org 2002/09/16 19:55:33
14	[session.c]	14	[session.c]
15	log when _PATH_NOLOGIN exists; ok markus@	15	log when _PATH_NOLOGIN exists; ok markus@
		16	- stevesk@cvs.openbsd.org 2002/09/16 20:12:11
		17	[sshd_config.5]
		18	more details on X11Forwarding security issues and threats; ok markus@
16		19
17	20020912	20	20020912
18	- (djm) Made GNOME askpass programs return non-zero if cancel button is	21	- (djm) Made GNOME askpass programs return non-zero if cancel button is
@@ -663,4 +666,4 @@
663	save auth method before monitor_reset_key_state(); bugzilla bug #284;	666	save auth method before monitor_reset_key_state(); bugzilla bug #284;
664	ok provos@	667	ok provos@
665		668
666	$Id: ChangeLog,v 1.2467 2002/09/19 01:50:48 djm Exp $	669	$Id: ChangeLog,v 1.2468 2002/09/19 01:51:21 djm Exp $


diff --git a/sshd_config.5 b/sshd_config.5 index 8d90785fc..0944ba076 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.12 2002/09/04 18:52:42 stevesk Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
@@ -630,10 +630,35 @@ from interfering with real X11 servers.
630	The default is 10.	630	The default is 10.
631	.It Cm X11Forwarding	631	.It Cm X11Forwarding
632	Specifies whether X11 forwarding is permitted.	632	Specifies whether X11 forwarding is permitted.
		633	The argument must be
		634	.Dq yes
		635	or
		636	.Dq no .
633	The default is	637	The default is
634	.Dq no .	638	.Dq no .
635	Note that disabling X11 forwarding does not improve security in any	639	.Pp
636	way, as users can always install their own forwarders.	640	When X11 forwarding is enabled, there may be additional exposure to
		641	the server and to client displays if the
		642	.Nm sshd
		643	proxy display is configured to listen on the wildcard address (see
		644	.Cm X11UseLocalhost
		645	below), however this is not the default.
		646	Additionally, the authentication spoofing and authentication data
		647	verification and substitution occur on the client side.
		648	The security risk of using X11 forwarding is that the client's X11
		649	display server may be exposed to attack when the ssh client requests
		650	forwarding (see the warnings for
		651	.Cm ForwardX11
		652	in
		653	.Xr ssh_config 5 ).
		654	A system administrator may have a stance in which they want to
		655	protect clients that may expose themselves to attack by unwittingly
		656	requesting X11 forwarding, which can warrant a
		657	.Dq no
		658	setting.
		659	.Pp
		660	Note that disabling X11 forwarding does not prevent users from
		661	forwarding X11 traffic, as users can always install their own forwarders.
637	X11 forwarding is automatically disabled if	662	X11 forwarding is automatically disabled if
638	.Cm UseLogin	663	.Cm UseLogin
639	is enabled.	664	is enabled.