summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--sshd_config.531
2 files changed, 32 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index aaadccdbb..63bfc9f54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,9 @@
13 - stevesk@cvs.openbsd.org 2002/09/16 19:55:33 13 - stevesk@cvs.openbsd.org 2002/09/16 19:55:33
14 [session.c] 14 [session.c]
15 log when _PATH_NOLOGIN exists; ok markus@ 15 log when _PATH_NOLOGIN exists; ok markus@
16 - stevesk@cvs.openbsd.org 2002/09/16 20:12:11
17 [sshd_config.5]
18 more details on X11Forwarding security issues and threats; ok markus@
16 19
1720020912 2020020912
18 - (djm) Made GNOME askpass programs return non-zero if cancel button is 21 - (djm) Made GNOME askpass programs return non-zero if cancel button is
@@ -663,4 +666,4 @@
663 save auth method before monitor_reset_key_state(); bugzilla bug #284; 666 save auth method before monitor_reset_key_state(); bugzilla bug #284;
664 ok provos@ 667 ok provos@
665 668
666$Id: ChangeLog,v 1.2467 2002/09/19 01:50:48 djm Exp $ 669$Id: ChangeLog,v 1.2468 2002/09/19 01:51:21 djm Exp $
diff --git a/sshd_config.5 b/sshd_config.5
index 8d90785fc..0944ba076 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.12 2002/09/04 18:52:42 stevesk Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
@@ -630,10 +630,35 @@ from interfering with real X11 servers.
630The default is 10. 630The default is 10.
631.It Cm X11Forwarding 631.It Cm X11Forwarding
632Specifies whether X11 forwarding is permitted. 632Specifies whether X11 forwarding is permitted.
633The argument must be
634.Dq yes
635or
636.Dq no .
633The default is 637The default is
634.Dq no . 638.Dq no .
635Note that disabling X11 forwarding does not improve security in any 639.Pp
636way, as users can always install their own forwarders. 640When X11 forwarding is enabled, there may be additional exposure to
641the server and to client displays if the
642.Nm sshd
643proxy display is configured to listen on the wildcard address (see
644.Cm X11UseLocalhost
645below), however this is not the default.
646Additionally, the authentication spoofing and authentication data
647verification and substitution occur on the client side.
648The security risk of using X11 forwarding is that the client's X11
649display server may be exposed to attack when the ssh client requests
650forwarding (see the warnings for
651.Cm ForwardX11
652in
653.Xr ssh_config 5 ).
654A system administrator may have a stance in which they want to
655protect clients that may expose themselves to attack by unwittingly
656requesting X11 forwarding, which can warrant a
657.Dq no
658setting.
659.Pp
660Note that disabling X11 forwarding does not prevent users from
661forwarding X11 traffic, as users can always install their own forwarders.
637X11 forwarding is automatically disabled if 662X11 forwarding is automatically disabled if
638.Cm UseLogin 663.Cm UseLogin
639is enabled. 664is enabled.