1 files changed, 14 insertions, 1 deletions
diff --git a/ssh.1 b/ssh.1
index fa25d5641..ce0dd291d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.164 2002/08/29 16:02:54 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.165 2002/09/11 17:55:03 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -402,6 +402,13 @@ Disables forwarding of the authentication agent connection.
 .It Fl A
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
 Specify the interface to transmit from on machines with multiple
 interfaces or aliased addresses.
@@ -558,6 +565,12 @@ Disables X11 forwarding.
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).

diff --git a/ssh.1 b/ssh.1 index fa25d5641..ce0dd291d 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.164 2002/08/29 16:02:54 stevesk Exp $	37	.\" $OpenBSD: ssh.1,v 1.165 2002/09/11 17:55:03 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -402,6 +402,13 @@ Disables forwarding of the authentication agent connection.
402	.It Fl A	402	.It Fl A
403	Enables forwarding of the authentication agent connection.	403	Enables forwarding of the authentication agent connection.
404	This can also be specified on a per-host basis in a configuration file.	404	This can also be specified on a per-host basis in a configuration file.
		405	.Pp
		406	Agent forwarding should be enabled with caution. Users with the
		407	ability to bypass file permissions on the remote host (for the agent's
		408	Unix-domain socket) can access the local agent through the forwarded
		409	connection. An attacker cannot obtain key material from the agent,
		410	however they can perform operations on the keys that enable them to
		411	authenticate using the identities loaded into the agent.
405	.It Fl b Ar bind_address	412	.It Fl b Ar bind_address
406	Specify the interface to transmit from on machines with multiple	413	Specify the interface to transmit from on machines with multiple
407	interfaces or aliased addresses.	414	interfaces or aliased addresses.
@@ -558,6 +565,12 @@ Disables X11 forwarding.
558	.It Fl X	565	.It Fl X
559	Enables X11 forwarding.	566	Enables X11 forwarding.
560	This can also be specified on a per-host basis in a configuration file.	567	This can also be specified on a per-host basis in a configuration file.
		568	.Pp
		569	X11 forwarding should be enabled with caution. Users with the ability
		570	to bypass file permissions on the remote host (for the user's X
		571	authorization database) can access the local X11 display through the
		572	forwarded connection. An attacker may then be able to perform
		573	activities such as keystroke monitoring.
561	.It Fl C	574	.It Fl C
562	Requests compression of all data (including stdin, stdout, stderr, and	575	Requests compression of all data (including stdin, stdout, stderr, and
563	data for forwarded X11 and TCP/IP connections).	576	data for forwarded X11 and TCP/IP connections).