Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 43 |
1 files changed, 35 insertions, 8 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 6d94220b0..67fa0845c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -50,10 +50,16 @@ | |||
50 | .Nm ssh | 50 | .Nm ssh |
51 | obtains configuration data from the following sources in | 51 | obtains configuration data from the following sources in |
52 | the following order: | 52 | the following order: |
53 | command line options, user's configuration file | 53 | .Bl -enum -offset indent -compact |
54 | .Pq Pa $HOME/.ssh/config , | 54 | .It |
55 | and system-wide configuration file | 55 | command-line options |
56 | .Pq Pa /etc/ssh/ssh_config . | 56 | .It |
57 | user's configuration file | ||
58 | .Pq Pa $HOME/.ssh/config | ||
59 | .It | ||
60 | system-wide configuration file | ||
61 | .Pq Pa /etc/ssh/ssh_config | ||
62 | .El | ||
57 | .Pp | 63 | .Pp |
58 | For each parameter, the first obtained value | 64 | For each parameter, the first obtained value |
59 | will be used. | 65 | will be used. |
@@ -259,6 +265,13 @@ or | |||
259 | .Dq no . | 265 | .Dq no . |
260 | The default is | 266 | The default is |
261 | .Dq no . | 267 | .Dq no . |
268 | .Pp | ||
269 | Agent forwarding should be enabled with caution. Users with the | ||
270 | ability to bypass file permissions on the remote host (for the agent's | ||
271 | Unix-domain socket) can access the local agent through the forwarded | ||
272 | connection. An attacker cannot obtain key material from the agent, | ||
273 | however they can perform operations on the keys that enable them to | ||
274 | authenticate using the identities loaded into the agent. | ||
262 | .It Cm ForwardX11 | 275 | .It Cm ForwardX11 |
263 | Specifies whether X11 connections will be automatically redirected | 276 | Specifies whether X11 connections will be automatically redirected |
264 | over the secure channel and | 277 | over the secure channel and |
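Review bot: the new ForwardAgent paragraph has a comma splice in "An attacker cannot obtain key material from the agent, however they can perform operations on the keys"; split it into two sentences (or use a semicolon before "however"), and, per mdoc's new-sentence-new-line convention, start "Users with the" and "An attacker" on their own source lines so roff spacing between sentences is handled correctly. The substance is right and worth keeping as worded: what a forwarded connection exposes is the ability to use the loaded identities for authentication, not the private key bytes, and placing the caveat directly after the default value is the right spot.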
@@ -270,6 +283,12 @@ or | |||
270 | .Dq no . | 283 | .Dq no . |
271 | The default is | 284 | The default is |
272 | .Dq no . | 285 | .Dq no . |
286 | .Pp | ||
287 | X11 forwarding should be enabled with caution. Users with the ability | ||
288 | to bypass file permissions on the remote host (for the user's X | ||
289 | authorization database) can access the local X11 display through the | ||
290 | forwarded connection. An attacker may then be able to perform | ||
291 | activities such as keystroke monitoring. | ||
273 | .It Cm GatewayPorts | 292 | .It Cm GatewayPorts |
274 | Specifies whether remote hosts are allowed to connect to local | 293 | Specifies whether remote hosts are allowed to connect to local |
275 | forwarded ports. | 294 | forwarded ports. |
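Review bot: same sentence-layout point for the ForwardX11 paragraph as for the ForwardAgent one: "An attacker may then be able to perform" follows a period mid-line and should begin a new source line. Since the caveat refers to "the user's X authorization database" without naming it, consider adding a cross-reference to .Xr xauth 1, which this page already references under XAuthLocation, so readers can find what that database is and where it lives.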
@@ -342,7 +361,6 @@ identities will be tried in sequence. | |||
342 | Specifies whether the system should send TCP keepalive messages to the | 361 | Specifies whether the system should send TCP keepalive messages to the |
343 | other side. | 362 | other side. |
344 | If they are sent, death of the connection or crash of one | 363 | If they are sent, death of the connection or crash of one |
345 | of the machines will be properly noticed. | ||
346 | of the machines will be properly noticed. This option only uses TCP | 364 | of the machines will be properly noticed. This option only uses TCP |
347 | keepalives (as opposed to using ssh level keepalives), so takes a long | 365 | keepalives (as opposed to using ssh level keepalives), so takes a long |
348 | time to notice when the connection dies. As such, you probably want | 366 | time to notice when the connection dies. As such, you probably want |
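Review bot: the deleted line was a verbatim duplicate of "of the machines will be properly noticed." that immediately follows it, so this hunk is a straight cleanup and correct. While here, the surrounding context lines pack several sentences per line ("...noticed. This option only uses TCP" and "...dies. As such, you probably want"); mdoc expects each sentence to start on a new line, so a follow-up reflow of this paragraph would be worthwhile.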
@@ -512,7 +530,12 @@ or | |||
512 | .Dq no . | 530 | .Dq no . |
513 | The default is | 531 | The default is |
514 | .Dq no . | 532 | .Dq no . |
515 | This option applies to protocol version 1 only. | 533 | This option applies to protocol version 1 only and requires |
534 | .Nm ssh | ||
535 | to be setuid root and | ||
536 | .Cm UsePrivilegedPort | ||
537 | to be set to | ||
538 | .Dq yes . | ||
516 | .It Cm RhostsRSAAuthentication | 539 | .It Cm RhostsRSAAuthentication |
517 | Specifies whether to try rhosts based authentication with RSA host | 540 | Specifies whether to try rhosts based authentication with RSA host |
518 | authentication. | 541 | authentication. |
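Review bot: the requirement added here for RhostsAuthentication (ssh setuid root and UsePrivilegedPort set to yes) restates a condition that the UsePrivilegedPort hunk later in this diff also spells out ("If set to yes ssh must be setuid root"); keep the wording aligned in both places or have one refer to the other so they do not drift apart on future edits. The macro usage is consistent with the rest of the entry: `.Dq yes .` keeps the period outside the quotes just as the preceding `.Dq no .` does.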
@@ -600,6 +623,10 @@ or | |||
600 | .Dq no . | 623 | .Dq no . |
601 | The default is | 624 | The default is |
602 | .Dq no . | 625 | .Dq no . |
626 | If set to | ||
627 | .Dq yes | ||
628 | .Nm ssh | ||
629 | must be setuid root. | ||
603 | Note that this option must be set to | 630 | Note that this option must be set to |
604 | .Dq yes | 631 | .Dq yes |
605 | if | 632 | if |
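Review bot: the inserted sentence lacks a comma after the quoted value and renders as "If set to yes ssh must be setuid root."; write the line as `.Dq yes ,` so mdoc attaches the comma outside the quotes, giving "If set to yes, ssh must be setuid root." Also, the pre-existing text right after it ("Note that this option must be set to yes if ...") is a second "yes" condition on the same option, so the two could be folded into one sentence or at least a single paragraph to avoid reading as two separate notes.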
@@ -617,7 +644,7 @@ Specifies a file to use for the user | |||
617 | host key database instead of | 644 | host key database instead of |
618 | .Pa $HOME/.ssh/known_hosts . | 645 | .Pa $HOME/.ssh/known_hosts . |
619 | .It Cm XAuthLocation | 646 | .It Cm XAuthLocation |
620 | Specifies the location of the | 647 | Specifies the full pathname of the |
621 | .Xr xauth 1 | 648 | .Xr xauth 1 |
622 | program. | 649 | program. |
623 | The default is | 650 | The default is |