Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 857cc9640..82eda0a18 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.2 2002/08/17 23:55:01 stevesk Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.3 2002/08/27 17:18:40 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -258,6 +258,13 @@ or | |||
258 | .Dq no . | 258 | .Dq no . |
259 | The default is | 259 | The default is |
260 | .Dq no . | 260 | .Dq no . |
261 | .Pp | ||
262 | Agent forwarding should be enabled with caution. Users with the | ||
263 | ability to bypass file permissions on the remote host (for the agent's | ||
264 | Unix-domain socket) can access the local agent through the forwarded | ||
265 | connection. An attacker cannot obtain key material from the agent, | ||
266 | however they can perform operations on the keys that enable them to | ||
267 | authenticate using the identities loaded into the agent. | ||
261 | .It Cm ForwardX11 | 268 | .It Cm ForwardX11 |
262 | Specifies whether X11 connections will be automatically redirected | 269 | Specifies whether X11 connections will be automatically redirected |
263 | over the secure channel and | 270 | over the secure channel and |
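Review bot: the last added sentence (new lines 265-267) joins two independent clauses with ", however", which reads as a comma splice in the rendered page. Suggest ending the first sentence after "from the agent" and starting the next with "However, they can perform operations on the keys ...". Two sentences also begin mid-line in the added text ("Users with the" on 262, "An attacker cannot" on 265). Starting each sentence on its own source line is the usual mdoc convention, and it keeps later diffs to this paragraph smaller.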
@@ -269,6 +276,12 @@ or | |||
269 | .Dq no . | 276 | .Dq no . |
270 | The default is | 277 | The default is |
271 | .Dq no . | 278 | .Dq no . |
279 | .Pp | ||
280 | X11 forwarding should be enabled with caution. Users with the ability | ||
281 | to bypass file permissions on the remote host (for the user's X | ||
282 | authorization database) can access the local X11 display through the | ||
283 | forwarded connection. An attacker may then be able to perform | ||
284 | activities such as keystroke monitoring. | ||
272 | .It Cm GatewayPorts | 285 | .It Cm GatewayPorts |
273 | Specifies whether remote hosts are allowed to connect to local | 286 | Specifies whether remote hosts are allowed to connect to local |
274 | forwarded ports. | 287 | forwarded ports. |
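Review bot: in the added sentence at new lines 280-283, "Users" refers to whoever can bypass permissions, while "the user's" in the parenthetical refers to the person running the forwarded session, so the same word carries two roles in one sentence. The parenthetical is also separated from "file permissions" by "on the remote host". Suggest something like "Users on the remote host who can bypass the file permissions on the X authorization database of the forwarding user can access ...". "Activities such as keystroke monitoring" is the only concrete consequence given. If other effects are intended, naming one more would help readers judge the risk.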