Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 42 |
1 files changed, 35 insertions, 7 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 53cb0fe97..ac05a0cea 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
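Review bot: The .Dd line (38) still reads September 25, 1999, although the revision id on line 37 moves to 1.5 dated 2002/08/29 and the page text changes in this commit. Consider bumping the document date so readers can tell the page was revised.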
@@ -50,10 +50,16 @@ | |||
50 | .Nm ssh | 50 | .Nm ssh |
51 | obtains configuration data from the following sources in | 51 | obtains configuration data from the following sources in |
52 | the following order: | 52 | the following order: |
53 | command line options, user's configuration file | 53 | .Bl -enum -offset indent -compact |
54 | .Pq Pa $HOME/.ssh/config , | 54 | .It |
55 | and system-wide configuration file | 55 | command-line options |
56 | .Pq Pa /etc/ssh/ssh_config . | 56 | .It |
57 | user's configuration file | ||
58 | .Pq Pa $HOME/.ssh/config | ||
59 | .It | ||
60 | system-wide configuration file | ||
61 | .Pq Pa /etc/ssh/ssh_config | ||
62 | .El | ||
57 | .Pp | 63 | .Pp |
58 | For each parameter, the first obtained value | 64 | For each parameter, the first obtained value |
59 | will be used. | 65 | will be used. |
@@ -252,6 +258,13 @@ or | |||
252 | .Dq no . | 258 | .Dq no . |
253 | The default is | 259 | The default is |
254 | .Dq no . | 260 | .Dq no . |
261 | .Pp | ||
262 | Agent forwarding should be enabled with caution. Users with the | ||
263 | ability to bypass file permissions on the remote host (for the agent's | ||
264 | Unix-domain socket) can access the local agent through the forwarded | ||
265 | connection. An attacker cannot obtain key material from the agent, | ||
266 | however they can perform operations on the keys that enable them to | ||
267 | authenticate using the identities loaded into the agent. | ||
255 | .It Cm ForwardX11 | 268 | .It Cm ForwardX11 |
256 | Specifies whether X11 connections will be automatically redirected | 269 | Specifies whether X11 connections will be automatically redirected |
257 | over the secure channel and | 270 | over the secure channel and |
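Review bot: The new ForwardAgent paragraph (lines 262-267) states the risk but gives the reader no guidance on limiting it. Consider adding a sentence recommending that the option be enabled only for hosts the user trusts, for example in a host-specific section rather than globally. It would also help to say outright that "users with the ability to bypass file permissions" includes root on the remote host. Wording: "from the agent, however they can perform" is a comma splice; "from the agent, but can perform operations on the keys ..." reads cleaner.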
@@ -263,6 +276,12 @@ or | |||
263 | .Dq no . | 276 | .Dq no . |
264 | The default is | 277 | The default is |
265 | .Dq no . | 278 | .Dq no . |
279 | .Pp | ||
280 | X11 forwarding should be enabled with caution. Users with the ability | ||
281 | to bypass file permissions on the remote host (for the user's X | ||
282 | authorization database) can access the local X11 display through the | ||
283 | forwarded connection. An attacker may then be able to perform | ||
284 | activities such as keystroke monitoring. | ||
266 | .It Cm GatewayPorts | 285 | .It Cm GatewayPorts |
267 | Specifies whether remote hosts are allowed to connect to local | 286 | Specifies whether remote hosts are allowed to connect to local |
268 | forwarded ports. | 287 | forwarded ports. |
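Review bot: In the new ForwardX11 paragraph (lines 280-284), sentences begin mid-line ("caution. Users with the ability", "connection. An attacker may then"). mdoc source conventionally starts each sentence on its own line so that roff applies sentence spacing and later diffs stay small. Please reflow it, and do the same for the ForwardAgent paragraph so the two warnings match.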
@@ -492,7 +511,12 @@ or | |||
492 | .Dq no . | 511 | .Dq no . |
493 | The default is | 512 | The default is |
494 | .Dq no . | 513 | .Dq no . |
495 | This option applies to protocol version 1 only. | 514 | This option applies to protocol version 1 only and requires |
515 | .Nm ssh | ||
516 | to be setuid root and | ||
517 | .Cm UsePrivilegedPort | ||
518 | to be set to | ||
519 | .Dq yes . | ||
496 | .It Cm RhostsRSAAuthentication | 520 | .It Cm RhostsRSAAuthentication |
497 | Specifies whether to try rhosts based authentication with RSA host | 521 | Specifies whether to try rhosts based authentication with RSA host |
498 | authentication. | 522 | authentication. |
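Review bot: The rewritten sentence at lines 514-519 says the option "requires" ssh to be setuid root and UsePrivilegedPort to be "yes", but not what happens when either condition is unmet. State whether the authentication method is skipped or the connection fails. Splitting the text into two sentences (the protocol restriction, then the requirements) would also avoid the "only and requires ... and ..." chain.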
@@ -567,6 +591,10 @@ or | |||
567 | .Dq no . | 591 | .Dq no . |
568 | The default is | 592 | The default is |
569 | .Dq no . | 593 | .Dq no . |
594 | If set to | ||
595 | .Dq yes | ||
596 | .Nm ssh | ||
597 | must be setuid root. | ||
570 | Note that this option must be set to | 598 | Note that this option must be set to |
571 | .Dq yes | 599 | .Dq yes |
572 | if | 600 | if |
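Review bot: The added lines 594-597 render as 'If set to "yes" ssh must be setuid root.' with no comma after the quoted value, so the clause boundary is lost. Put the punctuation on the macro line (.Dq yes ,) as is done with the trailing period in the ".Dq no ." lines just above.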
@@ -584,7 +612,7 @@ Specifies a file to use for the user | |||
584 | host key database instead of | 612 | host key database instead of |
585 | .Pa $HOME/.ssh/known_hosts . | 613 | .Pa $HOME/.ssh/known_hosts . |
586 | .It Cm XAuthLocation | 614 | .It Cm XAuthLocation |
587 | Specifies the location of the | 615 | Specifies the full pathname of the |
588 | .Xr xauth 1 | 616 | .Xr xauth 1 |
589 | program. | 617 | program. |
590 | The default is | 618 | The default is |