1 files changed, 35 insertions, 7 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 53cb0fe97..ac05a0cea 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -50,10 +50,16 @@
 .Nm ssh
 obtains configuration data from the following sources in
 the following order:
-command line options, user's configuration file
+.Bl -enum -offset indent -compact
-.Pq Pa $HOME/.ssh/config ,
+.It
-and system-wide configuration file
+command-line options
-.Pq Pa /etc/ssh/ssh_config .
+.It
+user's configuration file
+.Pq Pa $HOME/.ssh/config
+.It
+system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config
+.El
 .Pp
 For each parameter, the first obtained value
 will be used.
@@ -252,6 +258,13 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
@@ -263,6 +276,12 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
@@ -492,7 +511,12 @@ or
 .Dq no .
 The default is
 .Dq no .
-This option applies to protocol version 1 only.
+This option applies to protocol version 1 only and requires
+.Nm ssh
+to be setuid root and
+.Cm UsePrivilegedPort
+to be set to
+.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -567,6 +591,10 @@ or
 .Dq no .
 The default is
 .Dq no .
+If set to
+.Dq yes
+.Nm ssh
+must be setuid root.
 Note that this option must be set to
 .Dq yes
 if
@@ -584,7 +612,7 @@ Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
 .It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
 .Xr xauth 1
 program.
 The default is

diff --git a/ssh_config.5 b/ssh_config.5 index 53cb0fe97..ac05a0cea 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -50,10 +50,16 @@
50	.Nm ssh	50	.Nm ssh
51	obtains configuration data from the following sources in	51	obtains configuration data from the following sources in
52	the following order:	52	the following order:
53	command line options, user's configuration file	53	.Bl -enum -offset indent -compact
54	.Pq Pa $HOME/.ssh/config ,	54	.It
55	and system-wide configuration file	55	command-line options
56	.Pq Pa /etc/ssh/ssh_config .	56	.It
		57	user's configuration file
		58	.Pq Pa $HOME/.ssh/config
		59	.It
		60	system-wide configuration file
		61	.Pq Pa /etc/ssh/ssh_config
		62	.El
57	.Pp	63	.Pp
58	For each parameter, the first obtained value	64	For each parameter, the first obtained value
59	will be used.	65	will be used.
@@ -252,6 +258,13 @@ or
252	.Dq no .	258	.Dq no .
253	The default is	259	The default is
254	.Dq no .	260	.Dq no .
		261	.Pp
		262	Agent forwarding should be enabled with caution. Users with the
		263	ability to bypass file permissions on the remote host (for the agent's
		264	Unix-domain socket) can access the local agent through the forwarded
		265	connection. An attacker cannot obtain key material from the agent,
		266	however they can perform operations on the keys that enable them to
		267	authenticate using the identities loaded into the agent.
255	.It Cm ForwardX11	268	.It Cm ForwardX11
256	Specifies whether X11 connections will be automatically redirected	269	Specifies whether X11 connections will be automatically redirected
257	over the secure channel and	270	over the secure channel and
@@ -263,6 +276,12 @@ or
263	.Dq no .	276	.Dq no .
264	The default is	277	The default is
265	.Dq no .	278	.Dq no .
		279	.Pp
		280	X11 forwarding should be enabled with caution. Users with the ability
		281	to bypass file permissions on the remote host (for the user's X
		282	authorization database) can access the local X11 display through the
		283	forwarded connection. An attacker may then be able to perform
		284	activities such as keystroke monitoring.
266	.It Cm GatewayPorts	285	.It Cm GatewayPorts
267	Specifies whether remote hosts are allowed to connect to local	286	Specifies whether remote hosts are allowed to connect to local
268	forwarded ports.	287	forwarded ports.
@@ -492,7 +511,12 @@ or
492	.Dq no .	511	.Dq no .
493	The default is	512	The default is
494	.Dq no .	513	.Dq no .
495	This option applies to protocol version 1 only.	514	This option applies to protocol version 1 only and requires
		515	.Nm ssh
		516	to be setuid root and
		517	.Cm UsePrivilegedPort
		518	to be set to
		519	.Dq yes .
496	.It Cm RhostsRSAAuthentication	520	.It Cm RhostsRSAAuthentication
497	Specifies whether to try rhosts based authentication with RSA host	521	Specifies whether to try rhosts based authentication with RSA host
498	authentication.	522	authentication.
@@ -567,6 +591,10 @@ or
567	.Dq no .	591	.Dq no .
568	The default is	592	The default is
569	.Dq no .	593	.Dq no .
		594	If set to
		595	.Dq yes
		596	.Nm ssh
		597	must be setuid root.
570	Note that this option must be set to	598	Note that this option must be set to
571	.Dq yes	599	.Dq yes
572	if	600	if
@@ -584,7 +612,7 @@ Specifies a file to use for the user
584	host key database instead of	612	host key database instead of
585	.Pa $HOME/.ssh/known_hosts .	613	.Pa $HOME/.ssh/known_hosts .
586	.It Cm XAuthLocation	614	.It Cm XAuthLocation
587	Specifies the location of the	615	Specifies the full pathname of the
588	.Xr xauth 1	616	.Xr xauth 1
589	program.	617	program.
590	The default is	618	The default is