From af65304a3c99a9a68d507ce0aefd2e7983eb396b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 4 Sep 2002 16:40:37 +1000 Subject: - stevesk@cvs.openbsd.org 2002/08/27 17:18:40 [ssh_config.5] some warning text for ForwardAgent and ForwardX11; ok markus@ --- ChangeLog | 5 ++++- ssh_config.5 | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9a6eb9877..bb0016c14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ [ssh-rsa.c] RSA_public_decrypt() returns -1 on error so len must be signed; ok markus@ + - stevesk@cvs.openbsd.org 2002/08/27 17:18:40 + [ssh_config.5] + some warning text for ForwardAgent and ForwardX11; ok markus@ 20020820 - OpenBSD CVS Sync @@ -1576,4 +1579,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2436 2002/09/04 06:39:48 djm Exp $ +$Id: ChangeLog,v 1.2437 2002/09/04 06:40:37 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 857cc9640..82eda0a18 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.2 2002/08/17 23:55:01 stevesk Exp $ +.\" $OpenBSD: ssh_config.5,v 1.3 2002/08/27 17:18:40 stevesk Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -258,6 +258,13 @@ or .Dq no . The default is .Dq no . +.Pp +Agent forwarding should be enabled with caution. Users with the +ability to bypass file permissions on the remote host (for the agent's +Unix-domain socket) can access the local agent through the forwarded +connection. An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and @@ -269,6 +276,12 @@ or .Dq no . The default is .Dq no . +.Pp +X11 forwarding should be enabled with caution. Users with the ability +to bypass file permissions on the remote host (for the user's X +authorization database) can access the local X11 display through the +forwarded connection. An attacker may then be able to perform +activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. -- cgit v1.2.3
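Review bot: in the ForwardAgent paragraph, "An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." is a comma splice, and the second clause reads weaker than the risk it describes, since signing with a loaded identity is the same as authenticating as the user to every host that trusts that key. Suggest: "An attacker cannot obtain key material from the agent, but can use the loaded identities to authenticate as the user." It would also help to say who can "bypass file permissions on the remote host" (the remote root user), so readers see that enabling this amounts to trusting the remote host's administrator.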
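Review bot: the ForwardX11 paragraph refers to "the user's X authorization database" without naming it; stating that this is the xauth cookie file (normally ~/.Xauthority) lets readers check which file's permissions matter. The consequence "An attacker may then be able to perform activities such as keystroke monitoring" is accurate but could be tied to the cause: an attacker with the cookie can act as any client on the local display, of which keystroke monitoring is one example. Otherwise the new paragraph is parallel in structure to the ForwardAgent warning above, which is good for consistency between the two options.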