- djm@cvs.openbsd.org 2005/03/02 02:21:07
[ssh.1]
bz#987: mention ForwardX11Trusted in ssh.1,
reported by andrew.benham AT thus.net; ok deraadt@
diff --git a/ChangeLog b/ChangeLog
index 5ba0ac3..d7e4fba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,10 @@
- djm@cvs.openbsd.org 2005/03/02 01:27:41
[ssh-keygen.c]
ignore hostnames with metachars when hashing; ok deraadt@
+ - djm@cvs.openbsd.org 2005/03/02 02:21:07
+ [ssh.1]
+ bz#987: mention ForwardX11Trusted in ssh.1,
+ reported by andrew.benham AT thus.net; ok deraadt@
20050301
- (djm) OpenBSD CVS sync:
@@ -2261,4 +2265,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3686 2005/03/02 01:33:04 djm Exp $
+$Id: ChangeLog,v 1.3687 2005/03/02 02:22:30 djm Exp $
diff --git a/ssh.1 b/ssh.1
index a7ff8d7..d7cc83c 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.202 2005/03/01 14:47:58 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.203 2005/03/02 02:21:07 djm Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -831,10 +831,23 @@
(for the user's X authorization database)
can access the local X11 display through the forwarded connection.
An attacker may then be able to perform activities such as keystroke monitoring.
+.Pp
+For this reason, X11 forwarding is subjected X11 SECURITY extension
+restrictions by default.
+Please refer to the
+.Nm
+.Fl Y
+option and the
+.Cm ForwardX11Trusted
+directive in
+.Xr ssh_config 5
+for more information.
.It Fl x
Disables X11 forwarding.
.It Fl Y
Enables trusted X11 forwarding.
+Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+controls.
.El
.Sh CONFIGURATION FILES
.Nm