Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / af65304a3c99a9a68d507ce0aefd2e7983eb396b^! / .
commitaf65304a3c99a9a68d507ce0aefd2e7983eb396b[log] [tgz]
authorDamien Miller <djm@mindrot.org>Wed Sep 04 16:40:37 2002 +1000
committerDamien Miller <djm@mindrot.org>Wed Sep 04 16:40:37 2002 +1000
tree07b8ea7b91851dba01e5d50a6f5472ae9b13c9d9
parentf7c2391d83ba859a4581c3ce52804e6f61fd6adb [diff]
   - stevesk@cvs.openbsd.org 2002/08/27 17:18:40
     [ssh_config.5]
     some warning text for ForwardAgent and ForwardX11; ok markus@

diff --git a/ChangeLog b/ChangeLog
index 9a6eb98..bb0016c 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -35,6 +35,9 @@
      [ssh-rsa.c]
      RSA_public_decrypt() returns -1 on error so len must be signed; 
      ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/27 17:18:40
+     [ssh_config.5]
+     some warning text for ForwardAgent and ForwardX11; ok markus@
 
 20020820
  - OpenBSD CVS Sync
@@ -1576,4 +1579,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2436 2002/09/04 06:39:48 djm Exp $
+$Id: ChangeLog,v 1.2437 2002/09/04 06:40:37 djm Exp $

diff --git a/ssh_config.5 b/ssh_config.5
index 857cc96..82eda0a 100644
--- a/ssh_config.5
+++ b/ssh_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.2 2002/08/17 23:55:01 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.3 2002/08/27 17:18:40 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -258,6 +258,13 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
@@ -269,6 +276,12 @@
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.