Diffstat (limited to 'crypto/openssh/ssh_config.5')
-rw-r--r-- crypto/openssh/ssh_config.5 | 42
1 files changed, 35 insertions, 7 deletions
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 85acc6ad761e..52dab57a0120 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $ +.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $ .\" $FreeBSD$ .Dd September 25, 1999 .Dt SSH_CONFIG 5 @@ -51,10 +51,16 @@ .Nm ssh obtains configuration data from the following sources in the following order: -command line options, user's configuration file -.Pq Pa $HOME/.ssh/config , -and system-wide configuration file -.Pq Pa /etc/ssh/ssh_config . +.Bl -enum -offset indent -compact +.It +command-line options +.It +user's configuration file +.Pq Pa $HOME/.ssh/config +.It +system-wide configuration file +.Pq Pa /etc/ssh/ssh_config +.El .Pp For each parameter, the first obtained value will be used. @@ -253,6 +259,13 @@ or .Dq no . The default is .Dq no . +.Pp +Agent forwarding should be enabled with caution. Users with the +ability to bypass file permissions on the remote host (for the agent's +Unix-domain socket) can access the local agent through the forwarded +connection. An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and 
@@ -264,6 +277,12 @@ or .Dq no . The default is .Dq no . +.Pp +X11 forwarding should be enabled with caution. Users with the ability +to bypass file permissions on the remote host (for the user's X +authorization database) can access the local X11 display through the +forwarded connection. An attacker may then be able to perform +activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. @@ -493,7 +512,12 @@ or .Dq no . The default is .Dq no . -This option applies to protocol version 1 only. +This option applies to protocol version 1 only and requires +.Nm ssh +to be setuid root and +.Cm UsePrivilegedPort +to be set to +.Dq yes . .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. @@ -568,6 +592,10 @@ or .Dq no . The default is .Dq no . +If set to +.Dq yes +.Nm ssh +must be setuid root. Note that this option must be set to .Dq yes if @@ -588,7 +616,7 @@ host key database instead of Specifies a string to append to the regular version string to identify OS- or site-specific modifications. .It Cm XAuthLocation -Specifies the location of the +Specifies the full pathname of the .Xr xauth 1 program. The default is |
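Review bot: in the ForwardAgent caveat (hunk @@ -253,6 +259,13 @@), "An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate" joins two independent clauses with a bare "however"; split it, e.g. "An attacker cannot obtain key material from the agent; however, they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." It would also help readers to name the obvious case of a user who can "bypass file permissions on the remote host", namely the remote host's root user, so that the warning is read as "do not forward your agent to hosts whose administrator you do not trust" rather than as a note about socket modes.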
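Review bot: the ForwardX11 caveat (hunk @@ -264,6 +277,12 @@) deliberately mirrors the ForwardAgent paragraph, which is good, but "may then be able to perform activities such as keystroke monitoring" is wordier than it needs to be; "may then be able to monitor keystrokes, for example" says the same thing. As with the agent caveat, a short clause identifying root on the remote host as the typical user able to bypass the X authorization database's permissions would make the trust boundary explicit.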
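Review bot: the RhostsAuthentication hunk (@@ -493,7 +512,12 @@) adds "requires ssh to be setuid root and UsePrivilegedPort to be set to yes", but the RhostsRSAAuthentication entry that follows it in the same context is left untouched. The UsePrivilegedPort entry below already cross-references the options that depend on it ("Note that this option must be set to .Dq yes if ..."); if RhostsRSAAuthentication is one of them, it should carry the same setuid-root and UsePrivilegedPort sentence so the two rhosts entries do not contradict each other by omission.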
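Review bot: in the UsePrivilegedPort hunk (@@ -568,6 +592,10 @@) the added lines ".Dq yes" / ".Nm ssh" / "must be setuid root." render as "If set to yes ssh must be setuid root." with no comma after the quoted value; use mdoc trailing punctuation, i.e. ".Dq yes ," so it renders "If set to yes, ssh must be setuid root." The wording "setuid root" matches the RhostsAuthentication hunk above, which is good; keep them identical.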