=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.1.4.1 retrieving revision 1.1.4.2 diff -u -r1.1.4.1 -r1.1.4.2 --- src/usr.bin/ssh/ssh_config.5 2002/06/26 15:30:39 1.1.4.1 +++ src/usr.bin/ssh/ssh_config.5 2002/10/11 14:51:53 1.1.4.2 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.1.4.1 2002/06/26 15:30:39 jason Exp $ +.\" $OpenBSD: ssh_config.5,v 1.1.4.2 2002/10/11 14:51:53 miod Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -50,10 +50,16 @@ .Nm ssh obtains configuration data from the following sources in the following order: -command line options, user's configuration file -.Pq Pa $HOME/.ssh/config , -and system-wide configuration file -.Pq Pa /etc/ssh/ssh_config . +.Bl -enum -offset indent -compact +.It +command-line options +.It +user's configuration file +.Pq Pa $HOME/.ssh/config +.It +system-wide configuration file +.Pq Pa /etc/ssh/ssh_config +.El .Pp For each parameter, the first obtained value will be used. @@ -252,6 +258,13 @@ .Dq no . The default is .Dq no . +.Pp +Agent forwarding should be enabled with caution. Users with the +ability to bypass file permissions on the remote host (for the agent's +Unix-domain socket) can access the local agent through the forwarded +connection. An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and @@ -263,6 +276,12 @@ .Dq no . The default is .Dq no . +.Pp +X11 forwarding should be enabled with caution. Users with the ability +to bypass file permissions on the remote host (for the user's X +authorization database) can access the local X11 display through the +forwarded connection. An attacker may then be able to perform +activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. @@ -492,7 +511,12 @@ .Dq no . The default is .Dq no . -This option applies to protocol version 1 only. +This option applies to protocol version 1 only and requires +.Nm ssh +to be setuid root and +.Cm UsePrivilegedPort +to be set to +.Dq yes . .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. @@ -567,6 +591,10 @@ .Dq no . The default is .Dq no . +If set to +.Dq yes +.Nm ssh +must be setuid root. Note that this option must be set to .Dq yes if @@ -584,7 +612,7 @@ host key database instead of .Pa $HOME/.ssh/known_hosts . .It Cm XAuthLocation -Specifies the location of the +Specifies the full pathname of the .Xr xauth 1 program. The default is