- djm@cvs.openbsd.org 2005/03/02 02:21:07

     [ssh.1]
     bz#987: mention ForwardX11Trusted in ssh.1,
     reported by andrew.benham AT thus.net; ok deraadt@

diff --git a/ChangeLog b/ChangeLog
index 1ef122d4b690fc0f3822bcbf0f180f213f736105..0c0a4b039f610a2feaad12fa608de5775b126b1f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,10 @@
    - djm@cvs.openbsd.org 2005/03/02 01:27:41
      [ssh-keygen.c]
      ignore hostnames with metachars when hashing; ok deraadt@
+   - djm@cvs.openbsd.org 2005/03/02 02:21:07
+     [ssh.1]
+     bz#987: mention ForwardX11Trusted in ssh.1,
+     reported by andrew.benham AT thus.net; ok deraadt@
 
 20050301
  - (djm) OpenBSD CVS sync:

diff --git a/ssh.1 b/ssh.1
index a7ff8d7316863dcfb93300b6672e1133e8519820..d7cc83c1bae347533360d41fbf6050f4ad2081fc 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.202 2005/03/01 14:47:58 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.203 2005/03/02 02:21:07 djm Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -831,10 +831,23 @@ Users with the ability to bypass file permissions on the remote host
 (for the user's X authorization database)
 can access the local X11 display through the forwarded connection.
 An attacker may then be able to perform activities such as keystroke monitoring.
+.Pp
+For this reason, X11 forwarding is subjected X11 SECURITY extension
+restrictions by default.
+Please refer to the
+.Nm
+.Fl Y
+option and the
+.Cm ForwardX11Trusted
+directive in
+.Xr ssh_config 5
+for more information.
 .It Fl x
 Disables X11 forwarding.
 .It Fl Y
 Enables trusted X11 forwarding.
+Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+controls.
 .El
 .Sh CONFIGURATION FILES
 .Nm