- djm@cvs.openbsd.org 2005/02/28 00:54:10

     [ssh_config.5]
     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
     orion AT cora.nwra.com; ok markus@

diff --git a/ChangeLog b/ChangeLog
index eb9c15a32cfaeeffbb545bc28e5aa259a014b277..a86dca22491897bca504980317e7eccccfba22fd 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,10 @@
      [sshd.8]
      add /etc/motd and $HOME/.hushlogin to FILES;
      from michael knudsen;
+   - djm@cvs.openbsd.org 2005/02/28 00:54:10
+     [ssh_config.5]
+     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
+     orion AT cora.nwra.com; ok markus@
 
 20050226
  - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]

diff --git a/ssh_config.5 b/ssh_config.5
index 67b6ca72ee8e43e54d772aecadd9b9a6bb849eb8..8f6d851b4daaa66ad559aa9b51eed8b789f68923 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.41 2005/01/28 18:14:09 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.42 2005/02/28 00:54:10 djm Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -359,11 +359,16 @@ option is also enabled.
 If this option is set to
 .Dq yes
 then remote X11 clients will have full access to the original X11 display.
+.Pp
 If this option is set to
 .Dq no
 then remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.
+Furthermore, the
+.Xr xauth 1
+token used for the session will be set to expire after 20 minutes.
+Remote clients will be refused access after this time.
 .Pp
 The default is
 .Dq no .