- pyr@cvs.openbsd.org 2008/05/07 05:49:37

     [servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@

1 files changed, 11 insertions, 2 deletions

diff --git a/sshd_config.5 b/sshd_config.5
index 6edaa926..b93c801e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $
-.Dd $Mdocdate: April 5 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $
+.Dd $Mdocdate: May 7 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -114,6 +114,15 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling Agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
 The default is