Diffstat (limited to 'dbclient.1')
-rw-r--r-- | dbclient.1 | 20 |
1 files changed, 19 insertions, 1 deletions
@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable. .B \-A Forward agent connections to the remote host. dbclient will use any OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for -public key authentication. Forwarding is only enabled if -A is specified. +public key authentication. Forwarding is only enabled if \fI-A\fR is specified. + +Beware that a forwarded agent connection will allow the remote server to have +the same authentication credentials as you have used locally. A compromised +remote server could use that to log in to other servers. + +In many situations Dropbear's multi-hop mode is a better and more secure alternative +to agent forwarding, avoiding having to trust the intermediate server. + +If the SSH agent program is set to prompt when a key is used, the +\fI-o DisableTrivialAuth\fR option can prevent UI confusion. + .TP .B \-W \fIwindowsize Specify the per-channel receive window buffer size. Increasing this @@ -159,6 +170,13 @@ Send dbclient log messages to syslog in addition to stderr. .TP .B Port Specify a listening port, like the \fI-p\fR argument. +.TP +.B DisableTrivialAuth +Disallow a server immediately +giving successful authentication (without presenting any password/pubkey prompt). +This avoids a UI confusion issue where it may appear that the user is accepting +a SSH agent prompt from their local machine, but are actually accepting a prompt +sent immediately by the remote server. .RE .TP .B \-s |
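Review bot: In the first hunk (the -A entry), the last added paragraph says the "\fI-o DisableTrivialAuth\fR" option "can prevent UI confusion" without saying what the confusion is, so a reader who only looks at -A cannot tell why the option matters when an agent is set to prompt on key use. Suggest one clause describing it (a success sent immediately by the server being mistaken for the local agent prompt) or an explicit pointer to the DisableTrivialAuth entry under -o. The multi-hop paragraph likewise names the mode without pointing to where it is documented. Style: the added text writes "\fI-A\fR" and "\fI-o DisableTrivialAuth\fR" with a bare hyphen while the entry headings use "\-A" and "\-W"; escaping the hyphen as "\-" would match them.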
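Review bot: In the second hunk, the new DisableTrivialAuth entry does not say what value the option takes or whether it is off by default, so a user cannot tell from the entry how to write it after -o. Suggest adding the accepted values and the default in the first sentence. Wording: "the user is accepting ... but are actually accepting" mixes singular and plural, and "a SSH agent prompt" should read "an SSH agent prompt"; something like "but is actually accepting a prompt sent immediately by the remote server" fixes the agreement.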