- djm@cvs.openbsd.org 2005/02/28 00:54:10

[ssh_config.5]
     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
     orion AT cora.nwra.com; ok markus@

ChangeLog

@@ -15,6 +15,10 @@
      [sshd.8]
      add /etc/motd and $HOME/.hushlogin to FILES;
      from michael knudsen;
+   - djm@cvs.openbsd.org 2005/02/28 00:54:10
+     [ssh_config.5]
+     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
+     orion AT cora.nwra.com; ok markus@
 
 20050226
  - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
@@ -2191,4 +2195,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3670 2005/03/01 10:17:09 djm Exp $
+$Id: ChangeLog,v 1.3671 2005/03/01 10:17:31 djm Exp $

ssh_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.41 2005/01/28 18:14:09 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.42 2005/02/28 00:54:10 djm Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -359,11 +359,16 @@ option is also enabled.
 If this option is set to
 .Dq yes
 then remote X11 clients will have full access to the original X11 display.
+.Pp
 If this option is set to
 .Dq no
 then remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.
+Furthermore, the
+.Xr xauth 1
+token used for the session will be set to expire after 20 minutes.
+Remote clients will be refused access after this time.
 .Pp
 The default is
 .Dq no .