authorDamien Miller <djm@mindrot.org>2008-05-19 14:57:41 +1000
committerDamien Miller <djm@mindrot.org>2008-05-19 14:57:41 +1000
commit4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 (patch)
tree73c05a3429a9d63d32b373fd3bd92900d43883da
parentbacb7fbd7e7716a4d3148769d43d8896cbfb2c54 (diff)
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
-rw-r--r--ChangeLog11
-rw-r--r--servconf.c13
-rw-r--r--servconf.h3
-rw-r--r--session.c7
-rw-r--r--sshd_config.513
5 files changed, 38 insertions, 9 deletions
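--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,15 @@
    [ssh-keyscan.1 ssh-keyscan.c]
    default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
    larsnooden AT openoffice.org
+ - pyr@cvs.openbsd.org 2008/05/07 05:49:37
+   [servconf.c servconf.h session.c sshd_config.5]
+   Enable the AllowAgentForwarding option in sshd_config (global and match
+   context), to specify if agents should be permitted on the server.
+   As the man page states:
+   ``Note that disabling Agent forwarding does not improve security
+   unless users are also denied shell access, as they can always install
+   their own forwarders.''
+   ok djm@, ok and a mild frown markus@
 
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@@ -3903,4 +3912,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $
+$Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $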
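--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options)
 	options->use_login = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
+	options->allow_agent_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
 		options->compression = COMP_DELAYED;
 	if (options->allow_tcp_forwarding == -1)
 		options->allow_tcp_forwarding = 1;
+	if (options->allow_agent_forwarding == -1)
+		options->allow_agent_forwarding = 1;
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
@@ -293,7 +296,7 @@ typedef enum {
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-	sUsePrivilegeSeparation,
+	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -379,6 +382,7 @@ static struct {
 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
@@ -1005,6 +1009,10 @@ parse_flag:
 		intptr = &options->allow_tcp_forwarding;
 		goto parse_flag;
 
+	case sAllowAgentForwarding:
+		intptr = &options->allow_agent_forwarding;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		goto parse_flag;
@@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(permit_root_login);
 
 	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(allow_agent_forwarding);
 	M_CP_INTOPT(gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);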
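Review bot: `sAllowAgentForwarding` is appended to the ServerOpCodes enum after `sUsePrivilegeSeparation` (second-to-last line of that hunk) while the keyword table and the parse case both place the new option directly beside its `allowtcpforwarding` counterpart; keeping the enumerator next to `sAllowTcpForwarding` would make the three lists read the same way. Registering the keyword with `SSHCFG_ALL` and copying it in copy_set_server_options() means a Match block may override the global setting in either direction, which is what the commit message promises, but the sshd_config.5 diff only adds the option's own entry, so if the manual keeps a list of Match-usable keywords it appears not to be updated here (inferred from the diffstat, not visible on this page). A short comment on the table line, `/* AllowAgentForwarding: Match-capable, see copy_set_server_options() */`, would record that intent for the next reader. All functions touched by this section start and end outside their hunks.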
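--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -101,6 +101,7 @@ typedef struct {
 	int use_login; /* If true, login(1) is used */
 	int compression; /* If true, compression is allowed */
 	int allow_tcp_forwarding;
+	int allow_agent_forwarding;
 	u_int num_allow_users;
 	char *allow_users[MAX_ALLOW_USERS];
 	u_int num_deny_users;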
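Review bot: The new `allow_agent_forwarding` field is added without the trailing comment its neighbours `use_login` and `compression` carry, so the header does not say what the value means or that -1 is the "unset" sentinel that servconf.c's initialize_server_options() writes and fill_default_server_options() later replaces with 1. Suggest `int allow_agent_forwarding; /* If true, ssh-agent forwarding is permitted (AllowAgentForwarding); -1 = unset */`. The enclosing ServerOptions typedef starts and ends outside the hunk.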
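--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt)
 			break;
 
 		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
-			if (no_agent_forwarding_flag || compat13) {
+			if (!options.allow_agent_forwarding ||
+			    no_agent_forwarding_flag || compat13) {
 				debug("Authentication agent forwarding not permitted for this authentication.");
 				break;
 			}
@@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s)
 {
 	static int called = 0;
 	packet_check_eom();
-	if (no_agent_forwarding_flag) {
+	if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
 		debug("session_auth_agent_req: no_agent_forwarding_flag");
 		return 0;
 	}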
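Review bot: In session_auth_agent_req the denial branch now also fires when the administrator sets `AllowAgentForwarding no`, but the log line still reads `session_auth_agent_req: no_agent_forwarding_flag`, so a debug trace attributes a configuration-driven refusal to the pre-existing `no_agent_forwarding_flag`. Suggest a message that names the actual cause, e.g. `debug("session_auth_agent_req: agent forwarding disabled by %s", no_agent_forwarding_flag ? "no_agent_forwarding_flag" : "AllowAgentForwarding");`. The protocol-1 path in do_authenticated1 already uses a cause-neutral message, so the two would then be consistent. Both refusals stay at debug level and are therefore invisible at the default log level, which is a monitoring trade-off the commit does not address. session_auth_agent_req continues past its hunk, and do_authenticated1 starts and ends outside its hunk.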
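--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $
-.Dd $Mdocdate: April 5 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $
+.Dd $Mdocdate: May 7 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -114,6 +114,15 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling Agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
 The default is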