author | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
commit | 4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 (patch) | |
tree | 73c05a3429a9d63d32b373fd3bd92900d43883da | |
parent | bacb7fbd7e7716a4d3148769d43d8896cbfb2c54 (diff) |
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | servconf.c | 13 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | session.c | 7 | ||||
-rw-r--r-- | sshd_config.5 | 13 |
5 files changed, 38 insertions, 9 deletions
@@ -43,6 +43,15 @@ | |||
43 | [ssh-keyscan.1 ssh-keyscan.c] | 43 | [ssh-keyscan.1 ssh-keyscan.c] |
44 | default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by | 44 | default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by |
45 | larsnooden AT openoffice.org | 45 | larsnooden AT openoffice.org |
46 | - pyr@cvs.openbsd.org 2008/05/07 05:49:37 | ||
47 | [servconf.c servconf.h session.c sshd_config.5] | ||
48 | Enable the AllowAgentForwarding option in sshd_config (global and match | ||
49 | context), to specify if agents should be permitted on the server. | ||
50 | As the man page states: | ||
51 | ``Note that disabling Agent forwarding does not improve security | ||
52 | unless users are also denied shell access, as they can always install | ||
53 | their own forwarders.'' | ||
54 | ok djm@, ok and a mild frown markus@ | ||
46 | 55 | ||
47 | 20080403 | 56 | 20080403 |
48 | - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- | 57 | - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- |
@@ -3903,4 +3912,4 @@ | |||
3903 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 3912 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
3904 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 3913 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
3905 | 3914 | ||
3906 | $Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $ | 3915 | $Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $ |
diff --git a/servconf.c b/servconf.c index 9add96ca1..e6d49099b 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options) | |||
99 | options->use_login = -1; | 99 | options->use_login = -1; |
100 | options->compression = -1; | 100 | options->compression = -1; |
101 | options->allow_tcp_forwarding = -1; | 101 | options->allow_tcp_forwarding = -1; |
102 | options->allow_agent_forwarding = -1; | ||
102 | options->num_allow_users = 0; | 103 | options->num_allow_users = 0; |
103 | options->num_deny_users = 0; | 104 | options->num_deny_users = 0; |
104 | options->num_allow_groups = 0; | 105 | options->num_allow_groups = 0; |
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options) | |||
223 | options->compression = COMP_DELAYED; | 224 | options->compression = COMP_DELAYED; |
224 | if (options->allow_tcp_forwarding == -1) | 225 | if (options->allow_tcp_forwarding == -1) |
225 | options->allow_tcp_forwarding = 1; | 226 | options->allow_tcp_forwarding = 1; |
227 | if (options->allow_agent_forwarding == -1) | ||
228 | options->allow_agent_forwarding = 1; | ||
226 | if (options->gateway_ports == -1) | 229 | if (options->gateway_ports == -1) |
227 | options->gateway_ports = 0; | 230 | options->gateway_ports = 0; |
228 | if (options->max_startups == -1) | 231 | if (options->max_startups == -1) |
@@ -293,7 +296,7 @@ typedef enum { | |||
293 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 296 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
294 | sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 297 | sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
295 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 298 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
296 | sUsePrivilegeSeparation, | 299 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
297 | sDeprecated, sUnsupported | 300 | sDeprecated, sUnsupported |
298 | } ServerOpCodes; | 301 | } ServerOpCodes; |
299 | 302 | ||
@@ -379,6 +382,7 @@ static struct { | |||
379 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 382 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
380 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 383 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
381 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 384 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
385 | { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, | ||
382 | { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, | 386 | { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, |
383 | { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, | 387 | { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, |
384 | { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, | 388 | { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, |
@@ -1005,6 +1009,10 @@ parse_flag: | |||
1005 | intptr = &options->allow_tcp_forwarding; | 1009 | intptr = &options->allow_tcp_forwarding; |
1006 | goto parse_flag; | 1010 | goto parse_flag; |
1007 | 1011 | ||
1012 | case sAllowAgentForwarding: | ||
1013 | intptr = &options->allow_agent_forwarding; | ||
1014 | goto parse_flag; | ||
1015 | |||
1008 | case sUsePrivilegeSeparation: | 1016 | case sUsePrivilegeSeparation: |
1009 | intptr = &use_privsep; | 1017 | intptr = &use_privsep; |
1010 | goto parse_flag; | 1018 | goto parse_flag; |
@@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1368 | M_CP_INTOPT(permit_root_login); | 1376 | M_CP_INTOPT(permit_root_login); |
1369 | 1377 | ||
1370 | M_CP_INTOPT(allow_tcp_forwarding); | 1378 | M_CP_INTOPT(allow_tcp_forwarding); |
1379 | M_CP_INTOPT(allow_agent_forwarding); | ||
1371 | M_CP_INTOPT(gateway_ports); | 1380 | M_CP_INTOPT(gateway_ports); |
1372 | M_CP_INTOPT(x11_display_offset); | 1381 | M_CP_INTOPT(x11_display_offset); |
1373 | M_CP_INTOPT(x11_forwarding); | 1382 | M_CP_INTOPT(x11_forwarding); |
diff --git a/servconf.h b/servconf.h index 5b88067db..aaf87cd18 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -101,6 +101,7 @@ typedef struct { | |||
101 | int use_login; /* If true, login(1) is used */ | 101 | int use_login; /* If true, login(1) is used */ |
102 | int compression; /* If true, compression is allowed */ | 102 | int compression; /* If true, compression is allowed */ |
103 | int allow_tcp_forwarding; | 103 | int allow_tcp_forwarding; |
104 | int allow_agent_forwarding; | ||
104 | u_int num_allow_users; | 105 | u_int num_allow_users; |
105 | char *allow_users[MAX_ALLOW_USERS]; | 106 | char *allow_users[MAX_ALLOW_USERS]; |
106 | u_int num_deny_users; | 107 | u_int num_deny_users; |
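Review bot: The new `allow_agent_forwarding` member added at line 104 of servconf.h has no comment, although the neighbouring `use_login` and `compression` fields document what a true value means. servconf.c initialises this field to -1 and only fill_default_server_options() turns the unset value into 1, so the three-state meaning is worth recording where the field is declared: `int allow_agent_forwarding; /* If true, ssh-agent forwarding is allowed; -1 = unset */`. The enclosing typedef struct begins before this hunk.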
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt) | |||
335 | break; | 335 | break; |
336 | 336 | ||
337 | case SSH_CMSG_AGENT_REQUEST_FORWARDING: | 337 | case SSH_CMSG_AGENT_REQUEST_FORWARDING: |
338 | if (no_agent_forwarding_flag || compat13) { | 338 | if (!options.allow_agent_forwarding || |
339 | no_agent_forwarding_flag || compat13) { | ||
339 | debug("Authentication agent forwarding not permitted for this authentication."); | 340 | debug("Authentication agent forwarding not permitted for this authentication."); |
340 | break; | 341 | break; |
341 | } | 342 | } |
@@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s) | |||
2081 | { | 2082 | { |
2082 | static int called = 0; | 2083 | static int called = 0; |
2083 | packet_check_eom(); | 2084 | packet_check_eom(); |
2084 | if (no_agent_forwarding_flag) { | 2085 | if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { |
2085 | debug("session_auth_agent_req: no_agent_forwarding_flag"); | 2086 | debug("session_auth_agent_req: no_agent_forwarding_flag"); |
2086 | return 0; | 2087 | return 0; |
2087 | } | 2088 | } |
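Review bot: In session_auth_agent_req the guard at line 2085 now also refuses the request when `options.allow_agent_forwarding` is 0, but the debug message on the following line still names only `no_agent_forwarding_flag`, so an administrator tracing a refused agent request cannot tell from the log whether a key option or the new AllowAgentForwarding setting caused it. Reporting both inputs makes the refusal attributable: `debug("session_auth_agent_req: refused (no_agent_forwarding_flag=%d, AllowAgentForwarding=%d)", no_agent_forwarding_flag, options.allow_agent_forwarding);`. The do_authenticated1 hunk above has the same combined condition, though its existing message is generic enough to remain accurate. Both enclosing functions start before and continue past their hunks.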
diff --git a/sshd_config.5 b/sshd_config.5 index 6edaa9260..b93c801e3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ |
38 | .Dd $Mdocdate: April 5 2008 $ | 38 | .Dd $Mdocdate: May 7 2008 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -114,6 +114,15 @@ See | |||
114 | in | 114 | in |
115 | .Xr ssh_config 5 | 115 | .Xr ssh_config 5 |
116 | for more information on patterns. | 116 | for more information on patterns. |
117 | .It Cm AllowAgentForwarding | ||
118 | Specifies whether | ||
119 | .Xr ssh-agent 1 | ||
120 | forwarding is permitted. | ||
121 | The default is | ||
122 | .Dq yes . | ||
123 | Note that disabling Agent forwarding does not improve security | ||
124 | unless users are also denied shell access, as they can always install | ||
125 | their own forwarders. | ||
117 | .It Cm AllowTcpForwarding | 126 | .It Cm AllowTcpForwarding |
118 | Specifies whether TCP forwarding is permitted. | 127 | Specifies whether TCP forwarding is permitted. |
119 | The default is | 128 | The default is |