authordjm@openbsd.org <djm@openbsd.org>2016-11-30 03:00:05 +0000
committerDamien Miller <djm@mindrot.org>2016-11-30 19:44:01 +1100
commit7844f357cdd90530eec81340847783f1f1da010b (patch)
treea31f2189df130942f72eb0ea936fbbe9a70f0f65
parentfd6dcef2030d23c43f986d26979f84619c10589d (diff)
upstream commit
Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
-rw-r--r--servconf.c14
-rw-r--r--servconf.h3
-rw-r--r--serverloop.c10
-rw-r--r--session.c4
-rw-r--r--sshd_config.510
5 files changed, 29 insertions, 12 deletions
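--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
+	options->disable_forwarding = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+	if (options->disable_forwarding == -1)
+		options->disable_forwarding = 0;
 
 	assemble_algorithms(options);
 
@@ -414,7 +417,7 @@ typedef enum {
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
-	sAllowStreamLocalForwarding, sFingerprintHash,
+	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -557,6 +560,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->allow_agent_forwarding;
 		goto parse_flag;
 
+	case sDisableForwarding:
+		intptr = &options->disable_forwarding;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		multistate_ptr = multistate_privsep;
@@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(allow_tcp_forwarding);
 	M_CP_INTOPT(allow_streamlocal_forwarding);
 	M_CP_INTOPT(allow_agent_forwarding);
+	M_CP_INTOPT(disable_forwarding);
 	M_CP_INTOPT(permit_tun);
 	M_CP_INTOPT(fwd_opts.gateway_ports);
 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);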
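--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.123 2016/11/30 03:00:05 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -125,6 +125,7 @@ typedef struct {
 	int allow_tcp_forwarding; /* One of FORWARD_* */
 	int allow_streamlocal_forwarding; /* One of FORWARD_* */
 	int allow_agent_forwarding;
+	int disable_forwarding;
 	u_int num_allow_users;
 	char *allow_users[MAX_ALLOW_USERS];
 	u_int num_deny_users;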
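Review bot: The new `disable_forwarding` member is the only field in this run of the struct without a trailing comment, while its neighbours document their value domain (`/* One of FORWARD_* */`); since servconf.c initialises it to -1, defaults it to 0 and fills it via the yes/no flag parser, the meaning of each value should be stated here where readers of ServerOptions look first. Suggested: `int disable_forwarding; /* DisableForwarding yes/no; -1 until defaults are applied */`. The enclosing typedef struct starts and ends outside the hunk.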
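--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
 
 	/* XXX fine grained permissions */
 	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && !options.disable_forwarding) {
 		c = channel_connect_to_port(target, target_port,
 		    "direct-tcpip", "direct-tcpip");
 	} else {
@@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
 
 	/* XXX fine grained permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && !options.disable_forwarding) {
 		c = channel_connect_to_path(target,
 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
 	} else {
@@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
 	/* check permissions */
 	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
-	    no_port_forwarding_flag ||
+	    no_port_forwarding_flag || options.disable_forwarding ||
 	    (!want_reply && fwd.listen_port == 0) ||
 	    (fwd.listen_port != 0 &&
 	    !bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
 	/* check permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-	    || no_port_forwarding_flag) {
+	    || no_port_forwarding_flag || options.disable_forwarding) {
 		success = 0;
 		packet_send_debug("Server has disabled port forwarding.");
 	} else {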
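Review bot: The same three-part policy test (Allow*Forwarding mask for the direction, `no_port_forwarding_flag`, `options.disable_forwarding`) is now hand-written at four sites in this file — server_request_direct_tcpip, server_request_direct_streamlocal and the two checks in server_input_global_request — which is exactly the shape that lets a future forwarding type miss one term, the failure mode the option is meant to prevent. A small file-scope helper keeps the policy in one place, and the existing `/* XXX fine grained permissions */` notes would have a single location to refine. All four enclosing functions start and end outside their hunks; only the first call site is shown rewritten below, the other three would call the helper with their own mask and FORWARD_REMOTE/FORWARD_LOCAL direction.
```c
/* Effective forwarding policy for one forwarding type and direction: the
 * Allow*Forwarding mask, the per-key no-port-forwarding restriction and
 * DisableForwarding must all permit it. */
static int
forwarding_permitted(int allow_mask, int direction)
{
	return (allow_mask & direction) != 0 &&
	    !no_port_forwarding_flag && !options.disable_forwarding;
}

/* … unchanged: server_request_direct_tcpip up to the permission check … */
	if (forwarding_permitted(options.allow_tcp_forwarding, FORWARD_LOCAL)) {
		c = channel_connect_to_port(target, target_port,
```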
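--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.285 2016/08/23 16:21:45 otto Exp $ */
+/* $OpenBSD: session.c,v 1.286 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -257,7 +257,7 @@ do_authenticated(Authctxt *authctxt)
 
 	/* setup the channel layer */
 	/* XXX - streamlocal? */
-	if (no_port_forwarding_flag ||
+	if (no_port_forwarding_flag || options.disable_forwarding ||
 	    (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
 		channel_disable_adm_local_opens();
 	else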
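Review bot: The only session.c change is this gate on administratively permitted local opens, yet the commit message and the new sshd_config.5 text promise that DisableForwarding also covers X11, agent and tunnel forwarding; the diffstat shows session.c changed by exactly these 4 lines and serverloop.c by the TCP/StreamLocal checks, so within this commit no X11, agent or tunnel request path tests `options.disable_forwarding`. Unless those handlers consult the field somewhere not shown here, the option is narrower than documented and an account restricted with it would still be able to request X11 or agent forwarding; each of those request handlers should fail closed on the new flag, or the man page wording should be narrowed until they do. The `/* XXX - streamlocal? */` note on the line above also still applies after this change. do_authenticated starts and ends outside the hunk.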
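--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $
-.Dd $Mdocdate: November 23 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -564,6 +564,12 @@ and finally
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm DisableForwarding
+Disables all forwarding features, including X11,
+.Xr ssh-agent 1 ,
+TCP and StreamLocal.
+This option overrides all other forwarding-related options and may
+simplify restricted configurations.
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are: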