upstream commit

Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7

1 files changed, 12 insertions, 2 deletions

diff --git a/servconf.c b/servconf.c
index e0bfbe67d..795ddbab7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
         options->fingerprint_hash = -1;
+        options->disable_forwarding = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
                 options->fwd_opts.streamlocal_bind_unlink = 0;
         if (options->fingerprint_hash == -1)
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+        if (options->disable_forwarding == -1)
+                options->disable_forwarding = 0;
 
         assemble_algorithms(options);
 
@@ -414,7 +417,7 @@ typedef enum {
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
         sStreamLocalBindMask, sStreamLocalBindUnlink,
-        sAllowStreamLocalForwarding, sFingerprintHash,
+        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
         sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -557,6 +560,7 @@ static struct {
         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+        { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
         { NULL, sBadOption, 0 }
 };
 
@@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->allow_agent_forwarding;
                 goto parse_flag;
 
+        case sDisableForwarding:
+                intptr = &options->disable_forwarding;
+                goto parse_flag;
+
         case sUsePrivilegeSeparation:
                 intptr = &use_privsep;
                 multistate_ptr = multistate_privsep;
@@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
         M_CP_INTOPT(allow_tcp_forwarding);
         M_CP_INTOPT(allow_streamlocal_forwarding);
         M_CP_INTOPT(allow_agent_forwarding);
+        M_CP_INTOPT(disable_forwarding);
         M_CP_INTOPT(permit_tun);
         M_CP_INTOPT(fwd_opts.gateway_ports);
         M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sUseDNS, o->use_dns);
         dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
         dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+        dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
         dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
         dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
         dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);