author | djm@openbsd.org <djm@openbsd.org> | 2016-11-30 03:00:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-11-30 19:44:01 +1100 |
commit | 7844f357cdd90530eec81340847783f1f1da010b (patch) | |
tree | a31f2189df130942f72eb0ea936fbbe9a70f0f65 /servconf.c | |
parent | fd6dcef2030d23c43f986d26979f84619c10589d (diff) |
upstream commit
Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 14 |
1 files changed, 12 insertions, 2 deletions
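--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
 options->ip_qos_bulk = -1;
 options->version_addendum = NULL;
 options->fingerprint_hash = -1;
+options->disable_forwarding = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
 options->fwd_opts.streamlocal_bind_unlink = 0;
 if (options->fingerprint_hash == -1)
 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+if (options->disable_forwarding == -1)
+options->disable_forwarding = 0;
 
 assemble_algorithms(options);
 
@@ -414,7 +417,7 @@ typedef enum {
 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink,
-sAllowStreamLocalForwarding, sFingerprintHash,
+sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -557,6 +560,7 @@ static struct {
 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 { NULL, sBadOption, 0 }
 };
 
@@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->allow_agent_forwarding;
 goto parse_flag;
 
+case sDisableForwarding:
+intptr = &options->disable_forwarding;
+goto parse_flag;
+
 case sUsePrivilegeSeparation:
 intptr = &use_privsep;
 multistate_ptr = multistate_privsep;
@@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(allow_tcp_forwarding);
 M_CP_INTOPT(allow_streamlocal_forwarding);
 M_CP_INTOPT(allow_agent_forwarding);
+M_CP_INTOPT(disable_forwarding);
 M_CP_INTOPT(permit_tun);
 M_CP_INTOPT(fwd_opts.gateway_ports);
 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sUseDNS, o->use_dns);
 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);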
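Review bot: The new `disable_forwarding` flag is initialised, defaulted, parsed, copied for Match blocks and dumped here, but nothing in this file records that it is meant to override the individual Allow*Forwarding settings, and since the diffstat is limited to servconf.c the enforcement at the forwarding entry points cannot be confirmed from this page. A comment next to the `options->disable_forwarding = -1;` line in initialize_server_options, such as `/* DisableForwarding: umbrella flag; must be honoured at every forwarding entry point regardless of the Allow*Forwarding values */`, would state that contract for whoever adds the next forwarding type, which the commit message says is the whole purpose of the option. Registering the keyword with SSHCFG_ALL and copying it with M_CP_INTOPT matches the other forwarding flags, so per-user Match restriction appears to work as intended, assuming M_CP_INTOPT skips the -1 unset sentinel as it does for them. As a point of style, the opcode is appended to the `sFingerprintHash` line in the ServerOpCodes enum rather than placed beside `sAllowStreamLocalForwarding` with the other forwarding opcodes, where the table and dump_config ordering put it.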