upstream commit

Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
author: djm@openbsd.org <djm@openbsd.org> 2016-11-30 03:00:05 +0000
committer: Damien Miller <djm@mindrot.org> 2016-11-30 19:44:01 +1100
commit: 7844f357cdd90530eec81340847783f1f1da010b (patch)
tree: a31f2189df130942f72eb0ea936fbbe9a70f0f65 /servconf.h
parent: fd6dcef2030d23c43f986d26979f84619c10589d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/servconf.h b/servconf.h
index 8af460f5a..5853a9747 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.123 2016/11/30 03:00:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -125,6 +125,7 @@ typedef struct {
        int     allow_tcp_forwarding; /* One of FORWARD_* */
        int     allow_streamlocal_forwarding; /* One of FORWARD_* */
        int     allow_agent_forwarding;
+        int     disable_forwarding;
        u_int num_allow_users;
        char   *allow_users[MAX_ALLOW_USERS];
        u_int num_deny_users;
author	djm@openbsd.org <djm@openbsd.org>	2016-11-30 03:00:05 +0000
committer	Damien Miller <djm@mindrot.org>	2016-11-30 19:44:01 +1100
commit	7844f357cdd90530eec81340847783f1f1da010b (patch)
tree	a31f2189df130942f72eb0ea936fbbe9a70f0f65 /servconf.h
parent	fd6dcef2030d23c43f986d26979f84619c10589d (diff)