author | djm@openbsd.org <djm@openbsd.org> | 2016-11-30 03:00:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-11-30 19:44:01 +1100 |
commit | 7844f357cdd90530eec81340847783f1f1da010b (patch) | |
tree | a31f2189df130942f72eb0ea936fbbe9a70f0f65 /serverloop.c | |
parent | fd6dcef2030d23c43f986d26979f84619c10589d (diff) |
upstream commit
Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
Diffstat (limited to 'serverloop.c')
-rw-r--r-- | serverloop.c | 10 |
1 files changed, 5 insertions, 5 deletions
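--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
 
 /* XXX fine grained permissions */
 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
-!no_port_forwarding_flag) {
+!no_port_forwarding_flag && !options.disable_forwarding) {
 c = channel_connect_to_port(target, target_port,
 "direct-tcpip", "direct-tcpip");
 } else {
@@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
 
 /* XXX fine grained permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-!no_port_forwarding_flag) {
+!no_port_forwarding_flag && !options.disable_forwarding) {
 c = channel_connect_to_path(target,
 "direct-streamlocal@openssh.com", "direct-streamlocal");
 } else {
@@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
 /* check permissions */
 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
-no_port_forwarding_flag ||
+no_port_forwarding_flag || options.disable_forwarding ||
 (!want_reply && fwd.listen_port == 0) ||
 (fwd.listen_port != 0 &&
 !bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
 /* check permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-|| no_port_forwarding_flag) {
+|| no_port_forwarding_flag || options.disable_forwarding) {
 success = 0;
 packet_send_debug("Server has disabled port forwarding.");
 } else {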
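Review bot: The same `!options.disable_forwarding` guard is hand-spliced into four independent conditions (the hunks at 450, 482, 725 and 763), each next to the existing `no_port_forwarding_flag` test, so every future forwarding path in this file must remember to repeat both checks or it silently fails open. Given the commit describes the option as a catch-all for "anything else we might implement in the future", a single predicate such as `static int forwarding_permitted(int allow_mask, int direction)` that folds in `no_port_forwarding_flag` and `options.disable_forwarding`, or setting `no_port_forwarding_flag = 1` once wherever that flag is initialised when `options.disable_forwarding` is set, would make the policy fail closed by construction rather than by review. All four enclosing functions (server_request_direct_tcpip, server_request_direct_streamlocal and the two branches of server_input_global_request) begin and end outside the hunks, so I cannot see whether any other forwarding decision in them was missed. Note also that the remote-forwarding branches reply with the debug text "Server has disabled port forwarding." regardless of which check failed, which is fine for clients but makes the server-side reason (per-type allow mask, key restriction, or the new global option) indistinguishable in client-visible output; a `debug()`/`verbose()` naming the failing condition would help operators audit the new setting.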