upstream commit

Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
author: djm@openbsd.org <djm@openbsd.org> 2016-11-30 03:00:05 +0000
committer: Damien Miller <djm@mindrot.org> 2016-11-30 19:44:01 +1100
commit: 7844f357cdd90530eec81340847783f1f1da010b (patch)
tree: a31f2189df130942f72eb0ea936fbbe9a70f0f65 /serverloop.c
parent: fd6dcef2030d23c43f986d26979f84619c10589d (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/serverloop.c b/serverloop.c
index 4a9a16d41..955f5cc91 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
        /* XXX fine grained permissions */
        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
-            !no_port_forwarding_flag) {
+            !no_port_forwarding_flag && !options.disable_forwarding) {
                c = channel_connect_to_port(target, target_port,
                    "direct-tcpip", "direct-tcpip");
        } else {
@@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
        /* XXX fine grained permissions */
        if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-            !no_port_forwarding_flag) {
+            !no_port_forwarding_flag && !options.disable_forwarding) {
                c = channel_connect_to_path(target,
                    "direct-streamlocal@openssh.com", "direct-streamlocal");
        } else {
@@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                /* check permissions */
                if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
-                    no_port_forwarding_flag ||
+                    no_port_forwarding_flag || options.disable_forwarding ||
                    (!want_reply && fwd.listen_port == 0) ||
                    (fwd.listen_port != 0 &&
                     !bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                /* check permissions */
                if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-                    || no_port_forwarding_flag) {
+                    || no_port_forwarding_flag || options.disable_forwarding) {
                        success = 0;
                        packet_send_debug("Server has disabled port forwarding.");
                } else {
author	djm@openbsd.org <djm@openbsd.org>	2016-11-30 03:00:05 +0000
committer	Damien Miller <djm@mindrot.org>	2016-11-30 19:44:01 +1100
commit	7844f357cdd90530eec81340847783f1f1da010b (patch)
tree	a31f2189df130942f72eb0ea936fbbe9a70f0f65 /serverloop.c
parent	fd6dcef2030d23c43f986d26979f84619c10589d (diff)

diff --git a/serverloop.c b/serverloop.c index 4a9a16d41..955f5cc91 100644 --- a/serverloop.c +++ b/serverloop.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */	1	/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
447		447
448	/* XXX fine grained permissions */	448	/* XXX fine grained permissions */
449	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&	449	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
450	!no_port_forwarding_flag) {	450	!no_port_forwarding_flag && !options.disable_forwarding) {
451	c = channel_connect_to_port(target, target_port,	451	c = channel_connect_to_port(target, target_port,
452	"direct-tcpip", "direct-tcpip");	452	"direct-tcpip", "direct-tcpip");
453	} else {	453	} else {
@@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
479		479
480	/* XXX fine grained permissions */	480	/* XXX fine grained permissions */
481	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&	481	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
482	!no_port_forwarding_flag) {	482	!no_port_forwarding_flag && !options.disable_forwarding) {
483	c = channel_connect_to_path(target,	483	c = channel_connect_to_path(target,
484	"direct-streamlocal@openssh.com", "direct-streamlocal");	484	"direct-streamlocal@openssh.com", "direct-streamlocal");
485	} else {	485	} else {
@@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
722		722
723	/* check permissions */	723	/* check permissions */
724	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 \|\|	724	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 \|\|
725	no_port_forwarding_flag \|\|	725	no_port_forwarding_flag \|\| options.disable_forwarding \|\|
726	(!want_reply && fwd.listen_port == 0) \|\|	726	(!want_reply && fwd.listen_port == 0) \|\|
727	(fwd.listen_port != 0 &&	727	(fwd.listen_port != 0 &&
728	!bind_permitted(fwd.listen_port, pw->pw_uid))) {	728	!bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
760		760
761	/* check permissions */	761	/* check permissions */
762	if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0	762	if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
763	\|\| no_port_forwarding_flag) {	763	\|\| no_port_forwarding_flag \|\| options.disable_forwarding) {
764	success = 0;	764	success = 0;
765	packet_send_debug("Server has disabled port forwarding.");	765	packet_send_debug("Server has disabled port forwarding.");
766	} else {	766	} else {