- pyr@cvs.openbsd.org 2008/05/07 05:49:37

     [servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@

1 files changed, 4 insertions, 3 deletions

diff --git a/session.c b/session.c
index f2bcfd061..16e455588 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt)
                         break;
 
                 case SSH_CMSG_AGENT_REQUEST_FORWARDING:
-                        if (no_agent_forwarding_flag || compat13) {
+                        if (!options.allow_agent_forwarding ||
+                            no_agent_forwarding_flag || compat13) {
                                 debug("Authentication agent forwarding not permitted for this authentication.");
                                 break;
                         }
@@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s)
 {
         static int called = 0;
         packet_check_eom();
-        if (no_agent_forwarding_flag) {
+        if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
                 debug("session_auth_agent_req: no_agent_forwarding_flag");
                 return 0;
         }