author | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
commit | 4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 (patch) | |
tree | 73c05a3429a9d63d32b373fd3bd92900d43883da /session.c | |
parent | bacb7fbd7e7716a4d3148769d43d8896cbfb2c54 (diff) |
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 7 |
1 files changed, 4 insertions, 3 deletions
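--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt)
 break;
 
 case SSH_CMSG_AGENT_REQUEST_FORWARDING:
-if (no_agent_forwarding_flag || compat13) {
+if (!options.allow_agent_forwarding ||
+no_agent_forwarding_flag || compat13) {
 debug("Authentication agent forwarding not permitted for this authentication.");
 break;
 }
@@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s)
 {
 static int called = 0;
 packet_check_eom();
-if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
+if (no_agent_forwarding_flag) {
 debug("session_auth_agent_req: no_agent_forwarding_flag");
 return 0;
 }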
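Review bot: In session_auth_agent_req the refusal still logs `debug("session_auth_agent_req: no_agent_forwarding_flag");` even when the request was denied by the new `options.allow_agent_forwarding` check, so a debug trace attributes a server-policy denial to the per-authentication flag. An operator checking why forwarding was refused, or confirming that an sshd_config or Match restriction is taking effect, cannot tell the two causes apart. A neutral message such as `debug("session_auth_agent_req: agent forwarding disabled");` would fix that, or the condition could be split so each cause logs its own line. The protocol 1 path in do_authenticated1 has the same ambiguity, because its message says "for this authentication" although the new option is configuration-wide. The two conditions also list their operands in different orders, which makes the paired checks harder to compare at a glance. Both function bodies extend outside the hunks shown.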