summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2016-11-30 03:00:05 +0000
committerDamien Miller <djm@mindrot.org>2016-11-30 19:44:01 +1100
commit7844f357cdd90530eec81340847783f1f1da010b (patch)
treea31f2189df130942f72eb0ea936fbbe9a70f0f65 /session.c
parentfd6dcef2030d23c43f986d26979f84619c10589d (diff)
upstream commit
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
Diffstat (limited to 'session.c')
-rw-r--r--session.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/session.c b/session.c
index 85805f5a0..a08aa69d1 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.285 2016/08/23 16:21:45 otto Exp $ */ 1/* $OpenBSD: session.c,v 1.286 2016/11/30 03:00:05 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -257,7 +257,7 @@ do_authenticated(Authctxt *authctxt)
257 257
258 /* setup the channel layer */ 258 /* setup the channel layer */
259 /* XXX - streamlocal? */ 259 /* XXX - streamlocal? */
260 if (no_port_forwarding_flag || 260 if (no_port_forwarding_flag || options.disable_forwarding ||
261 (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) 261 (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
262 channel_disable_adm_local_opens(); 262 channel_disable_adm_local_opens();
263 else 263 else