upstream commit

Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. Example: restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1... Idea from Jann Horn; ok markus@ Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
author: djm@openbsd.org <djm@openbsd.org> 2015-11-16 00:30:02 +0000
committer: Damien Miller <djm@mindrot.org> 2015-11-16 11:31:41 +1100
commit: 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 (patch)
tree: 5204277775a7cbd10a88c9645024958f4a120665 /sshd.8
parent: e41a071f7bda6af1fb3f081bed0151235fa61f15 (diff)
1 files changed, 34 insertions, 2 deletions
diff --git a/sshd.8 b/sshd.8
index 3b20d9f32..9bf3d5bb2 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $
-.Dd $Mdocdate: September 11 2015 $
+.Dd $Mdocdate: November 16 2015 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -522,6 +522,10 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
 .It Cm cert-authority
 Specifies that the listed key is a certification authority (CA) that is
 trusted to validate signed certificates for user authentication.
@@ -616,6 +620,9 @@ they must be literal domains or addresses.
 A port specification of
 .Cm *
 matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
 .It Cm principals="principals"
 On a
 .Cm cert-authority
@@ -627,12 +634,33 @@ This option is ignored for keys that are not marked as trusted certificate
 signers using the
 .Cm cert-authority
 option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
 .It Cm tunnel="n"
 Force a
 .Xr tun 4
 device on the server.
 Without this option, the next available device will be used if
 the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
 .El
 .Pp
 An example authorized_keys file:
@@ -647,6 +675,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
author	djm@openbsd.org <djm@openbsd.org>	2015-11-16 00:30:02 +0000
committer	Damien Miller <djm@mindrot.org>	2015-11-16 11:31:41 +1100
commit	383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 (patch)
tree	5204277775a7cbd10a88c9645024958f4a120665 /sshd.8
parent	e41a071f7bda6af1fb3f081bed0151235fa61f15 (diff)

diff --git a/sshd.8 b/sshd.8 index 3b20d9f32..9bf3d5bb2 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $
37	.Dd $Mdocdate: September 11 2015 $	37	.Dd $Mdocdate: November 16 2015 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -522,6 +522,10 @@ No spaces are permitted, except within double quotes.
522	The following option specifications are supported (note	522	The following option specifications are supported (note
523	that option keywords are case-insensitive):	523	that option keywords are case-insensitive):
524	.Bl -tag -width Ds	524	.Bl -tag -width Ds
		525	.It Cm agent-forwarding
		526	Enable authentication agent forwarding previously disabled by the
		527	.Cm restrict
		528	option.
525	.It Cm cert-authority	529	.It Cm cert-authority
526	Specifies that the listed key is a certification authority (CA) that is	530	Specifies that the listed key is a certification authority (CA) that is
527	trusted to validate signed certificates for user authentication.	531	trusted to validate signed certificates for user authentication.
@@ -616,6 +620,9 @@ they must be literal domains or addresses.
616	A port specification of	620	A port specification of
617	.Cm *	621	.Cm *
618	matches any port.	622	matches any port.
		623	.It Cm port-forwarding
		624	Enable port forwarding previously disabled by the
		625	.Cm restrict
619	.It Cm principals="principals"	626	.It Cm principals="principals"
620	On a	627	On a
621	.Cm cert-authority	628	.Cm cert-authority
@@ -627,12 +634,33 @@ This option is ignored for keys that are not marked as trusted certificate
627	signers using the	634	signers using the
628	.Cm cert-authority	635	.Cm cert-authority
629	option.	636	option.
		637	.It Cm pty
		638	Permits tty allocation previously disabled by the
		639	.Cm restrict
		640	option.
		641	.It Cm restrict
		642	Enable all restrictions, i.e. disable port, agent and X11 forwarding,
		643	as well as disabling PTY allocation
		644	and execution of
		645	.Pa ~/.ssh/rc .
		646	If any future restriction capabilities are added to authorized_keys files
		647	they will be included in this set.
630	.It Cm tunnel="n"	648	.It Cm tunnel="n"
631	Force a	649	Force a
632	.Xr tun 4	650	.Xr tun 4
633	device on the server.	651	device on the server.
634	Without this option, the next available device will be used if	652	Without this option, the next available device will be used if
635	the client requests a tunnel.	653	the client requests a tunnel.
		654	.It Cm user-rc
		655	Enables execution of
		656	.Pa ~/.ssh/rc
		657	previously disabled by the
		658	.Cm restrict
		659	option.
		660	.It Cm X11-forwarding
		661	Permits X11 forwarding previously disabled by the
		662	.Cm restrict
		663	option.
636	.El	664	.El
637	.Pp	665	.Pp
638	An example authorized_keys file:	666	An example authorized_keys file:
@@ -647,6 +675,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
647	AAAAB5...21S==	675	AAAAB5...21S==
648	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==	676	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
649	jane@example.net	677	jane@example.net
		678	restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
		679	user@example.net
		680	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
		681	user@example.net
650	.Ed	682	.Ed
651	.Sh SSH_KNOWN_HOSTS FILE FORMAT	683	.Sh SSH_KNOWN_HOSTS FILE FORMAT
652	The	684	The