upstream commit

add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
author: djm@openbsd.org <djm@openbsd.org> 2017-10-25 00:17:08 +0000
committer: Damien Miller <djm@mindrot.org> 2017-10-25 12:26:13 +1100
commit: 35eb33fb957979e3fcbe6ea0eaee8bf4a217421a (patch)
tree: 6ff628a3a477e2e2c7c4757a74b06ab29d3430a2 /sshd_config.5
parent: acf559e1cffbd1d6167cc1742729fc381069f06b (diff)
1 files changed, 16 insertions, 1 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b63a022b7..c216fb75b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.256 2017/10/25 00:15:35 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.257 2017/10/25 00:17:08 djm Exp $
 .Dd $Mdocdate: October 25 2017 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1118,6 +1118,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
+.Cm RDomain ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1378,6 +1379,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm RDomain
+Specifies an explicit routing domain that is applied after authentication
+has completed.
+The user session, as well and any forwarded or listening IP sockets will
+be bound to this
+.Xr rdomain 4 .
+If the routing domain is set to
+.Cm \&%D ,
+then the domain in which the incoming connection was recieved will be applied.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1643,6 +1653,8 @@ which are expanded at runtime:
 .It %%
 A literal
 .Sq % .
+.It \&%D
+The routing domain in which the incoming connection was received.
 .It %F
 The fingerprint of the CA key.
 .It %f
@@ -1679,6 +1691,9 @@ accepts the tokens %%, %h, and %u.
 .Pp
 .Cm ChrootDirectory
 accepts the tokens %%, %h, and %u.
+.Pp
+.Cm RoutingDomain
+accepts the token %D.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config
author	djm@openbsd.org <djm@openbsd.org>	2017-10-25 00:17:08 +0000
committer	Damien Miller <djm@mindrot.org>	2017-10-25 12:26:13 +1100
commit	35eb33fb957979e3fcbe6ea0eaee8bf4a217421a (patch)
tree	6ff628a3a477e2e2c7c4757a74b06ab29d3430a2 /sshd_config.5
parent	acf559e1cffbd1d6167cc1742729fc381069f06b (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index b63a022b7..c216fb75b 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.256 2017/10/25 00:15:35 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.257 2017/10/25 00:17:08 djm Exp $
37	.Dd $Mdocdate: October 25 2017 $	37	.Dd $Mdocdate: October 25 2017 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
@@ -1118,6 +1118,7 @@ Available keywords are
1118	.Cm PubkeyAuthentication ,	1118	.Cm PubkeyAuthentication ,
1119	.Cm RekeyLimit ,	1119	.Cm RekeyLimit ,
1120	.Cm RevokedKeys ,	1120	.Cm RevokedKeys ,
		1121	.Cm RDomain ,
1121	.Cm StreamLocalBindMask ,	1122	.Cm StreamLocalBindMask ,
1122	.Cm StreamLocalBindUnlink ,	1123	.Cm StreamLocalBindUnlink ,
1123	.Cm TrustedUserCAKeys ,	1124	.Cm TrustedUserCAKeys ,
@@ -1378,6 +1379,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
1378	.Xr ssh-keygen 1 .	1379	.Xr ssh-keygen 1 .
1379	For more information on KRLs, see the KEY REVOCATION LISTS section in	1380	For more information on KRLs, see the KEY REVOCATION LISTS section in
1380	.Xr ssh-keygen 1 .	1381	.Xr ssh-keygen 1 .
		1382	.It Cm RDomain
		1383	Specifies an explicit routing domain that is applied after authentication
		1384	has completed.
		1385	The user session, as well and any forwarded or listening IP sockets will
		1386	be bound to this
		1387	.Xr rdomain 4 .
		1388	If the routing domain is set to
		1389	.Cm \&%D ,
		1390	then the domain in which the incoming connection was recieved will be applied.
1381	.It Cm StreamLocalBindMask	1391	.It Cm StreamLocalBindMask
1382	Sets the octal file creation mode mask	1392	Sets the octal file creation mode mask
1383	.Pq umask	1393	.Pq umask
@@ -1643,6 +1653,8 @@ which are expanded at runtime:
1643	.It %%	1653	.It %%
1644	A literal	1654	A literal
1645	.Sq % .	1655	.Sq % .
		1656	.It \&%D
		1657	The routing domain in which the incoming connection was received.
1646	.It %F	1658	.It %F
1647	The fingerprint of the CA key.	1659	The fingerprint of the CA key.
1648	.It %f	1660	.It %f
@@ -1679,6 +1691,9 @@ accepts the tokens %%, %h, and %u.
1679	.Pp	1691	.Pp
1680	.Cm ChrootDirectory	1692	.Cm ChrootDirectory
1681	accepts the tokens %%, %h, and %u.	1693	accepts the tokens %%, %h, and %u.
		1694	.Pp
		1695	.Cm RoutingDomain
		1696	accepts the token %D.
1682	.Sh FILES	1697	.Sh FILES
1683	.Bl -tag -width Ds	1698	.Bl -tag -width Ds
1684	.It Pa /etc/ssh/sshd_config	1699	.It Pa /etc/ssh/sshd_config