upstream commit

Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
author: djm@openbsd.org <djm@openbsd.org> 2016-11-30 03:00:05 +0000
committer: Damien Miller <djm@mindrot.org> 2016-11-30 19:44:01 +1100
commit: 7844f357cdd90530eec81340847783f1f1da010b (patch)
tree: a31f2189df130942f72eb0ea936fbbe9a70f0f65 /sshd_config.5
parent: fd6dcef2030d23c43f986d26979f84619c10589d (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 281de141f..32b29d240 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -564,6 +564,12 @@ and finally
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm DisableForwarding
+Disables all forwarding features, including X11,
+.Xr ssh-agent 1 ,
+TCP and StreamLocal.
+This option overrides all other forwarding-related options and may
+simplify restricted configurations.
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are:
author	djm@openbsd.org <djm@openbsd.org>	2016-11-30 03:00:05 +0000
committer	Damien Miller <djm@mindrot.org>	2016-11-30 19:44:01 +1100
commit	7844f357cdd90530eec81340847783f1f1da010b (patch)
tree	a31f2189df130942f72eb0ea936fbbe9a70f0f65 /sshd_config.5
parent	fd6dcef2030d23c43f986d26979f84619c10589d (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 281de141f..32b29d240 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
37	.Dd $Mdocdate: November 23 2016 $	37	.Dd $Mdocdate: November 30 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -564,6 +564,12 @@ and finally
564	See PATTERNS in	564	See PATTERNS in
565	.Xr ssh_config 5	565	.Xr ssh_config 5
566	for more information on patterns.	566	for more information on patterns.
		567	.It Cm DisableForwarding
		568	Disables all forwarding features, including X11,
		569	.Xr ssh-agent 1 ,
		570	TCP and StreamLocal.
		571	This option overrides all other forwarding-related options and may
		572	simplify restricted configurations.
567	.It Cm FingerprintHash	573	.It Cm FingerprintHash
568	Specifies the hash algorithm used when logging key fingerprints.	574	Specifies the hash algorithm used when logging key fingerprints.
569	Valid options are:	575	Valid options are: