author | djm@openbsd.org <djm@openbsd.org> | 2016-11-30 03:00:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-11-30 19:44:01 +1100 |
commit | 7844f357cdd90530eec81340847783f1f1da010b (patch) | |
tree | a31f2189df130942f72eb0ea936fbbe9a70f0f65 /sshd_config.5 | |
parent | fd6dcef2030d23c43f986d26979f84619c10589d (diff) |
upstream commit
Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 281de141f..32b29d240 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $ |
37 | .Dd $Mdocdate: November 23 2016 $ | 37 | .Dd $Mdocdate: November 30 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -564,6 +564,12 @@ and finally | |||
564 | See PATTERNS in | 564 | See PATTERNS in |
565 | .Xr ssh_config 5 | 565 | .Xr ssh_config 5 |
566 | for more information on patterns. | 566 | for more information on patterns. |
567 | .It Cm DisableForwarding | ||
568 | Disables all forwarding features, including X11, | ||
569 | .Xr ssh-agent 1 , | ||
570 | TCP and StreamLocal. | ||
571 | This option overrides all other forwarding-related options and may | ||
572 | simplify restricted configurations. | ||
567 | .It Cm FingerprintHash | 573 | .It Cm FingerprintHash |
568 | Specifies the hash algorithm used when logging key fingerprints. | 574 | Specifies the hash algorithm used when logging key fingerprints. |
569 | Valid options are: | 575 | Valid options are: |
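Review bot: The new DisableForwarding entry (new lines 567-572) lists X11, ssh-agent, TCP and StreamLocal, but the commit message also names tunnel forwarding, and the man page text leaves it out. An administrator relying on the man page alone cannot tell whether tunnel forwarding is covered, so consider adding it to the list, or wording the sentence so that "all forwarding features" is clearly open-ended (the commit message says it should also cover anything implemented in the future). The entry also does not state what arguments the keyword accepts or what its default is, which a reader needs before depending on it for a restricted account; a closing sentence giving the accepted values and the default would fix that. Finally, "overrides all other forwarding-related options" would be easier to audit if it said whether that also holds for settings inside a Match block.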