5 files changed, 29 insertions, 12 deletions

diff --git a/servconf.c b/servconf.c
index e0bfbe67d..795ddbab7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
         options->fingerprint_hash = -1;
+        options->disable_forwarding = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
                 options->fwd_opts.streamlocal_bind_unlink = 0;
         if (options->fingerprint_hash == -1)
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+        if (options->disable_forwarding == -1)
+                options->disable_forwarding = 0;
 
         assemble_algorithms(options);
 
@@ -414,7 +417,7 @@ typedef enum {
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
         sStreamLocalBindMask, sStreamLocalBindUnlink,
-        sAllowStreamLocalForwarding, sFingerprintHash,
+        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
         sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -557,6 +560,7 @@ static struct {
         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+        { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
         { NULL, sBadOption, 0 }
 };
 
@@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->allow_agent_forwarding;
                 goto parse_flag;
 
+        case sDisableForwarding:
+                intptr = &options->disable_forwarding;
+                goto parse_flag;
+
         case sUsePrivilegeSeparation:
                 intptr = &use_privsep;
                 multistate_ptr = multistate_privsep;
@@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
         M_CP_INTOPT(allow_tcp_forwarding);
         M_CP_INTOPT(allow_streamlocal_forwarding);
         M_CP_INTOPT(allow_agent_forwarding);
+        M_CP_INTOPT(disable_forwarding);
         M_CP_INTOPT(permit_tun);
         M_CP_INTOPT(fwd_opts.gateway_ports);
         M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sUseDNS, o->use_dns);
         dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
         dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+        dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
         dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
         dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
         dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff --git a/servconf.h b/servconf.h
index 8af460f5a..5853a9747 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.123 2016/11/30 03:00:05 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -125,6 +125,7 @@ typedef struct {
         int     allow_tcp_forwarding; /* One of FORWARD_* */
         int     allow_streamlocal_forwarding; /* One of FORWARD_* */
         int     allow_agent_forwarding;
+        int     disable_forwarding;
         u_int num_allow_users;
         char   *allow_users[MAX_ALLOW_USERS];
         u_int num_deny_users;
diff --git a/serverloop.c b/serverloop.c
index 4a9a16d41..955f5cc91 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
 
         /* XXX fine grained permissions */
         if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
-            !no_port_forwarding_flag) {
+            !no_port_forwarding_flag && !options.disable_forwarding) {
                 c = channel_connect_to_port(target, target_port,
                     "direct-tcpip", "direct-tcpip");
         } else {
@@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
 
         /* XXX fine grained permissions */
         if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-            !no_port_forwarding_flag) {
+            !no_port_forwarding_flag && !options.disable_forwarding) {
                 c = channel_connect_to_path(target,
                     "direct-streamlocal@openssh.com", "direct-streamlocal");
         } else {
@@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
                 /* check permissions */
                 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
-                    no_port_forwarding_flag ||
+                    no_port_forwarding_flag || options.disable_forwarding ||
                     (!want_reply && fwd.listen_port == 0) ||
                     (fwd.listen_port != 0 &&
                      !bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
                 /* check permissions */
                 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-                    || no_port_forwarding_flag) {
+                    || no_port_forwarding_flag || options.disable_forwarding) {
                         success = 0;
                         packet_send_debug("Server has disabled port forwarding.");
                 } else {
diff --git a/session.c b/session.c
index 85805f5a0..a08aa69d1 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.285 2016/08/23 16:21:45 otto Exp $ */
+/* $OpenBSD: session.c,v 1.286 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -257,7 +257,7 @@ do_authenticated(Authctxt *authctxt)
 
         /* setup the channel layer */
         /* XXX - streamlocal? */
-        if (no_port_forwarding_flag ||
+        if (no_port_forwarding_flag || options.disable_forwarding ||
             (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
                 channel_disable_adm_local_opens();
         else
diff --git a/sshd_config.5 b/sshd_config.5
index 281de141f..32b29d240 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $
-.Dd $Mdocdate: November 23 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -564,6 +564,12 @@ and finally
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm DisableForwarding
+Disables all forwarding features, including X11,
+.Xr ssh-agent 1 ,
+TCP and StreamLocal.
+This option overrides all other forwarding-related options and may
+simplify restricted configurations.
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are: