-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-options.c | 11 | ||||
-rw-r--r-- | auth-options.h | 3 | ||||
-rw-r--r-- | session.c | 4 | ||||
-rw-r--r-- | sshd.8 | 7 |
5 files changed, 23 insertions, 7 deletions
@@ -40,6 +40,9 @@ | |||
40 | - djm@cvs.openbsd.org 2008/03/25 23:01:41 | 40 | - djm@cvs.openbsd.org 2008/03/25 23:01:41 |
41 | [session.c] | 41 | [session.c] |
42 | last patch had backwards test; spotted by termim AT gmail.com | 42 | last patch had backwards test; spotted by termim AT gmail.com |
43 | - djm@cvs.openbsd.org 2008/03/26 21:28:14 | ||
44 | [auth-options.c auth-options.h session.c sshd.8] | ||
45 | add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc | ||
43 | 46 | ||
44 | 20080315 | 47 | 20080315 |
45 | - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are | 48 | - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are |
@@ -3808,4 +3811,4 @@ | |||
3808 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 3811 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
3809 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 3812 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
3810 | 3813 | ||
3811 | $Id: ChangeLog,v 1.4888 2008/03/27 00:02:27 djm Exp $ | 3814 | $Id: ChangeLog,v 1.4889 2008/03/27 00:03:05 djm Exp $ |
diff --git a/auth-options.c b/auth-options.c index ca5e1c931..6e2256961 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -42,6 +42,7 @@ int no_port_forwarding_flag = 0; | |||
42 | int no_agent_forwarding_flag = 0; | 42 | int no_agent_forwarding_flag = 0; |
43 | int no_x11_forwarding_flag = 0; | 43 | int no_x11_forwarding_flag = 0; |
44 | int no_pty_flag = 0; | 44 | int no_pty_flag = 0; |
45 | int no_user_rc = 0; | ||
45 | 46 | ||
46 | /* "command=" option. */ | 47 | /* "command=" option. */ |
47 | char *forced_command = NULL; | 48 | char *forced_command = NULL; |
@@ -61,6 +62,7 @@ auth_clear_options(void) | |||
61 | no_port_forwarding_flag = 0; | 62 | no_port_forwarding_flag = 0; |
62 | no_pty_flag = 0; | 63 | no_pty_flag = 0; |
63 | no_x11_forwarding_flag = 0; | 64 | no_x11_forwarding_flag = 0; |
65 | no_user_rc = 0; | ||
64 | while (custom_environment) { | 66 | while (custom_environment) { |
65 | struct envstring *ce = custom_environment; | 67 | struct envstring *ce = custom_environment; |
66 | custom_environment = ce->next; | 68 | custom_environment = ce->next; |
@@ -121,6 +123,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
121 | opts += strlen(cp); | 123 | opts += strlen(cp); |
122 | goto next_option; | 124 | goto next_option; |
123 | } | 125 | } |
126 | cp = "no-user-rc"; | ||
127 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
128 | auth_debug_add("User rc file execution disabled."); | ||
129 | no_user_rc = 1; | ||
130 | opts += strlen(cp); | ||
131 | goto next_option; | ||
132 | } | ||
124 | cp = "command=\""; | 133 | cp = "command=\""; |
125 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 134 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
126 | opts += strlen(cp); | 135 | opts += strlen(cp); |
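Review bot: The new global `no_user_rc` (new-side line 45) departs from the naming of the flags it is grouped with (`no_pty_flag`, `no_x11_forwarding_flag`, `no_agent_forwarding_flag`); `no_user_rc_flag` would keep the convention, with the matching rename of the extern in auth-options.h and the test in session.c. The parsing branch at new-side lines 126-132 otherwise mirrors the no-pty branch exactly, and the reset added to auth_clear_options (new-side line 65) means a later key in the same authorized_keys file cannot inherit the flag from an earlier one. Like its siblings it is a case-insensitive prefix match, so whether a token such as `no-user-rcX` is rejected depends on what `next_option` requires after the match, which is outside this hunk. auth_parse_options starts and ends outside the hunk.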
diff --git a/auth-options.h b/auth-options.h index 853f8b517..14488f72d 100644 --- a/auth-options.h +++ b/auth-options.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -26,6 +26,7 @@ extern int no_port_forwarding_flag; | |||
26 | extern int no_agent_forwarding_flag; | 26 | extern int no_agent_forwarding_flag; |
27 | extern int no_x11_forwarding_flag; | 27 | extern int no_x11_forwarding_flag; |
28 | extern int no_pty_flag; | 28 | extern int no_pty_flag; |
29 | extern int no_user_rc; | ||
29 | extern char *forced_command; | 30 | extern char *forced_command; |
30 | extern struct envstring *custom_environment; | 31 | extern struct envstring *custom_environment; |
31 | extern int forced_tun_device; | 32 | extern int forced_tun_device; |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -1204,7 +1204,7 @@ do_rc_files(Session *s, const char *shell) | |||
1204 | 1204 | ||
1205 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ | 1205 | /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ |
1206 | if (!s->is_subsystem && options.adm_forced_command == NULL && | 1206 | if (!s->is_subsystem && options.adm_forced_command == NULL && |
1207 | (stat(_PATH_SSH_USER_RC, &st) >= 0)) { | 1207 | !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { |
1208 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", | 1208 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", |
1209 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); | 1209 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); |
1210 | if (debug_flag) | 1210 | if (debug_flag) |
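Review bot: The comment on line 1205 is now stale: it still names only subsystems and admin forced commands as reasons to skip the user rc file, while the condition on new-side line 1207 also tests the per-key `no_user_rc` flag; I would change it to `/* ignore _PATH_SSH_USER_RC for subsystems, admin forced commands and keys carrying the no-user-rc option */`. Placing `!no_user_rc` before the `stat()` call means the file is not even probed when the option is set, which is the cheaper order. What runs instead when the user rc is skipped (presumably the system-wide rc or the xauth fallback) is in branches outside this hunk, so the man page wording "disables execution of ~/.ssh/rc" should be read as exactly that and nothing more. do_rc_files starts and ends outside the hunk.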
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $ |
38 | .Dd $Mdocdate: February 11 2008 $ | 38 | .Dd $Mdocdate: March 26 2008 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -531,6 +531,9 @@ This might be used, e.g. in connection with the | |||
531 | option. | 531 | option. |
532 | .It Cm no-pty | 532 | .It Cm no-pty |
533 | Prevents tty allocation (a request to allocate a pty will fail). | 533 | Prevents tty allocation (a request to allocate a pty will fail). |
534 | .It Cm no-user-rc | ||
535 | Disables execution of | ||
536 | .Pa ~/.ssh/rc . | ||
534 | .It Cm no-X11-forwarding | 537 | .It Cm no-X11-forwarding |
535 | Forbids X11 forwarding when this key is used for authentication. | 538 | Forbids X11 forwarding when this key is used for authentication. |
536 | Any X11 forward requests by the client will return an error. | 539 | Any X11 forward requests by the client will return an error. |