summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--servconf.c14
-rw-r--r--servconf.h3
-rw-r--r--session.c4
-rw-r--r--sshd_config4
-rw-r--r--sshd_config.511
6 files changed, 33 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 54f7b0042..84283a3e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
4 [key.c key.h] 4 [key.c key.h]
5 fix potential stack exhaustion caused by nested certificates; 5 fix potential stack exhaustion caused by nested certificates;
6 report by Mateusz Kocielski; ok dtucker@ markus@ 6 report by Mateusz Kocielski; ok dtucker@ markus@
7 - djm@cvs.openbsd.org 2013/10/29 09:48:02
8 [servconf.c servconf.h session.c sshd_config sshd_config.5]
9 shd_config PermitTTY to disallow TTY allocation, mirroring the
10 longstanding no-pty authorized_keys option;
11 bz#2070, patch from Teran McKinney; ok markus@
7 12
820131026 1320131026
9 - (djm) OpenBSD CVS Sync 14 - (djm) OpenBSD CVS Sync
diff --git a/servconf.c b/servconf.c
index 82146723f..0f1bdd09a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
92 options->x11_forwarding = -1; 92 options->x11_forwarding = -1;
93 options->x11_display_offset = -1; 93 options->x11_display_offset = -1;
94 options->x11_use_localhost = -1; 94 options->x11_use_localhost = -1;
95 options->permit_tty = -1;
95 options->xauth_location = NULL; 96 options->xauth_location = NULL;
96 options->strict_modes = -1; 97 options->strict_modes = -1;
97 options->tcp_keep_alive = -1; 98 options->tcp_keep_alive = -1;
@@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
212 options->x11_use_localhost = 1; 213 options->x11_use_localhost = 1;
213 if (options->xauth_location == NULL) 214 if (options->xauth_location == NULL)
214 options->xauth_location = _PATH_XAUTH; 215 options->xauth_location = _PATH_XAUTH;
216 if (options->permit_tty == -1)
217 options->permit_tty = 1;
215 if (options->strict_modes == -1) 218 if (options->strict_modes == -1)
216 options->strict_modes = 1; 219 options->strict_modes = 1;
217 if (options->tcp_keep_alive == -1) 220 if (options->tcp_keep_alive == -1)
@@ -329,7 +332,7 @@ typedef enum {
329 sListenAddress, sAddressFamily, 332 sListenAddress, sAddressFamily,
330 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 333 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
331 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 334 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
332 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 335 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
333 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 336 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
334 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 337 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
335 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 338 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -462,6 +465,7 @@ static struct {
462 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 465 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
463 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 466 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
464 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 467 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
468 { "permittty", sPermitTTY, SSHCFG_ALL },
465 { "match", sMatch, SSHCFG_ALL }, 469 { "match", sMatch, SSHCFG_ALL },
466 { "permitopen", sPermitOpen, SSHCFG_ALL }, 470 { "permitopen", sPermitOpen, SSHCFG_ALL },
467 { "forcecommand", sForceCommand, SSHCFG_ALL }, 471 { "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -1132,6 +1136,10 @@ process_server_config_line(ServerOptions *options, char *line,
1132 charptr = &options->xauth_location; 1136 charptr = &options->xauth_location;
1133 goto parse_filename; 1137 goto parse_filename;
1134 1138
1139 case sPermitTTY:
1140 intptr = &options->permit_tty;
1141 goto parse_flag;
1142
1135 case sStrictModes: 1143 case sStrictModes:
1136 intptr = &options->strict_modes; 1144 intptr = &options->strict_modes;
1137 goto parse_flag; 1145 goto parse_flag;
@@ -1783,6 +1791,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1783 M_CP_INTOPT(x11_display_offset); 1791 M_CP_INTOPT(x11_display_offset);
1784 M_CP_INTOPT(x11_forwarding); 1792 M_CP_INTOPT(x11_forwarding);
1785 M_CP_INTOPT(x11_use_localhost); 1793 M_CP_INTOPT(x11_use_localhost);
1794 M_CP_INTOPT(permit_tty);
1786 M_CP_INTOPT(max_sessions); 1795 M_CP_INTOPT(max_sessions);
1787 M_CP_INTOPT(max_authtries); 1796 M_CP_INTOPT(max_authtries);
1788 M_CP_INTOPT(ip_qos_interactive); 1797 M_CP_INTOPT(ip_qos_interactive);
@@ -2013,6 +2022,7 @@ dump_config(ServerOptions *o)
2013 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2022 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2014 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2023 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2015 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2024 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2025 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2016 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2026 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2017 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2027 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2018 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2028 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff --git a/servconf.h b/servconf.h
index 98aad8ba2..2d4b6ecb4 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */ 1/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -82,6 +82,7 @@ typedef struct {
82 * searching at */ 82 * searching at */
83 int x11_use_localhost; /* If true, use localhost for fake X11 server. */ 83 int x11_use_localhost; /* If true, use localhost for fake X11 server. */
84 char *xauth_location; /* Location of xauth program */ 84 char *xauth_location; /* Location of xauth program */
85 int permit_tty; /* If false, deny pty allocation */
85 int strict_modes; /* If true, require string home dir modes. */ 86 int strict_modes; /* If true, require string home dir modes. */
86 int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ 87 int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
87 int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ 88 int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
diff --git a/session.c b/session.c
index 6e48a2fae..a0a0c2d9c 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -2062,7 +2062,7 @@ session_pty_req(Session *s)
2062 u_int len; 2062 u_int len;
2063 int n_bytes; 2063 int n_bytes;
2064 2064
2065 if (no_pty_flag) { 2065 if (no_pty_flag || !options.permit_tty) {
2066 debug("Allocating a pty not permitted for this authentication."); 2066 debug("Allocating a pty not permitted for this authentication.");
2067 return 0; 2067 return 0;
2068 } 2068 }
diff --git a/sshd_config b/sshd_config
index dbda7491e..235459af0 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $ 1# $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -101,6 +101,7 @@ AuthorizedKeysFile .ssh/authorized_keys
101#X11Forwarding no 101#X11Forwarding no
102#X11DisplayOffset 10 102#X11DisplayOffset 10
103#X11UseLocalhost yes 103#X11UseLocalhost yes
104#PermitTTY yes
104#PrintMotd yes 105#PrintMotd yes
105#PrintLastLog yes 106#PrintLastLog yes
106#TCPKeepAlive yes 107#TCPKeepAlive yes
@@ -127,4 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
127#Match User anoncvs 128#Match User anoncvs
128# X11Forwarding no 129# X11Forwarding no
129# AllowTcpForwarding no 130# AllowTcpForwarding no
131# PermitTTY no
130# ForceCommand cvs server 132# ForceCommand cvs server
diff --git a/sshd_config.5 b/sshd_config.5
index 0536cc3c6..c3e30e614 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $
37.Dd $Mdocdate: October 24 2013 $ 37.Dd $Mdocdate: October 29 2013 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -813,6 +813,7 @@ Available keywords are
813.Cm PermitEmptyPasswords , 813.Cm PermitEmptyPasswords ,
814.Cm PermitOpen , 814.Cm PermitOpen ,
815.Cm PermitRootLogin , 815.Cm PermitRootLogin ,
816.Cm PermitTTY ,
816.Cm PermitTunnel , 817.Cm PermitTunnel ,
817.Cm PubkeyAuthentication , 818.Cm PubkeyAuthentication ,
818.Cm RekeyLimit , 819.Cm RekeyLimit ,
@@ -942,6 +943,12 @@ and
942.Dq ethernet . 943.Dq ethernet .
943The default is 944The default is
944.Dq no . 945.Dq no .
946.It Cm PermitTTY
947Specifies whether
948.Xr pty 7
949allocation is permitted.
950The default is
951.Dq yes .
945.It Cm PermitUserEnvironment 952.It Cm PermitUserEnvironment
946Specifies whether 953Specifies whether
947.Pa ~/.ssh/environment 954.Pa ~/.ssh/environment