-rw-r--r-- | servconf.c | 40 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | session.c | 19 | ||||
-rw-r--r-- | sshd_config.5 | 10 |
4 files changed, 62 insertions, 11 deletions
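diff --git a/servconf.c b/servconf.c
index cb5786583..a41fdc26a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions *options)
 options->challenge_response_authentication = -1;
 options->permit_empty_passwd = -1;
 options->permit_user_env = -1;
+options->permit_user_env_whitelist = NULL;
 options->compression = -1;
 options->rekey_limit = -1;
 options->rekey_interval = -1;
@@ -329,8 +330,10 @@ fill_default_server_options(ServerOptions *options)
 options->challenge_response_authentication = 1;
 if (options->permit_empty_passwd == -1)
 options->permit_empty_passwd = 0;
-if (options->permit_user_env == -1)
+if (options->permit_user_env == -1) {
 options->permit_user_env = 0;
+options->permit_user_env_whitelist = NULL;
+}
 if (options->compression == -1)
 options->compression = COMP_DELAYED;
 if (options->rekey_limit == -1)
@@ -1514,7 +1517,29 @@ process_server_config_line(ServerOptions *options, char *line,
 
 case sPermitUserEnvironment:
 intptr = &options->permit_user_env;
-goto parse_flag;
+charptr = &options->permit_user_env_whitelist;
+arg = strdelim(&cp);
+if (!arg || *arg == '\0')
+fatal("%s line %d: missing argument.",
+filename, linenum);
+value = 0;
+p = NULL;
+if (strcmp(arg, "yes") == 0)
+value = 1;
+else if (strcmp(arg, "no") == 0)
+value = 0;
+else {
+/* Pattern-list specified */
+value = 1;
+p = xstrdup(arg);
+}
+if (*activep && *intptr == -1) {
+*intptr = value;
+*charptr = p;
+p = NULL;
+}
+free(p);
+break;
 
 case sCompression:
 intptr = &options->compression;
@@ -2528,7 +2553,6 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sStrictModes, o->strict_modes);
 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
-dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 dump_cfg_fmtint(sCompression, o->compression);
 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -2628,4 +2652,12 @@ dump_config(ServerOptions *o)
 printf(" %s", o->permitted_listens[i]);
 }
 printf("\n");
+
+if (o->permit_user_env_whitelist == NULL) {
+dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
+} else {
+printf("permituserenvironment %s\n",
+o->permit_user_env_whitelist);
+}
+
 }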
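Review bot: The `yes`/`no` tests in the new sPermitUserEnvironment case (new lines 1527-1530) use strcmp, so a config containing `PermitUserEnvironment Yes` is no longer read as the flag but as a pattern-list that permits only a variable literally named `Yes`; the parse_flag path this replaces matches its keywords case-insensitively as far as I recall, so this is a silent behaviour change for existing configs (fail-closed, since fewer variables get through, but still surprising). Use `if (strcasecmp(arg, "yes") == 0)` and `else if (strcasecmp(arg, "no") == 0)` to keep the previous acceptance. The pattern-list branch itself is sound: the xstrdup'd string is stored only when `*activep && *intptr == -1` holds and is freed on every other path, so an inactive Match block does not leak it. process_server_config_line starts and ends outside the hunk.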
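diff --git a/servconf.h b/servconf.h
index db8362c60..73327135b 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.135 2018/07/03 10:59:35 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -133,6 +133,7 @@ typedef struct {
 int permit_empty_passwd; /* If false, do not permit empty
 * passwords. */
 int permit_user_env; /* If true, read ~/.ssh/environment */
+char *permit_user_env_whitelist; /* pattern-list whitelist */
 int compression; /* If true, compression is allowed */
 int allow_tcp_forwarding; /* One of FORWARD_* */
 int allow_streamlocal_forwarding; /* One of FORWARD_* */
@@ -242,6 +243,7 @@ struct connection_info {
 M_CP_STROPT(hostbased_key_types); \
 M_CP_STROPT(pubkey_key_types); \
 M_CP_STROPT(routing_domain); \
+M_CP_STROPT(permit_user_env_whitelist); \
 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 M_CP_STRARRAYOPT(deny_users, num_deny_users); \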
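Review bot: The comment on the new field at line 136, `/* pattern-list whitelist */`, does not say what a NULL value means, and both consumers added in session.c treat NULL as "no name filtering" while the ~/.ssh/environment path only consults the list once permit_user_env is set. Suggest `char *permit_user_env_whitelist; /* pattern-list of permitted variable names; NULL = accept all */` so the contract is visible at the declaration rather than only in the callers. The M_CP_STROPT entry at line 246 is the right macro for a plain string option, so Match-block copies of the list look correct.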
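--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: session.c,v 1.301 2018/07/03 10:59:35 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -867,10 +867,12 @@ check_quietlogin(Session *s, const char *command)
 * into the environment. If the file does not exist, this does nothing.
 * Otherwise, it must consist of empty lines, comments (line starts with '#')
 * and assignments of the form name=value. No other forms are allowed.
+* If whitelist is not NULL, then it is interpreted as a pattern list and
+* only variable names that match it will be accepted.
 */
 static void
 read_environment_file(char ***env, u_int *envsize,
-const char *filename)
+const char *filename, const char *whitelist)
 {
 FILE *f;
 char *line = NULL, *cp, *value;
@@ -903,6 +905,9 @@ read_environment_file(char ***env, u_int *envsize,
 */
 *value = '\0';
 value++;
+if (whitelist != NULL &&
+match_pattern_list(cp, whitelist, 0) != 1)
+continue;
 child_set_env(env, envsize, cp, value);
 }
 free(line);
@@ -1121,7 +1126,12 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 cp = strchr(ocp, '=');
 if (*cp == '=') {
 *cp = '\0';
-child_set_env(&env, &envsize, ocp, cp + 1);
+/* Apply PermitUserEnvironment whitelist */
+if (options.permit_user_env_whitelist == NULL ||
+match_pattern_list(ocp,
+options.permit_user_env_whitelist, 0) == 1)
+child_set_env(&env, &envsize,
+ocp, cp + 1);
 }
 free(ocp);
 }
@@ -1131,7 +1141,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 if (options.permit_user_env) {
 snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
 pw->pw_dir);
-read_environment_file(&env, &envsize, buf);
+read_environment_file(&env, &envsize, buf,
+options.permit_user_env_whitelist);
 }
 
 #ifdef USE_PAM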
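Review bot: The whitelist test is now written twice with slightly different shapes, once in read_environment_file (new lines 908-910) and once in do_setup_env (new lines 1130-1132), and both drop a rejected variable silently, so an administrator whose `LC_*` pattern does not match what they expected gets no trace in the debug log. Pulling the check into one static helper that also emits a debug2 line keeps the two policy points from drifting apart and makes the filtering observable when run with -d. Both read_environment_file and do_setup_env start and end outside their hunks, so the helper would sit above read_environment_file.
```c
/*
 * Returns 1 if an environment variable called 'name' may be set under the
 * PermitUserEnvironment pattern-list 'whitelist'; a NULL list permits every
 * name.  Rejections are logged at debug2 so filtering is visible in -d output.
 */
static int
env_name_permitted(const char *name, const char *whitelist)
{
	if (whitelist == NULL)
		return 1;
	if (match_pattern_list(name, whitelist, 0) == 1)
		return 1;
	debug2("%s: environment variable %s not permitted by "
	    "PermitUserEnvironment pattern-list", __func__, name);
	return 0;
}

/* … unchanged: read_environment_file up to the name/value split … */
			if (!env_name_permitted(cp, whitelist))
				continue;
			child_set_env(env, envsize, cp, value);

/* … unchanged: do_setup_env loop body up to *cp = '\0' … */
			if (env_name_permitted(ocp,
			    options.permit_user_env_whitelist))
				child_set_env(&env, &envsize, ocp, cp + 1);
```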
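diff --git a/sshd_config.5 b/sshd_config.5
index 86d2d421b..60c5f4bd3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.277 2018/06/19 05:36:57 jmc Exp $
-.Dd $Mdocdate: June 19 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.278 2018/07/03 10:59:35 djm Exp $
+.Dd $Mdocdate: July 3 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1332,6 +1332,12 @@ options in
 .Pa ~/.ssh/authorized_keys
 are processed by
 .Xr sshd 8 .
+Valid options are
+.Cm yes ,
+.Cm no
+or a pattern-list specifying which environment variable names to accept
+(for example
+.Qq LANG,LC_* ) .
 The default is
 .Cm no .
 Enabling environment processing may enable users to bypass access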