summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--auth-options.c11
-rw-r--r--auth-options.h3
-rw-r--r--session.c4
-rw-r--r--sshd.87
5 files changed, 23 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index c9b1ec67a..7da2b8b82 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -40,6 +40,9 @@
40 - djm@cvs.openbsd.org 2008/03/25 23:01:41 40 - djm@cvs.openbsd.org 2008/03/25 23:01:41
41 [session.c] 41 [session.c]
42 last patch had backwards test; spotted by termim AT gmail.com 42 last patch had backwards test; spotted by termim AT gmail.com
43 - djm@cvs.openbsd.org 2008/03/26 21:28:14
44 [auth-options.c auth-options.h session.c sshd.8]
45 add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
43 46
4420080315 4720080315
45 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are 48 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
@@ -3808,4 +3811,4 @@
3808 OpenServer 6 and add osr5bigcrypt support so when someone migrates 3811 OpenServer 6 and add osr5bigcrypt support so when someone migrates
3809 passwords between UnixWare and OpenServer they will still work. OK dtucker@ 3812 passwords between UnixWare and OpenServer they will still work. OK dtucker@
3810 3813
3811$Id: ChangeLog,v 1.4888 2008/03/27 00:02:27 djm Exp $ 3814$Id: ChangeLog,v 1.4889 2008/03/27 00:03:05 djm Exp $
diff --git a/auth-options.c b/auth-options.c
index ca5e1c931..6e2256961 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,6 +42,7 @@ int no_port_forwarding_flag = 0;
42int no_agent_forwarding_flag = 0; 42int no_agent_forwarding_flag = 0;
43int no_x11_forwarding_flag = 0; 43int no_x11_forwarding_flag = 0;
44int no_pty_flag = 0; 44int no_pty_flag = 0;
45int no_user_rc = 0;
45 46
46/* "command=" option. */ 47/* "command=" option. */
47char *forced_command = NULL; 48char *forced_command = NULL;
@@ -61,6 +62,7 @@ auth_clear_options(void)
61 no_port_forwarding_flag = 0; 62 no_port_forwarding_flag = 0;
62 no_pty_flag = 0; 63 no_pty_flag = 0;
63 no_x11_forwarding_flag = 0; 64 no_x11_forwarding_flag = 0;
65 no_user_rc = 0;
64 while (custom_environment) { 66 while (custom_environment) {
65 struct envstring *ce = custom_environment; 67 struct envstring *ce = custom_environment;
66 custom_environment = ce->next; 68 custom_environment = ce->next;
@@ -121,6 +123,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
121 opts += strlen(cp); 123 opts += strlen(cp);
122 goto next_option; 124 goto next_option;
123 } 125 }
126 cp = "no-user-rc";
127 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
128 auth_debug_add("User rc file execution disabled.");
129 no_user_rc = 1;
130 opts += strlen(cp);
131 goto next_option;
132 }
124 cp = "command=\""; 133 cp = "command=\"";
125 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 134 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
126 opts += strlen(cp); 135 opts += strlen(cp);
diff --git a/auth-options.h b/auth-options.h
index 853f8b517..14488f72d 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -26,6 +26,7 @@ extern int no_port_forwarding_flag;
26extern int no_agent_forwarding_flag; 26extern int no_agent_forwarding_flag;
27extern int no_x11_forwarding_flag; 27extern int no_x11_forwarding_flag;
28extern int no_pty_flag; 28extern int no_pty_flag;
29extern int no_user_rc;
29extern char *forced_command; 30extern char *forced_command;
30extern struct envstring *custom_environment; 31extern struct envstring *custom_environment;
31extern int forced_tun_device; 32extern int forced_tun_device;
diff --git a/session.c b/session.c
index 6d9e36e46..a77dde38f 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -1204,7 +1204,7 @@ do_rc_files(Session *s, const char *shell)
1204 1204
1205 /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ 1205 /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
1206 if (!s->is_subsystem && options.adm_forced_command == NULL && 1206 if (!s->is_subsystem && options.adm_forced_command == NULL &&
1207 (stat(_PATH_SSH_USER_RC, &st) >= 0)) { 1207 !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
1208 snprintf(cmd, sizeof cmd, "%s -c '%s %s'", 1208 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
1209 shell, _PATH_BSHELL, _PATH_SSH_USER_RC); 1209 shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
1210 if (debug_flag) 1210 if (debug_flag)
diff --git a/sshd.8 b/sshd.8
index b91ca4fc7..cc44e5471 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $ 37.\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $
38.Dd $Mdocdate: February 11 2008 $ 38.Dd $Mdocdate: March 26 2008 $
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -531,6 +531,9 @@ This might be used, e.g. in connection with the
531option. 531option.
532.It Cm no-pty 532.It Cm no-pty
533Prevents tty allocation (a request to allocate a pty will fail). 533Prevents tty allocation (a request to allocate a pty will fail).
534.It Cm no-user-rc
535Disables execution of
536.Pa ~/.ssh/rc .
534.It Cm no-X11-forwarding 537.It Cm no-X11-forwarding
535Forbids X11 forwarding when this key is used for authentication. 538Forbids X11 forwarding when this key is used for authentication.
536Any X11 forward requests by the client will return an error. 539Any X11 forward requests by the client will return an error.