From 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 16 Nov 2015 00:30:02 +0000 Subject: upstream commit Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. Example: restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1... Idea from Jann Horn; ok markus@ Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0 --- sshd.8 | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index 3b20d9f32..9bf3d5bb2 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $ -.Dd $Mdocdate: September 11 2015 $ +.\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $ +.Dd $Mdocdate: November 16 2015 $ .Dt SSHD 8 .Os .Sh NAME @@ -522,6 +522,10 @@ No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive): .Bl -tag -width Ds +.It Cm agent-forwarding +Enable authentication agent forwarding previously disabled by the +.Cm restrict +option. .It Cm cert-authority Specifies that the listed key is a certification authority (CA) that is trusted to validate signed certificates for user authentication. @@ -616,6 +620,9 @@ they must be literal domains or addresses. A port specification of .Cm * matches any port. +.It Cm port-forwarding +Enable port forwarding previously disabled by the +.Cm restrict .It Cm principals="principals" On a .Cm cert-authority @@ -627,12 +634,33 @@ This option is ignored for keys that are not marked as trusted certificate signers using the .Cm cert-authority option. +.It Cm pty +Permits tty allocation previously disabled by the +.Cm restrict +option. +.It Cm restrict +Enable all restrictions, i.e. disable port, agent and X11 forwarding, +as well as disabling PTY allocation +and execution of +.Pa ~/.ssh/rc . +If any future restriction capabilities are added to authorized_keys files +they will be included in this set. .It Cm tunnel="n" Force a .Xr tun 4 device on the server. Without this option, the next available device will be used if the client requests a tunnel. +.It Cm user-rc +Enables execution of +.Pa ~/.ssh/rc +previously disabled by the +.Cm restrict +option. +.It Cm X11-forwarding +Permits X11 forwarding previously disabled by the +.Cm restrict +option. .El .Pp An example authorized_keys file: @@ -647,6 +675,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S== tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net +restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== +user@example.net +restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== +user@example.net .Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The -- cgit v1.2.3