From 7844f357cdd90530eec81340847783f1f1da010b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 30 Nov 2016 03:00:05 +0000 Subject: upstream commit Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7 --- sshd_config.5 | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 281de141f..32b29d240 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $ -.Dd $Mdocdate: November 23 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $ +.Dd $Mdocdate: November 30 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -564,6 +564,12 @@ and finally See PATTERNS in .Xr ssh_config 5 for more information on patterns. +.It Cm DisableForwarding +Disables all forwarding features, including X11, +.Xr ssh-agent 1 , +TCP and StreamLocal. +This option overrides all other forwarding-related options and may +simplify restricted configurations. .It Cm FingerprintHash Specifies the hash algorithm used when logging key fingerprints. Valid options are: -- cgit v1.2.3
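Review bot: the new DisableForwarding entry in the second hunk (@@ -564,6 +564,12 @@) omits tunnel forwarding from its list, although the commit message names it among the features the option disables. The entry reads "including X11, ssh-agent, TCP and StreamLocal", so an administrator auditing a restricted account from the man page alone cannot confirm that tunnel forwarding is covered; suggest adding it to the list. The entry also does not state the accepted arguments or the default, which the neighbouring entries do (FingerprintHash continues with "Valid options are:"), and "overrides all other forwarding-related options" would be clearer if it said that enabling this option wins even when one of those options explicitly permits forwarding.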