From bdf3e89f1a6d9697c627660cb5ae9828c89ce8f7 Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Thu, 27 Jun 2002 16:59:50 +0000 Subject: 20020628 - (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented options should contain default value. from solar. --- sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sshd_config') diff --git a/sshd_config b/sshd_config index d57346bef..24c4e059e 100644 --- a/sshd_config +++ b/sshd_config @@ -71,7 +71,7 @@ # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt yes +#PAMAuthenticationViaKbdInt no #X11Forwarding no #X11DisplayOffset 10 -- cgit v1.2.3 From 5d860f02ca352cd8e51fe266cc2e1b5d58704964 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 1 Aug 2002 01:28:38 +0000 Subject: - markus@cvs.openbsd.org 2002/07/30 17:03:55 [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5] add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt --- ChangeLog | 6 +++++- auth-options.c | 5 +++-- servconf.c | 12 ++++++++++-- servconf.h | 3 ++- session.c | 4 ++-- sshd_config | 3 ++- sshd_config.5 | 17 ++++++++++++++++- 7 files changed, 40 insertions(+), 10 deletions(-) (limited to 'sshd_config') diff --git a/ChangeLog b/ChangeLog index 9657aca12..74ce05354 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ - markus@cvs.openbsd.org 2002/07/29 18:57:30 [sshconnect.c] print file:line + - markus@cvs.openbsd.org 2002/07/30 17:03:55 + [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5] + add PermitUserEnvironment (off by default!); from dot@dotat.at; + ok provos, deraadt 20020730 - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de @@ -1486,4 +1490,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2412 2002/08/01 01:26:29 mouring Exp $ +$Id: ChangeLog,v 1.2413 2002/08/01 01:28:38 mouring Exp $ diff --git a/auth-options.c b/auth-options.c index 41a29f79c..8595fdc14 100644 --- a/auth-options.c +++ b/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.25 2002/07/21 18:32:20 stevesk Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $"); #include "xmalloc.h" #include "match.h" @@ -133,7 +133,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) goto next_option; } cp = "environment=\""; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { + if (options.permit_user_env && + strncasecmp(opts, cp, strlen(cp)) == 0) { char *s; struct envstring *new_envstring; diff --git a/servconf.c b/servconf.c index bdf39afb8..50fccdda8 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.113 2002/07/30 17:03:55 markus Exp $"); #if defined(KRB4) #include @@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options) options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; + options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; @@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options) options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; + if (options->permit_user_env == -1) + options->permit_user_env = 0; if (options->use_login == -1) options->use_login = 0; if (options->compression == -1) @@ -291,7 +294,7 @@ typedef enum { sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, - sUseLogin, sAllowTcpForwarding, sCompression, + sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, @@ -354,6 +357,7 @@ static struct { { "xauthlocation", sXAuthLocation }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, + { "permituserenvironment", sPermitUserEnvironment }, { "uselogin", sUseLogin }, { "compression", sCompression }, { "keepalive", sKeepAlives }, @@ -713,6 +717,10 @@ parse_flag: intptr = &options->permit_empty_passwd; goto parse_flag; + case sPermitUserEnvironment: + intptr = &options->permit_user_env; + goto parse_flag; + case sUseLogin: intptr = &options->use_login; goto parse_flag; diff --git a/servconf.h b/servconf.h index c94f541d0..024987dd6 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */ /* * Author: Tatu Ylonen @@ -97,6 +97,7 @@ typedef struct { int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; diff --git a/session.c b/session.c index e2e30340c..f2a1bf015 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.145 2002/07/22 11:03:06 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.146 2002/07/30 17:03:55 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *shell) auth_sock_name); /* read $HOME/.ssh/environment. */ - if (!options.use_login) { + if (options.permit_user_env && !options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); diff --git a/sshd_config b/sshd_config index 24c4e059e..f20d812ee 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $ +# $OpenBSD: sshd_config,v 1.57 2002/07/30 17:03:55 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -81,6 +81,7 @@ #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes +#PermitUserEnvironment no #Compression yes #MaxStartups 10 diff --git a/sshd_config.5 b/sshd_config.5 index 6625865ef..f43b2bb9b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.5 2002/07/09 17:46:25 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.6 2002/07/30 17:03:55 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -465,6 +465,21 @@ for root. If this option is set to .Dq no root is not allowed to login. +.It Cm PermitUserEnvironment +Specifies whether +.Pa ~/.ssh/environment +is read by +.Nm sshd +and whether +.Cm environment= +options in +.Pa ~/.ssh/authorized_keys +files are permitted. +The default is +.Dq no . +This option is useful for locked-down installations where +.Ev LD_PRELOAD +and suchlike can cause security problems. .It Cm PidFile Specifies the file that contains the process ID of the .Nm sshd -- cgit v1.2.3 From f771ab75f0a275e315857dfcee2a5cf284684907 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 4 Sep 2002 16:25:52 +1000 Subject: - stevesk@cvs.openbsd.org 2002/08/21 19:38:06 [servconf.c sshd.8 sshd_config sshd_config.5] change LoginGraceTime default to 1 minute; ok mouring@ markus@ --- ChangeLog | 5 ++++- servconf.c | 4 ++-- sshd.8 | 4 ++-- sshd_config | 4 ++-- sshd_config.5 | 4 ++-- 5 files changed, 12 insertions(+), 9 deletions(-) (limited to 'sshd_config') diff --git a/ChangeLog b/ChangeLog index 0936c83c9..290fd48fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ [sshd.8] `RSA' updated to refer to `public key', where it matters. okay markus@ + - stevesk@cvs.openbsd.org 2002/08/21 19:38:06 + [servconf.c sshd.8 sshd_config sshd_config.5] + change LoginGraceTime default to 1 minute; ok mouring@ markus@ 20020820 - OpenBSD CVS Sync @@ -1548,4 +1551,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2428 2002/09/04 06:24:55 djm Exp $ +$Id: ChangeLog,v 1.2429 2002/09/04 06:25:52 djm Exp $ diff --git a/servconf.c b/servconf.c index 50fccdda8..211ebf6b0 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.113 2002/07/30 17:03:55 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.114 2002/08/21 19:38:06 stevesk Exp $"); #if defined(KRB4) #include @@ -159,7 +159,7 @@ fill_default_server_options(ServerOptions *options) if (options->server_key_bits == -1) options->server_key_bits = 768; if (options->login_grace_time == -1) - options->login_grace_time = 600; + options->login_grace_time = 60; if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) diff --git a/sshd.8 b/sshd.8 index 2849a8b4c..c195c959e 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.189 2002/08/21 11:20:59 espie Exp $ +.\" $OpenBSD: sshd.8,v 1.190 2002/08/21 19:38:06 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -203,7 +203,7 @@ The default is refuses to start if there is no configuration file. .It Fl g Ar login_grace_time Gives the grace time for clients to authenticate themselves (default -600 seconds). +60 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. diff --git a/sshd_config b/sshd_config index f20d812ee..527a58981 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.57 2002/07/30 17:03:55 markus Exp $ +# $OpenBSD: sshd_config,v 1.58 2002/08/21 19:38:06 stevesk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -32,7 +32,7 @@ # Authentication: -#LoginGraceTime 600 +#LoginGraceTime 60 #PermitRootLogin yes #StrictModes yes diff --git a/sshd_config.5 b/sshd_config.5 index 0c799bfe8..1551126cf 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.9 2002/08/12 17:30:35 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.10 2002/08/21 19:38:06 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -379,7 +379,7 @@ options must precede this option for non port qualified addresses. The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. -The default is 600 (seconds). +The default is 60 seconds. .It Cm LogLevel Gives the verbosity level that is used when logging messages from .Nm sshd . -- cgit v1.2.3 From d681d2602c87f7652a84b43f3521c4b06731e844 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 27 Sep 2002 13:21:57 +1000 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/09/25 11:17:16 [sshd_config] sync LoginGraceTime with default --- ChangeLog | 8 +++++++- sshd_config | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'sshd_config') diff --git a/ChangeLog b/ChangeLog index 24074d183..b5e3f2ed1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20020927 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2002/09/25 11:17:16 + [sshd_config] + sync LoginGraceTime with default + 20020925 - (bal) Fix issue where successfull login does not clear failure counts in AIX. Patch by dtucker@zip.com.au ok by djm @@ -721,4 +727,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2482 2002/09/26 00:38:46 tim Exp $ +$Id: ChangeLog,v 1.2483 2002/09/27 03:21:57 djm Exp $ diff --git a/sshd_config b/sshd_config index 527a58981..36429c9d0 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.58 2002/08/21 19:38:06 stevesk Exp $ +# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -32,7 +32,7 @@ # Authentication: -#LoginGraceTime 60 +#LoginGraceTime 120 #PermitRootLogin yes #StrictModes yes -- cgit v1.2.3