mirror of git://anongit.mindrot.org/openssh.git
- djm@cvs.openbsd.org 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
This commit is contained in:
Damien Miller
parent
4a3a9d4bbf
commit
5ff30c6b68
|
|
@ -4,6 +4,11 @@
|
|||
[key.c key.h]
|
||||
fix potential stack exhaustion caused by nested certificates;
|
||||
report by Mateusz Kocielski; ok dtucker@ markus@
|
||||
- djm@cvs.openbsd.org 2013/10/29 09:48:02
|
||||
[servconf.c servconf.h session.c sshd_config sshd_config.5]
|
||||
shd_config PermitTTY to disallow TTY allocation, mirroring the
|
||||
longstanding no-pty authorized_keys option;
|
||||
bz#2070, patch from Teran McKinney; ok markus@
|
||||
|
||||
20131026
|
||||
- (djm) OpenBSD CVS Sync
|
||||
|
|
|
|||
14
servconf.c
14
servconf.c
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
|
@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->x11_forwarding = -1;
|
||||
options->x11_display_offset = -1;
|
||||
options->x11_use_localhost = -1;
|
||||
options->permit_tty = -1;
|
||||
options->xauth_location = NULL;
|
||||
options->strict_modes = -1;
|
||||
options->tcp_keep_alive = -1;
|
||||
|
|
@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->x11_use_localhost = 1;
|
||||
if (options->xauth_location == NULL)
|
||||
options->xauth_location = _PATH_XAUTH;
|
||||
if (options->permit_tty == -1)
|
||||
options->permit_tty = 1;
|
||||
if (options->strict_modes == -1)
|
||||
options->strict_modes = 1;
|
||||
if (options->tcp_keep_alive == -1)
|
||||
|
|
@ -329,7 +332,7 @@ typedef enum {
|
|||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
|
|
@ -462,6 +465,7 @@ static struct {
|
|||
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
|
||||
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
|
||||
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
|
||||
{ "permittty", sPermitTTY, SSHCFG_ALL },
|
||||
{ "match", sMatch, SSHCFG_ALL },
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
|
|
@ -1132,6 +1136,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
charptr = &options->xauth_location;
|
||||
goto parse_filename;
|
||||
|
||||
case sPermitTTY:
|
||||
intptr = &options->permit_tty;
|
||||
goto parse_flag;
|
||||
|
||||
case sStrictModes:
|
||||
intptr = &options->strict_modes;
|
||||
goto parse_flag;
|
||||
|
|
@ -1783,6 +1791,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
|||
M_CP_INTOPT(x11_display_offset);
|
||||
M_CP_INTOPT(x11_forwarding);
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(permit_tty);
|
||||
M_CP_INTOPT(max_sessions);
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
|
|
@ -2013,6 +2022,7 @@ dump_config(ServerOptions *o)
|
|||
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
|
||||
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
|
||||
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
|
||||
dump_cfg_fmtint(sPermitTTY, o->permit_tty);
|
||||
dump_cfg_fmtint(sStrictModes, o->strict_modes);
|
||||
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
|
||||
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
|
@ -82,6 +82,7 @@ typedef struct {
|
|||
* searching at */
|
||||
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
||||
char *xauth_location; /* Location of xauth program */
|
||||
int permit_tty; /* If false, deny pty allocation */
|
||||
int strict_modes; /* If true, require string home dir modes. */
|
||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
||||
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
|
@ -2062,7 +2062,7 @@ session_pty_req(Session *s)
|
|||
u_int len;
|
||||
int n_bytes;
|
||||
|
||||
if (no_pty_flag) {
|
||||
if (no_pty_flag || !options.permit_tty) {
|
||||
debug("Allocating a pty not permitted for this authentication.");
|
||||
return 0;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $
|
||||
# $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
|
@ -101,6 +101,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||
#X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
|
|
@ -127,4 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
|
|||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
|
|
|
|||
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $
|
||||
.Dd $Mdocdate: October 24 2013 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $
|
||||
.Dd $Mdocdate: October 29 2013 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
|
@ -813,6 +813,7 @@ Available keywords are
|
|||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
.Cm PermitRootLogin ,
|
||||
.Cm PermitTTY ,
|
||||
.Cm PermitTunnel ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RekeyLimit ,
|
||||
|
|
@ -942,6 +943,12 @@ and
|
|||
.Dq ethernet .
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm PermitTTY
|
||||
Specifies whether
|
||||
.Xr pty 7
|
||||
allocation is permitted.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm PermitUserEnvironment
|
||||
Specifies whether
|
||||
.Pa ~/.ssh/environment
|
||||
|
|
|
|||
Loading…
Reference in New Issue