RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2014/07/03 22:40:43 

[servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@
This commit is contained in:
Damien Miller 2014-07-04 09:00:04 +10:00
parent 602943d117
commit 72e6b5c9ed
6 changed files with 37 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -15,6 +15,11 @@
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family; GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@ bz#2222 ok markus@
- djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
20140703 20140703
- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto

14
servconf.c
View File

@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.250 2014/07/03 22:40:43 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
options->x11_display_offset = -1; options->x11_display_offset = -1;
options->x11_use_localhost = -1; options->x11_use_localhost = -1;
options->permit_tty = -1; options->permit_tty = -1;
options->permit_user_rc = -1;
options->xauth_location = NULL; options->xauth_location = NULL;
options->strict_modes = -1; options->strict_modes = -1;
options->tcp_keep_alive = -1; options->tcp_keep_alive = -1;
@ -216,6 +217,8 @@ fill_default_server_options(ServerOptions *options)
options->xauth_location = _PATH_XAUTH; options->xauth_location = _PATH_XAUTH;
if (options->permit_tty == -1) if (options->permit_tty == -1)
options->permit_tty = 1; options->permit_tty = 1;
if (options->permit_user_rc == -1)
options->permit_user_rc = 1;
if (options->strict_modes == -1) if (options->strict_modes == -1)
options->strict_modes = 1; options->strict_modes = 1;
if (options->tcp_keep_alive == -1) if (options->tcp_keep_alive == -1)
@ -347,7 +350,7 @@ typedef enum {
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum, sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@ -460,6 +463,7 @@ static struct {
{ "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "permittty", sPermitTTY, SSHCFG_ALL }, { "permittty", sPermitTTY, SSHCFG_ALL },
{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL },
@ -1130,6 +1134,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->permit_tty; intptr = &options->permit_tty;
goto parse_flag; goto parse_flag;
case sPermitUserRC:
intptr = &options->permit_user_rc;
goto parse_flag;
case sStrictModes: case sStrictModes:
intptr = &options->strict_modes; intptr = &options->strict_modes;
goto parse_flag; goto parse_flag;
@ -1766,6 +1774,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty); M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc);
M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
@ -2007,6 +2016,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
dump_cfg_fmtint(sPermitTTY, o->permit_tty); dump_cfg_fmtint(sPermitTTY, o->permit_tty);
dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
dump_cfg_fmtint(sStrictModes, o->strict_modes); dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);

3
servconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.113 2014/07/03 22:40:43 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -83,6 +83,7 @@ typedef struct {
int x11_use_localhost; /* If true, use localhost for fake X11 server. */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */ char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */ int permit_tty; /* If false, deny pty allocation */
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
int strict_modes; /* If true, require string home dir modes. */ int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */

5
session.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.272 2014/07/03 03:34:09 djm Exp $ */ /* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -1359,7 +1359,8 @@ do_rc_files(Session *s, const char *shell)
/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
if (!s->is_subsystem && options.adm_forced_command == NULL && if (!s->is_subsystem && options.adm_forced_command == NULL &&
!no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) { !no_user_rc && options.permit_user_rc &&
stat(_PATH_SSH_USER_RC, &st) >= 0) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'", snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC); shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag) if (debug_flag)

9
sshd.8
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.275 2014/04/19 18:15:16 tedu Exp $ .\" $OpenBSD: sshd.8,v 1.276 2014/07/03 22:40:43 djm Exp $
.Dd $Mdocdate: April 19 2014 $ .Dd $Mdocdate: July 3 2014 $
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
.Sh NAME .Sh NAME
@ -408,7 +408,10 @@ Changes to user's home directory.
.It .It
If If
.Pa ~/.ssh/rc .Pa ~/.ssh/rc
exists, runs it; else if exists and the
.Xr sshd_config 5
.Cm PermitUserRC
option is set, runs it; else if
.Pa /etc/ssh/sshrc .Pa /etc/ssh/sshrc
exists, runs exists, runs
it; otherwise runs xauth. it; otherwise runs xauth.

11
sshd_config.5
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $ .\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $
.Dd $Mdocdate: March 28 2014 $ .Dd $Mdocdate: July 3 2014 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -912,6 +912,7 @@ Available keywords are
.Cm PermitRootLogin , .Cm PermitRootLogin ,
.Cm PermitTTY , .Cm PermitTTY ,
.Cm PermitTunnel , .Cm PermitTunnel ,
.Cm PermitUserRC ,
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
.Cm RekeyLimit , .Cm RekeyLimit ,
.Cm RhostsRSAAuthentication , .Cm RhostsRSAAuthentication ,
@ -1060,6 +1061,12 @@ The default is
Enabling environment processing may enable users to bypass access Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD . .Ev LD_PRELOAD .
.It Cm PermitUserRC
Specifies whether any
.Pa ~/.ssh/rc
file is executed.
The default is
.Dq yes .
.It Cm PidFile .It Cm PidFile
Specifies the file that contains the process ID of the Specifies the file that contains the process ID of the
SSH daemon. SSH daemon.