mirror of git://anongit.mindrot.org/openssh.git
upstream commit
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
This commit is contained in:
parent
fd6dcef203
commit
7844f357cd
14
servconf.c
14
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
|
@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
|
@ -414,7 +417,7 @@ typedef enum {
|
|||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
|
@ -557,6 +560,7 @@ static struct {
|
|||
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
|
||||
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
|
||||
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
||||
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
|
@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
intptr = &options->allow_agent_forwarding;
|
||||
goto parse_flag;
|
||||
|
||||
case sDisableForwarding:
|
||||
intptr = &options->disable_forwarding;
|
||||
goto parse_flag;
|
||||
|
||||
case sUsePrivilegeSeparation:
|
||||
intptr = &use_privsep;
|
||||
multistate_ptr = multistate_privsep;
|
||||
|
@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
|||
M_CP_INTOPT(allow_tcp_forwarding);
|
||||
M_CP_INTOPT(allow_streamlocal_forwarding);
|
||||
M_CP_INTOPT(allow_agent_forwarding);
|
||||
M_CP_INTOPT(disable_forwarding);
|
||||
M_CP_INTOPT(permit_tun);
|
||||
M_CP_INTOPT(fwd_opts.gateway_ports);
|
||||
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
|
||||
|
@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o)
|
|||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.123 2016/11/30 03:00:05 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -125,6 +125,7 @@ typedef struct {
|
|||
int allow_tcp_forwarding; /* One of FORWARD_* */
|
||||
int allow_streamlocal_forwarding; /* One of FORWARD_* */
|
||||
int allow_agent_forwarding;
|
||||
int disable_forwarding;
|
||||
u_int num_allow_users;
|
||||
char *allow_users[MAX_ALLOW_USERS];
|
||||
u_int num_deny_users;
|
||||
|
|
10
serverloop.c
10
serverloop.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
|
||||
/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -447,7 +447,7 @@ server_request_direct_tcpip(void)
|
|||
|
||||
/* XXX fine grained permissions */
|
||||
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
|
||||
!no_port_forwarding_flag) {
|
||||
!no_port_forwarding_flag && !options.disable_forwarding) {
|
||||
c = channel_connect_to_port(target, target_port,
|
||||
"direct-tcpip", "direct-tcpip");
|
||||
} else {
|
||||
|
@ -479,7 +479,7 @@ server_request_direct_streamlocal(void)
|
|||
|
||||
/* XXX fine grained permissions */
|
||||
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
|
||||
!no_port_forwarding_flag) {
|
||||
!no_port_forwarding_flag && !options.disable_forwarding) {
|
||||
c = channel_connect_to_path(target,
|
||||
"direct-streamlocal@openssh.com", "direct-streamlocal");
|
||||
} else {
|
||||
|
@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
|
|||
|
||||
/* check permissions */
|
||||
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
|
||||
no_port_forwarding_flag ||
|
||||
no_port_forwarding_flag || options.disable_forwarding ||
|
||||
(!want_reply && fwd.listen_port == 0) ||
|
||||
(fwd.listen_port != 0 &&
|
||||
!bind_permitted(fwd.listen_port, pw->pw_uid))) {
|
||||
|
@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
|
|||
|
||||
/* check permissions */
|
||||
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|
||||
|| no_port_forwarding_flag) {
|
||||
|| no_port_forwarding_flag || options.disable_forwarding) {
|
||||
success = 0;
|
||||
packet_send_debug("Server has disabled port forwarding.");
|
||||
} else {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.285 2016/08/23 16:21:45 otto Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.286 2016/11/30 03:00:05 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -257,7 +257,7 @@ do_authenticated(Authctxt *authctxt)
|
|||
|
||||
/* setup the channel layer */
|
||||
/* XXX - streamlocal? */
|
||||
if (no_port_forwarding_flag ||
|
||||
if (no_port_forwarding_flag || options.disable_forwarding ||
|
||||
(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
|
||||
channel_disable_adm_local_opens();
|
||||
else
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $
|
||||
.Dd $Mdocdate: November 23 2016 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
|
||||
.Dd $Mdocdate: November 30 2016 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -564,6 +564,12 @@ and finally
|
|||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
for more information on patterns.
|
||||
.It Cm DisableForwarding
|
||||
Disables all forwarding features, including X11,
|
||||
.Xr ssh-agent 1 ,
|
||||
TCP and StreamLocal.
|
||||
This option overrides all other forwarding-related options and may
|
||||
simplify restricted configurations.
|
||||
.It Cm FingerprintHash
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are:
|
||||
|
|
Loading…
Reference in New Issue