From 7844f357cdd90530eec81340847783f1f1da010b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 30 Nov 2016 03:00:05 +0000 Subject: [PATCH] upstream commit Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7 --- servconf.c | 14 ++++++++++++-- servconf.h | 3 ++- serverloop.c | 10 +++++----- session.c | 4 ++-- sshd_config.5 | 10 ++++++++-- 5 files changed, 29 insertions(+), 12 deletions(-) diff --git a/servconf.c b/servconf.c index e0bfbe67d..795ddbab7 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.300 2016/11/23 23:14:15 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options) options->ip_qos_bulk = -1; options->version_addendum = NULL; options->fingerprint_hash = -1; + options->disable_forwarding = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->disable_forwarding == -1) + options->disable_forwarding = 0; assemble_algorithms(options); @@ -414,7 +417,7 @@ typedef enum { sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, - sAllowStreamLocalForwarding, sFingerprintHash, + sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; @@ -557,6 +560,7 @@ static struct { { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, + { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1356,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->allow_agent_forwarding; goto parse_flag; + case sDisableForwarding: + intptr = &options->disable_forwarding; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; multistate_ptr = multistate_privsep; @@ -1965,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(allow_tcp_forwarding); M_CP_INTOPT(allow_streamlocal_forwarding); M_CP_INTOPT(allow_agent_forwarding); + M_CP_INTOPT(disable_forwarding); M_CP_INTOPT(permit_tun); M_CP_INTOPT(fwd_opts.gateway_ports); M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); @@ -2263,6 +2272,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); + dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); diff --git a/servconf.h b/servconf.h index 8af460f5a..5853a9747 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.122 2016/08/19 03:18:06 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.123 2016/11/30 03:00:05 djm Exp $ */ /* * Author: Tatu Ylonen @@ -125,6 +125,7 @@ typedef struct { int allow_tcp_forwarding; /* One of FORWARD_* */ int allow_streamlocal_forwarding; /* One of FORWARD_* */ int allow_agent_forwarding; + int disable_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; diff --git a/serverloop.c b/serverloop.c index 4a9a16d41..955f5cc91 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -447,7 +447,7 @@ server_request_direct_tcpip(void) /* XXX fine grained permissions */ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && - !no_port_forwarding_flag) { + !no_port_forwarding_flag && !options.disable_forwarding) { c = channel_connect_to_port(target, target_port, "direct-tcpip", "direct-tcpip"); } else { @@ -479,7 +479,7 @@ server_request_direct_streamlocal(void) /* XXX fine grained permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && - !no_port_forwarding_flag) { + !no_port_forwarding_flag && !options.disable_forwarding) { c = channel_connect_to_path(target, "direct-streamlocal@openssh.com", "direct-streamlocal"); } else { @@ -722,7 +722,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) /* check permissions */ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || - no_port_forwarding_flag || + no_port_forwarding_flag || options.disable_forwarding || (!want_reply && fwd.listen_port == 0) || (fwd.listen_port != 0 && !bind_permitted(fwd.listen_port, pw->pw_uid))) { @@ -760,7 +760,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) /* check permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 - || no_port_forwarding_flag) { + || no_port_forwarding_flag || options.disable_forwarding) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { diff --git a/session.c b/session.c index 85805f5a0..a08aa69d1 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.285 2016/08/23 16:21:45 otto Exp $ */ +/* $OpenBSD: session.c,v 1.286 2016/11/30 03:00:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -257,7 +257,7 @@ do_authenticated(Authctxt *authctxt) /* setup the channel layer */ /* XXX - streamlocal? */ - if (no_port_forwarding_flag || + if (no_port_forwarding_flag || options.disable_forwarding || (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) channel_disable_adm_local_opens(); else diff --git a/sshd_config.5 b/sshd_config.5 index 281de141f..32b29d240 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.238 2016/11/23 23:14:15 markus Exp $ -.Dd $Mdocdate: November 23 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $ +.Dd $Mdocdate: November 30 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -564,6 +564,12 @@ and finally See PATTERNS in .Xr ssh_config 5 for more information on patterns. +.It Cm DisableForwarding +Disables all forwarding features, including X11, +.Xr ssh-agent 1 , +TCP and StreamLocal. +This option overrides all other forwarding-related options and may +simplify restricted configurations. .It Cm FingerprintHash Specifies the hash algorithm used when logging key fingerprints. Valid options are: