diff options
Diffstat (limited to '')
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | servconf.c | 13 | ||||
| -rw-r--r-- | servconf.h | 3 | ||||
| -rw-r--r-- | session.c | 7 | ||||
| -rw-r--r-- | sshd_config.5 | 13 |
5 files changed, 38 insertions, 9 deletions
@@ -43,6 +43,15 @@ [ssh-keyscan.1 ssh-keyscan.c] default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by larsnooden AT openoffice.org + - pyr@cvs.openbsd.org 2008/05/07 05:49:37 + [servconf.c servconf.h session.c sshd_config.5] + Enable the AllowAgentForwarding option in sshd_config (global and match + context), to specify if agents should be permitted on the server. + As the man page states: + ``Note that disabling Agent forwarding does not improve security + unless users are also denied shell access, as they can always install + their own forwarders.'' + ok djm@, ok and a mild frown markus@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3903,4 +3912,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $ +$Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $ diff --git a/servconf.c b/servconf.c index 9add96ca1..e6d49099b 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options) options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; + options->allow_agent_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; + if (options->allow_agent_forwarding == -1) + options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -293,7 +296,7 @@ typedef enum { sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, + sUsePrivilegeSeparation, sAllowAgentForwarding, sDeprecated, sUnsupported } ServerOpCodes; @@ -379,6 +382,7 @@ static struct { { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, @@ -1005,6 +1009,10 @@ parse_flag: intptr = &options->allow_tcp_forwarding; goto parse_flag; + case sAllowAgentForwarding: + intptr = &options->allow_agent_forwarding; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; @@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(permit_root_login); M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(allow_agent_forwarding); M_CP_INTOPT(gateway_ports); M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); diff --git a/servconf.h b/servconf.h index 5b88067db..aaf87cd18 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -101,6 +101,7 @@ typedef struct { int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; + int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } diff --git a/sshd_config.5 b/sshd_config.5 index 6edaa9260..b93c801e3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ -.Dd $Mdocdate: April 5 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ +.Dd $Mdocdate: May 7 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -114,6 +114,15 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Dq yes . +Note that disabling Agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is |