diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2022-11-28 01:37:37 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2022-11-28 01:37:37 +0000 |
| commit | 4225e0f8d8454dfc323072768024be4c765f88ee (patch) | |
| tree | 47596d85c88410a3720d7883a3bb19dd96e072b7 /usr.bin/ssh/clientloop.c | |
| parent | b57ff6540bca63a465dbf4b757bd22c5f1cebf23 (diff) | |
New EnableEscapeCommandline ssh_config(5) option
This option (default "no") controls whether the ~C escape is available.
Turning it off by default means we will soon be able to use a stricter
default pledge(2) in the client.
feedback deraadt@ dtucker@; tested in snaps for a while
Diffstat (limited to 'usr.bin/ssh/clientloop.c')
| -rw-r--r-- | usr.bin/ssh/clientloop.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c index 1c2da07f909..d17e3aa1c73 100644 --- a/usr.bin/ssh/clientloop.c +++ b/usr.bin/ssh/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.383 2022/11/28 01:37:36 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -878,6 +878,7 @@ out: #define SUPPRESS_MUXCLIENT 1 /* don't show in mux client sessions */ #define SUPPRESS_MUXMASTER 2 /* don't show in mux master sessions */ #define SUPPRESS_SYSLOG 4 /* don't show when logging to syslog */ +#define SUPPRESS_NOCMDLINE 8 /* don't show when cmdline disabled*/ struct escape_help_text { const char *cmd; const char *text; @@ -888,7 +889,7 @@ static struct escape_help_text esc_txt[] = { {".", "terminate connection (and any multiplexed sessions)", SUPPRESS_MUXCLIENT}, {"B", "send a BREAK to the remote system", SUPPRESS_NEVER}, - {"C", "open a command line", SUPPRESS_MUXCLIENT}, + {"C", "open a command line", SUPPRESS_MUXCLIENT|SUPPRESS_NOCMDLINE}, {"R", "request rekey", SUPPRESS_NEVER}, {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, @@ -912,7 +913,8 @@ print_escape_help(struct sshbuf *b, int escape_char, int mux_client, suppress_flags = (mux_client ? SUPPRESS_MUXCLIENT : 0) | (mux_client ? 0 : SUPPRESS_MUXMASTER) | - (using_stderr ? 0 : SUPPRESS_SYSLOG); + (using_stderr ? 0 : SUPPRESS_SYSLOG) | + (options.enable_escape_commandline == 0 ? SUPPRESS_NOCMDLINE : 0); for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { if (esc_txt[i].flags & suppress_flags) @@ -1106,6 +1108,12 @@ process_escapes(struct ssh *ssh, Channel *c, case 'C': if (c && c->ctl_chan != -1) goto noescape; + if (options.enable_escape_commandline == 0) { + if ((r = sshbuf_putf(berr, + "commandline disabled\r\n")) != 0) + fatal_fr(r, "sshbuf_putf"); + continue; + } process_cmdline(ssh); continue; |