diff options
| author | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2008-05-07 05:49:38 +0000 |
|---|---|---|
| committer | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2008-05-07 05:49:38 +0000 |
| commit | 8370a3080477e7b676b11cf6420090354ccc2e6a (patch) | |
| tree | 49dc4f9d730cf10dcdf9adfa9b02a8a8c6340d14 /usr.bin/ssh/session.c | |
| parent | 65a24792bc9ddbf77a4e57b878d5ef077e00c636 (diff) | |
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
Diffstat (limited to 'usr.bin/ssh/session.c')
| -rw-r--r-- | usr.bin/ssh/session.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index fb078f361bc..5a874043187 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -322,7 +322,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -1634,7 +1635,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } |