authorDamien Miller <djm@cvs.openbsd.org>2024-09-15 01:09:41 +0000
committerDamien Miller <djm@cvs.openbsd.org>2024-09-15 01:09:41 +0000
commitbc9fad6393e1196554845308976618994d1fd873 (patch)
tree05ebdcac75ec85ef0fb4364563ef4019e3dcb716 /usr.bin/ssh
parent39e7d340efe643dee20e08675bdaa90b10f8930d (diff)
Add a sshd_config "RefuseConnection" option
If set, this will terminate the connection at the first authentication request (this is the earliest we can evaluate sshd_config Match blocks) ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/monitor.c12
-rw-r--r--usr.bin/ssh/servconf.c15
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/srclimit.h1
-rw-r--r--usr.bin/ssh/sshd_config.512
5 files changed, 38 insertions, 6 deletions
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index be2981eca99..6d34e7240f7 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -81,6 +81,7 @@
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "srclimit.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@@ -723,6 +724,15 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
+ if (options.refuse_connection) {
+ logit("administratively prohibited connection for "
+ "%s%s from %.128s port %d",
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user, ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh));
+ cleanup_exit(EXIT_CONFIG_REFUSED);
+ }
+
/* Send active options to unpriv */
mm_encode_server_options(m);
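Review bot: The new `if (options.refuse_connection)` block carries no comment explaining why the refusal is evaluated here of all places, even though the placement is the whole point of the option: by this line the per-connection Match blocks have already been applied to `options` (the commit message calls this the earliest such point), so a RefuseConnection set inside a Match block is only visible from here on. A one-line comment above the check, `/* Match blocks have been applied; earliest point a matched RefuseConnection can be honoured. */`, would keep that reasoning next to the code for the next person who is tempted to move it earlier. It is also worth noting in that comment that the refusal deliberately happens in the privileged monitor via cleanup_exit(EXIT_CONFIG_REFUSED) after the user lookup and log preamble on the lines above, so the logged line identifies the user, the valid/invalid outcome and the peer address before the connection is dropped. mm_answer_pwnamallow begins and ends outside this hunk.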
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 1ee0abb4067..e9dc37454e6 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.414 2024/09/15 00:58:01 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -190,6 +190,7 @@ initialize_server_options(ServerOptions *options)
options->num_channel_timeouts = 0;
options->unused_connection_timeout = -1;
options->sshd_session_path = NULL;
+ options->refuse_connection = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -457,6 +458,8 @@ fill_default_server_options(ServerOptions *options)
options->unused_connection_timeout = 0;
if (options->sshd_session_path == NULL)
options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+ if (options->refuse_connection == -1)
+ options->refuse_connection = 0;
assemble_algorithms(options);
@@ -536,7 +539,7 @@ typedef enum {
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
- sSshdSessionPath,
+ sSshdSessionPath, sRefuseConnection,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -686,6 +689,7 @@ static struct {
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -2575,6 +2579,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
charptr = &options->sshd_session_path;
goto parse_filename;
+ case sRefuseConnection:
+ intptr = &options->refuse_connection;
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2790,6 +2799,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(log_level);
M_CP_INTOPT(required_rsa_size);
M_CP_INTOPT(unused_connection_timeout);
+ M_CP_INTOPT(refuse_connection);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -3112,6 +3122,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 442dacdcdf5..69dfccfc4ca 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -245,6 +245,8 @@ typedef struct {
int unused_connection_timeout;
char *sshd_session_path;
+
+ int refuse_connection;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/usr.bin/ssh/srclimit.h b/usr.bin/ssh/srclimit.h
index 74a6f2b836d..13164515b32 100644
--- a/usr.bin/ssh/srclimit.h
+++ b/usr.bin/ssh/srclimit.h
@@ -32,6 +32,7 @@ void srclimit_done(int);
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
#define EXIT_CHILD_CRASH 4 /* preauth child crashed */
#define EXIT_AUTH_ATTEMPTED 5 /* at least one auth attempt made */
+#define EXIT_CONFIG_REFUSED 6 /* sshd_config RefuseConnection */
void srclimit_penalise(struct xaddr *, int);
int srclimit_penalty_check_allow(int, const char **);
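Review bot: EXIT_CONFIG_REFUSED is defined with value 6 but nothing in this diff consumes it: the diffstat lists only monitor.c, servconf.[ch], srclimit.h and sshd_config.5, so whatever code maps a session's exit status onto a PerSourcePenalties penalty (presumably near srclimit_penalise, outside this change) has not been told about the new status, even though its neighbours EXIT_LOGIN_GRACE, EXIT_CHILD_CRASH and EXIT_AUTH_ATTEMPTED appear to exist for exactly that purpose. Unless that mapping already handles unknown statuses deliberately, a connection dropped by RefuseConnection may be penalised like a crash, or not at all, and neither the define's comment nor sshd_config.5 says which is intended. I would state the intended penalty behaviour in the comment, for example `#define EXIT_CONFIG_REFUSED 6 /* sshd_config RefuseConnection; see srclimit_penalise() */`, and add the corresponding case in the penalty mapping in the same change so the two cannot drift apart.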
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 41675a1238c..42131f6b332 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
-.Dd $Mdocdate: September 9 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1325,6 +1325,7 @@ Available keywords are
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
+.Cm RefuseConnection ,
.Cm RevokedKeys ,
.Cm RDomain ,
.Cm SetEnv ,
@@ -1754,6 +1755,13 @@ options have any effect for other, non-FIDO, public key types.
Specifies whether public key authentication is allowed.
The default is
.Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+This option is only really useful in a
+.Cm Match
+block.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum