summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorPierre-Yves Ritschard <pyr@cvs.openbsd.org>2008-05-07 05:49:38 +0000
committerPierre-Yves Ritschard <pyr@cvs.openbsd.org>2008-05-07 05:49:38 +0000
commit8370a3080477e7b676b11cf6420090354ccc2e6a (patch)
tree49dc4f9d730cf10dcdf9adfa9b02a8a8c6340d14 /usr.bin
parent65a24792bc9ddbf77a4e57b878d5ef077e00c636 (diff)
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/servconf.c13
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/session.c7
-rw-r--r--usr.bin/ssh/sshd_config.513
4 files changed, 28 insertions, 8 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 899aa30c603..cf428681382 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
+ options->allow_agent_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
@@ -211,6 +212,8 @@ fill_default_server_options(ServerOptions *options)
options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
+ if (options->allow_agent_forwarding == -1)
+ options->allow_agent_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->max_startups == -1)
@@ -268,7 +271,7 @@ typedef enum {
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -342,6 +345,7 @@ static struct {
{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+ { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
@@ -962,6 +966,10 @@ parse_flag:
intptr = &options->allow_tcp_forwarding;
goto parse_flag;
+ case sAllowAgentForwarding:
+ intptr = &options->allow_agent_forwarding;
+ goto parse_flag;
+
case sUsePrivilegeSeparation:
intptr = &use_privsep;
goto parse_flag;
@@ -1325,6 +1333,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(allow_tcp_forwarding);
+ M_CP_INTOPT(allow_agent_forwarding);
M_CP_INTOPT(gateway_ports);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index ae07cb81e39..fbb1bcff625 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -101,6 +101,7 @@ typedef struct {
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
int allow_tcp_forwarding;
+ int allow_agent_forwarding;
u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
u_int num_deny_users;
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index fb078f361bc..5a874043187 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -322,7 +322,8 @@ do_authenticated1(Authctxt *authctxt)
break;
case SSH_CMSG_AGENT_REQUEST_FORWARDING:
- if (no_agent_forwarding_flag || compat13) {
+ if (!options.allow_agent_forwarding ||
+ no_agent_forwarding_flag || compat13) {
debug("Authentication agent forwarding not permitted for this authentication.");
break;
}
@@ -1634,7 +1635,7 @@ session_auth_agent_req(Session *s)
{
static int called = 0;
packet_check_eom();
- if (no_agent_forwarding_flag) {
+ if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
debug("session_auth_agent_req: no_agent_forwarding_flag");
return 0;
}
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 643f5494686..1f95a717115 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $
-.Dd $Mdocdate: April 5 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $
+.Dd $Mdocdate: May 7 2008 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -114,6 +114,15 @@ See
in
.Xr ssh_config 5
for more information on patterns.
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling Agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is