diff options
author | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2008-05-07 05:49:38 +0000 |
---|---|---|
committer | Pierre-Yves Ritschard <pyr@cvs.openbsd.org> | 2008-05-07 05:49:38 +0000 |
commit | 8370a3080477e7b676b11cf6420090354ccc2e6a (patch) | |
tree | 49dc4f9d730cf10dcdf9adfa9b02a8a8c6340d14 /usr.bin | |
parent | 65a24792bc9ddbf77a4e57b878d5ef077e00c636 (diff) |
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/servconf.c | 13 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/session.c | 7 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 13 |
4 files changed, 28 insertions, 8 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 899aa30c603..cf428681382 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options) options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; + options->allow_agent_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -211,6 +212,8 @@ fill_default_server_options(ServerOptions *options) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; + if (options->allow_agent_forwarding == -1) + options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -268,7 +271,7 @@ typedef enum { sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, + sUsePrivilegeSeparation, sAllowAgentForwarding, sDeprecated, sUnsupported } ServerOpCodes; @@ -342,6 +345,7 @@ static struct { { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, @@ -962,6 +966,10 @@ parse_flag: intptr = &options->allow_tcp_forwarding; goto parse_flag; + case sAllowAgentForwarding: + intptr = &options->allow_agent_forwarding; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; @@ -1325,6 +1333,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(permit_root_login); M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(allow_agent_forwarding); M_CP_INTOPT(gateway_ports); M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index ae07cb81e39..fbb1bcff625 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -101,6 +101,7 @@ typedef struct { int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; + int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index fb078f361bc..5a874043187 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -322,7 +322,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -1634,7 +1635,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 643f5494686..1f95a717115 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ -.Dd $Mdocdate: April 5 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ +.Dd $Mdocdate: May 7 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -114,6 +114,15 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Dq yes . +Note that disabling Agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is |