From 47f20256edbcc4caaf925df4e8e772e6412e93f7 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Wed, 26 Mar 2008 21:28:15 +0000
Subject: add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
---
 usr.bin/ssh/auth-options.c | 11 ++++++++++-
 usr.bin/ssh/auth-options.h | 3 ++-
 usr.bin/ssh/session.c | 4 ++--
 usr.bin/ssh/sshd.8 | 7 +++++--
 4 files changed, 19 insertions(+), 6 deletions(-)
(limited to 'usr.bin/ssh')
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
index a2fbed9d308..b921aff2aab 100644
--- a/usr.bin/ssh/auth-options.c
+++ b/usr.bin/ssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -40,6 +40,7 @@ int no_port_forwarding_flag = 0;
 int no_agent_forwarding_flag = 0;
 int no_x11_forwarding_flag = 0;
 int no_pty_flag = 0;
+int no_user_rc = 0;
 
 /* "command=" option. */
 char *forced_command = NULL;
@@ -59,6 +60,7 @@ auth_clear_options(void)
 no_port_forwarding_flag = 0;
 no_pty_flag = 0;
 no_x11_forwarding_flag = 0;
+ no_user_rc = 0;
 while (custom_environment) {
 struct envstring *ce = custom_environment;
 custom_environment = ce->next;
@@ -119,6 +121,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 opts += strlen(cp);
 goto next_option;
 }
+ cp = "no-user-rc";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ auth_debug_add("User rc file execution disabled.");
+ no_user_rc = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
 cp = "command=\"";
 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 opts += strlen(cp);
diff --git a/usr.bin/ssh/auth-options.h b/usr.bin/ssh/auth-options.h
index 853f8b517c1..14488f72d8d 100644
--- a/usr.bin/ssh/auth-options.h
+++ b/usr.bin/ssh/auth-options.h
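Review bot: The new global `int no_user_rc = 0;` in the @@ -40 hunk breaks the naming convention of its neighbours, which all carry a `_flag` suffix (`no_port_forwarding_flag`, `no_agent_forwarding_flag`, `no_x11_forwarding_flag`, `no_pty_flag`); `int no_user_rc_flag = 0;` would read consistently with them, with the same rename applied in the @@ -59 reset in auth_clear_options, the @@ -119 parser branch, the `extern` in auth-options.h and the test in session.c. It is also the only variable of the group whose effect is not obvious from its name, so a one-line comment such as `/* "no-user-rc": skip ~/.ssh/rc in do_rc_files() */` would help regardless of the rename. The parser branch in the @@ -119 hunk mirrors the existing options exactly (prefix match, debug message, flag set, advance, `goto next_option`), and the reset in auth_clear_options means the value cannot carry over into the next key's parse, as far as these hunks show.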
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen
@@ -26,6 +26,7 @@ extern int no_port_forwarding_flag;
 extern int no_agent_forwarding_flag;
 extern int no_x11_forwarding_flag;
 extern int no_pty_flag;
+extern int no_user_rc;
 extern char *forced_command;
 extern struct envstring *custom_environment;
 extern int forced_tun_device;
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index c2efa553cd5..4a2ea9f0a9f 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */
+/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
  * All rights reserved
@@ -880,7 +880,7 @@ do_rc_files(Session *s, const char *shell)
 
 /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
 if (!s->is_subsystem && options.adm_forced_command == NULL &&
- (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
 shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
 if (debug_flag)
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index bb8df5a2e38..0231b311783 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $
-.Dd $Mdocdate: February 11 2008 $
+.\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $
+.Dd $Mdocdate: March 26 2008 $
 .Dt SSHD 8
 .Os
 .Sh NAME
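Review bot: The context comment `/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */` directly above the changed condition in the session.c @@ -880 hunk is now incomplete, because the condition gained a third reason to skip the user rc file, `!no_user_rc`; update it to `/* ignore _PATH_SSH_USER_RC for subsystems, admin forced commands and keys carrying the no-user-rc option */`. Placing `!no_user_rc` before the `stat()` call is the right order, since short-circuit evaluation then skips the filesystem probe entirely for keys that have opted out. Within this condition only `options.adm_forced_command` (the server-side forced command) is consulted, not the per-key `forced_command` that auth-options.c fills from `command=`, so a `command=` restriction in authorized_keys does not by itself appear to suppress `~/.ssh/rc`; administrators who rely on `command=` to confine a key will want `no-user-rc` alongside it, and the new sshd.8 entry could say so. The rest of do_rc_files, including what runs when this condition is false, is outside the hunk.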
@@ -504,6 +504,9 @@ This might be used, e.g. in connection with the
 option.
 .It Cm no-pty
 Prevents tty allocation (a request to allocate a pty will fail).
+.It Cm no-user-rc
+Disables execution of
+.Pa ~/.ssh/rc .
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
--
cgit v1.2.3