- pyr@cvs.openbsd.org 2008/05/07 05:49:37

[servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@

ChangeLog

@@ -43,6 +43,15 @@
      [ssh-keyscan.1 ssh-keyscan.c]
      default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
      larsnooden AT openoffice.org
+   - pyr@cvs.openbsd.org 2008/05/07 05:49:37
+     [servconf.c servconf.h session.c sshd_config.5]
+     Enable the AllowAgentForwarding option in sshd_config (global and match
+     context), to specify if agents should be permitted on the server.
+     As the man page states:
+     ``Note that disabling Agent forwarding does not improve security
+     unless users are also denied shell access, as they can always install
+     their own forwarders.''
+     ok djm@, ok and a mild frown markus@
 
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@@ -3903,4 +3912,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $
+$Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $

servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options)
 	options->use_login = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
+	options->allow_agent_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
 		options->compression = COMP_DELAYED;
 	if (options->allow_tcp_forwarding == -1)
 		options->allow_tcp_forwarding = 1;
+	if (options->allow_agent_forwarding == -1)
+		options->allow_agent_forwarding = 1;
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
@@ -293,7 +296,7 @@ typedef enum {
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-	sUsePrivilegeSeparation,
+	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -379,6 +382,7 @@ static struct {
 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
@@ -1005,6 +1009,10 @@ parse_flag:
 		intptr = &options->allow_tcp_forwarding;
 		goto parse_flag;
 
+	case sAllowAgentForwarding:
+		intptr = &options->allow_agent_forwarding;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		goto parse_flag;
@@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(permit_root_login);
 
 	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(allow_agent_forwarding);
 	M_CP_INTOPT(gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);

servconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -101,6 +101,7 @@ typedef struct {
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */
 	int	allow_tcp_forwarding;
+	int	allow_agent_forwarding;
 	u_int num_allow_users;
 	char   *allow_users[MAX_ALLOW_USERS];
 	u_int num_deny_users;

session.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt)
 			break;
 
 		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
-			if (no_agent_forwarding_flag || compat13) {
+			if (!options.allow_agent_forwarding ||
+			    no_agent_forwarding_flag || compat13) {
 				debug("Authentication agent forwarding not permitted for this authentication.");
 				break;
 			}
@@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s)
 {
 	static int called = 0;
 	packet_check_eom();
-	if (no_agent_forwarding_flag) {
+	if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
 		debug("session_auth_agent_req: no_agent_forwarding_flag");
 		return 0;
 	}

sshd_config.5

@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $
-.Dd $Mdocdate: April 5 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $
+.Dd $Mdocdate: May 7 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -114,6 +114,15 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling Agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
 The default is