tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2013/10/29 09:48:02 

[servconf.c servconf.h session.c sshd_config sshd_config.5]
     shd_config PermitTTY to disallow TTY allocation, mirroring the
     longstanding no-pty authorized_keys option;
     bz#2070, patch from Teran McKinney; ok markus@
This commit is contained in:
Damien Miller 2013-10-30 22:21:50 +11:00
parent 4a3a9d4bbf
commit 5ff30c6b68
6 changed files with 33 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -4,6 +4,11 @@
[key.c key.h] [key.c key.h]
fix potential stack exhaustion caused by nested certificates; fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@ report by Mateusz Kocielski; ok dtucker@ markus@
- djm@cvs.openbsd.org 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
20131026 20131026
- (djm) OpenBSD CVS Sync - (djm) OpenBSD CVS Sync

14
servconf.c
View File

@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */ /* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
options->x11_forwarding = -1; options->x11_forwarding = -1;
options->x11_display_offset = -1; options->x11_display_offset = -1;
options->x11_use_localhost = -1; options->x11_use_localhost = -1;
options->permit_tty = -1;
options->xauth_location = NULL; options->xauth_location = NULL;
options->strict_modes = -1; options->strict_modes = -1;
options->tcp_keep_alive = -1; options->tcp_keep_alive = -1;
@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
options->x11_use_localhost = 1; options->x11_use_localhost = 1;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH; options->xauth_location = _PATH_XAUTH;
if (options->permit_tty == -1)
options->permit_tty = 1;
if (options->strict_modes == -1) if (options->strict_modes == -1)
options->strict_modes = 1; options->strict_modes = 1;
if (options->tcp_keep_alive == -1) if (options->tcp_keep_alive == -1)
@ -329,7 +332,7 @@ typedef enum {
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@ -462,6 +465,7 @@ static struct {
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL }, { "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL }, { "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "permittty", sPermitTTY, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL },
@ -1132,6 +1136,10 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = &options->xauth_location; charptr = &options->xauth_location;
goto parse_filename; goto parse_filename;
case sPermitTTY:
intptr = &options->permit_tty;
goto parse_flag;
case sStrictModes: case sStrictModes:
intptr = &options->strict_modes; intptr = &options->strict_modes;
goto parse_flag; goto parse_flag;
@ -1783,6 +1791,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty);
M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
@ -2013,6 +2022,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
dump_cfg_fmtint(sPermitTTY, o->permit_tty);
dump_cfg_fmtint(sStrictModes, o->strict_modes); dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);

3
servconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */ /* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -82,6 +82,7 @@ typedef struct {
* searching at */ * searching at */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */ char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */
int strict_modes; /* If true, require string home dir modes. */ int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */

4
session.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */ /* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -2062,7 +2062,7 @@ session_pty_req(Session *s)
u_int len; u_int len;
int n_bytes; int n_bytes;
if (no_pty_flag) { if (no_pty_flag || !options.permit_tty) {
debug("Allocating a pty not permitted for this authentication."); debug("Allocating a pty not permitted for this authentication.");
return 0; return 0;
} }

4
sshd_config
View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $ # $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -101,6 +101,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#X11Forwarding no #X11Forwarding no
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes #PrintMotd yes
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
@ -127,4 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
#Match User anoncvs #Match User anoncvs
# X11Forwarding no # X11Forwarding no
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server

11
sshd_config.5
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $ .\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $
.Dd $Mdocdate: October 24 2013 $ .Dd $Mdocdate: October 29 2013 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -813,6 +813,7 @@ Available keywords are
.Cm PermitEmptyPasswords , .Cm PermitEmptyPasswords ,
.Cm PermitOpen , .Cm PermitOpen ,
.Cm PermitRootLogin , .Cm PermitRootLogin ,
.Cm PermitTTY ,
.Cm PermitTunnel , .Cm PermitTunnel ,
.Cm PubkeyAuthentication , .Cm PubkeyAuthentication ,
.Cm RekeyLimit , .Cm RekeyLimit ,
@ -942,6 +943,12 @@ and
.Dq ethernet . .Dq ethernet .
The default is The default is
.Dq no . .Dq no .
.It Cm PermitTTY
Specifies whether
.Xr pty 7
allocation is permitted.
The default is
.Dq yes .
.It Cm PermitUserEnvironment .It Cm PermitUserEnvironment
Specifies whether Specifies whether
.Pa ~/.ssh/environment .Pa ~/.ssh/environment