- djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5] Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160; ok markus@
This commit is contained in:
parent
602943d117
commit
72e6b5c9ed
|
@ -15,6 +15,11 @@
|
|||
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
|
||||
GatewayPorts=no; allows client to choose address family;
|
||||
bz#2222 ok markus@
|
||||
- djm@cvs.openbsd.org 2014/07/03 22:40:43
|
||||
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
|
||||
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
|
||||
executed, mirroring the no-user-rc authorized_keys option;
|
||||
bz#2160; ok markus@
|
||||
|
||||
20140703
|
||||
- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
|
||||
|
|
14
servconf.c
14
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.250 2014/07/03 22:40:43 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->x11_display_offset = -1;
|
||||
options->x11_use_localhost = -1;
|
||||
options->permit_tty = -1;
|
||||
options->permit_user_rc = -1;
|
||||
options->xauth_location = NULL;
|
||||
options->strict_modes = -1;
|
||||
options->tcp_keep_alive = -1;
|
||||
|
@ -216,6 +217,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->xauth_location = _PATH_XAUTH;
|
||||
if (options->permit_tty == -1)
|
||||
options->permit_tty = 1;
|
||||
if (options->permit_user_rc == -1)
|
||||
options->permit_user_rc = 1;
|
||||
if (options->strict_modes == -1)
|
||||
options->strict_modes = 1;
|
||||
if (options->tcp_keep_alive == -1)
|
||||
|
@ -347,7 +350,7 @@ typedef enum {
|
|||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
|
@ -460,6 +463,7 @@ static struct {
|
|||
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
|
||||
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
|
||||
{ "permittty", sPermitTTY, SSHCFG_ALL },
|
||||
{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
|
||||
{ "match", sMatch, SSHCFG_ALL },
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
|
@ -1130,6 +1134,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
intptr = &options->permit_tty;
|
||||
goto parse_flag;
|
||||
|
||||
case sPermitUserRC:
|
||||
intptr = &options->permit_user_rc;
|
||||
goto parse_flag;
|
||||
|
||||
case sStrictModes:
|
||||
intptr = &options->strict_modes;
|
||||
goto parse_flag;
|
||||
|
@ -1766,6 +1774,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
|||
M_CP_INTOPT(x11_forwarding);
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(permit_tty);
|
||||
M_CP_INTOPT(permit_user_rc);
|
||||
M_CP_INTOPT(max_sessions);
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
|
@ -2007,6 +2016,7 @@ dump_config(ServerOptions *o)
|
|||
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
|
||||
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
|
||||
dump_cfg_fmtint(sPermitTTY, o->permit_tty);
|
||||
dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
|
||||
dump_cfg_fmtint(sStrictModes, o->strict_modes);
|
||||
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
|
||||
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.113 2014/07/03 22:40:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -83,6 +83,7 @@ typedef struct {
|
|||
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
||||
char *xauth_location; /* Location of xauth program */
|
||||
int permit_tty; /* If false, deny pty allocation */
|
||||
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
||||
int strict_modes; /* If true, require string home dir modes. */
|
||||
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
||||
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.272 2014/07/03 03:34:09 djm Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -1359,7 +1359,8 @@ do_rc_files(Session *s, const char *shell)
|
|||
|
||||
/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
|
||||
if (!s->is_subsystem && options.adm_forced_command == NULL &&
|
||||
!no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) {
|
||||
!no_user_rc && options.permit_user_rc &&
|
||||
stat(_PATH_SSH_USER_RC, &st) >= 0) {
|
||||
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
|
||||
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
|
||||
if (debug_flag)
|
||||
|
|
9
sshd.8
9
sshd.8
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.275 2014/04/19 18:15:16 tedu Exp $
|
||||
.Dd $Mdocdate: April 19 2014 $
|
||||
.\" $OpenBSD: sshd.8,v 1.276 2014/07/03 22:40:43 djm Exp $
|
||||
.Dd $Mdocdate: July 3 2014 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -408,7 +408,10 @@ Changes to user's home directory.
|
|||
.It
|
||||
If
|
||||
.Pa ~/.ssh/rc
|
||||
exists, runs it; else if
|
||||
exists and the
|
||||
.Xr sshd_config 5
|
||||
.Cm PermitUserRC
|
||||
option is set, runs it; else if
|
||||
.Pa /etc/ssh/sshrc
|
||||
exists, runs
|
||||
it; otherwise runs xauth.
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
|
||||
.Dd $Mdocdate: March 28 2014 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $
|
||||
.Dd $Mdocdate: July 3 2014 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -912,6 +912,7 @@ Available keywords are
|
|||
.Cm PermitRootLogin ,
|
||||
.Cm PermitTTY ,
|
||||
.Cm PermitTunnel ,
|
||||
.Cm PermitUserRC ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RekeyLimit ,
|
||||
.Cm RhostsRSAAuthentication ,
|
||||
|
@ -1060,6 +1061,12 @@ The default is
|
|||
Enabling environment processing may enable users to bypass access
|
||||
restrictions in some configurations using mechanisms such as
|
||||
.Ev LD_PRELOAD .
|
||||
.It Cm PermitUserRC
|
||||
Specifies whether any
|
||||
.Pa ~/.ssh/rc
|
||||
file is executed.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm PidFile
|
||||
Specifies the file that contains the process ID of the
|
||||
SSH daemon.
|
||||
|
|
Loading…
Reference in New Issue