diff options
| author |   djm <djm@openbsd.org> | 2016-11-30 03:00:05 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2016-11-30 03:00:05 +0000 |
| commit | bba1ec4c1e326f67b2ff84f542d993f520876a57 (patch) | |
| tree | 65bb07513f7119074cb5427ff19aad4398768069 /usr.bin/ssh/serverloop.c | |
| parent | When a forced-command appears in both a certificate and an (diff) | |
| download | wireguard-openbsd-bba1ec4c1e326f67b2ff84f542d993f520876a57.tar.xz wireguard-openbsd-bba1ec4c1e326f67b2ff84f542d993f520876a57.zip | |
Add a sshd_config DisableForwaring option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Diffstat (limited to 'usr.bin/ssh/serverloop.c')
| -rw-r--r-- | usr.bin/ssh/serverloop.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index 15d7d400265..679ad13c044 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.188 2016/11/30 03:00:05 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -440,7 +440,7 @@ server_request_direct_tcpip(void) /* XXX fine grained permissions */ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && - !no_port_forwarding_flag) { + !no_port_forwarding_flag && !options.disable_forwarding) { c = channel_connect_to_port(target, target_port, "direct-tcpip", "direct-tcpip"); } else { @@ -472,7 +472,7 @@ server_request_direct_streamlocal(void) /* XXX fine grained permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && - !no_port_forwarding_flag) { + !no_port_forwarding_flag && !options.disable_forwarding) { c = channel_connect_to_path(target, "direct-streamlocal@openssh.com", "direct-streamlocal"); } else { @@ -710,7 +710,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) /* check permissions */ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || - no_port_forwarding_flag || + no_port_forwarding_flag || options.disable_forwarding || (!want_reply && fwd.listen_port == 0) || (fwd.listen_port != 0 && !bind_permitted(fwd.listen_port, pw->pw_uid))) { @@ -748,7 +748,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) /* check permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 - || no_port_forwarding_flag) { + || no_port_forwarding_flag || options.disable_forwarding) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { |