[ssh-keyscan.1 ssh-keyscan.c]
default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
larsnooden AT openoffice.org
+ - pyr@cvs.openbsd.org 2008/05/07 05:49:37
+ [servconf.c servconf.h session.c sshd_config.5]
+ Enable the AllowAgentForwarding option in sshd_config (global and match
+ context), to specify if agents should be permitted on the server.
+ As the man page states:
+ ``Note that disabling Agent forwarding does not improve security
+ unless users are also denied shell access, as they can always install
+ their own forwarders.''
+ ok djm@, ok and a mild frown markus@
20080403
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
-/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
+ options->allow_agent_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
+ if (options->allow_agent_forwarding == -1)
+ options->allow_agent_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->max_startups == -1)
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+ { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
intptr = &options->allow_tcp_forwarding;
goto parse_flag;
+ case sAllowAgentForwarding:
+ intptr = &options->allow_agent_forwarding;
+ goto parse_flag;
+
case sUsePrivilegeSeparation:
intptr = &use_privsep;
goto parse_flag;
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(allow_tcp_forwarding);
+ M_CP_INTOPT(allow_agent_forwarding);
M_CP_INTOPT(gateway_ports);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
-/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */
+/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
break;
case SSH_CMSG_AGENT_REQUEST_FORWARDING:
- if (no_agent_forwarding_flag || compat13) {
+ if (!options.allow_agent_forwarding ||
+ no_agent_forwarding_flag || compat13) {
debug("Authentication agent forwarding not permitted for this authentication.");
break;
}
{
static int called = 0;
packet_check_eom();
- if (no_agent_forwarding_flag) {
+ if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
debug("session_auth_agent_req: no_agent_forwarding_flag");
return 0;
}
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
in
.Xr ssh_config 5
for more information on patterns.
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling Agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is