- djm@cvs.openbsd.org 2008/03/25 23:01:41
[session.c]
last patch had backwards test; spotted by termim AT gmail.com
+ - djm@cvs.openbsd.org 2008/03/26 21:28:14
+ [auth-options.c auth-options.h session.c sshd.8]
+ add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
20080315
- (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
-/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
int no_agent_forwarding_flag = 0;
int no_x11_forwarding_flag = 0;
int no_pty_flag = 0;
+int no_user_rc = 0;
/* "command=" option. */
char *forced_command = NULL;
no_port_forwarding_flag = 0;
no_pty_flag = 0;
no_x11_forwarding_flag = 0;
+ no_user_rc = 0;
while (custom_environment) {
struct envstring *ce = custom_environment;
custom_environment = ce->next;
opts += strlen(cp);
goto next_option;
}
+ cp = "no-user-rc";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ auth_debug_add("User rc file execution disabled.");
+ no_user_rc = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
cp = "command=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
-/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
extern int no_agent_forwarding_flag;
extern int no_x11_forwarding_flag;
extern int no_pty_flag;
+extern int no_user_rc;
extern char *forced_command;
extern struct envstring *custom_environment;
extern int forced_tun_device;
-/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */
+/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
if (!s->is_subsystem && options.adm_forced_command == NULL &&
- (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag)
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $
.Dd $Mdocdate$
.Dt SSHD 8
.Os
option.
.It Cm no-pty
Prevents tty allocation (a request to allocate a pty will fail).
+.It Cm no-user-rc
+Disables execution of
+.Pa ~/.ssh/rc .
.It Cm no-X11-forwarding
Forbids X11 forwarding when this key is used for authentication.
Any X11 forward requests by the client will return an error.