-rw-r--r-- | clientloop.c | 14 | ||||
-rw-r--r-- | readconf.c | 12 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | ssh.1 | 5 | ||||
-rw-r--r-- | ssh_config.5 | 10 |
5 files changed, 35 insertions, 9 deletions
diff --git a/clientloop.c b/clientloop.c index 02349ccb..3cc185b6 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.383 2022/11/28 01:37:36 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -887,6 +887,7 @@ out: #define SUPPRESS_MUXCLIENT 1 /* don't show in mux client sessions */ #define SUPPRESS_MUXMASTER 2 /* don't show in mux master sessions */ #define SUPPRESS_SYSLOG 4 /* don't show when logging to syslog */ +#define SUPPRESS_NOCMDLINE 8 /* don't show when cmdline disabled*/ struct escape_help_text { const char *cmd; const char *text; @@ -897,7 +898,7 @@ static struct escape_help_text esc_txt[] = { {".", "terminate connection (and any multiplexed sessions)", SUPPRESS_MUXCLIENT}, {"B", "send a BREAK to the remote system", SUPPRESS_NEVER}, - {"C", "open a command line", SUPPRESS_MUXCLIENT}, + {"C", "open a command line", SUPPRESS_MUXCLIENT|SUPPRESS_NOCMDLINE}, {"R", "request rekey", SUPPRESS_NEVER}, {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, @@ -921,7 +922,8 @@ print_escape_help(struct sshbuf *b, int escape_char, int mux_client, suppress_flags = (mux_client ? SUPPRESS_MUXCLIENT : 0) | (mux_client ? 0 : SUPPRESS_MUXMASTER) | - (using_stderr ? 0 : SUPPRESS_SYSLOG); + (using_stderr ? 0 : SUPPRESS_SYSLOG) | + (options.enable_escape_commandline == 0 ? SUPPRESS_NOCMDLINE : 0); for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { if (esc_txt[i].flags & suppress_flags) @@ -1115,6 +1117,12 @@ process_escapes(struct ssh *ssh, Channel *c, case 'C': if (c && c->ctl_chan != -1) goto noescape; + if (options.enable_escape_commandline == 0) { + if ((r = sshbuf_putf(berr, + "commandline disabled\r\n")) != 0) + fatal_fr(r, "sshbuf_putf"); + continue; + } process_cmdline(ssh); continue; 
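Review bot: The new term in print_escape_help's `suppress_flags` tests `options.enable_escape_commandline == 0`, which treats every non-zero value as enabled, including the -1 that initialize_options assigns before defaults are filled. The same comparison guards `case 'C'` in the process_escapes hunk. Whether either path can run before fill_default_options is not visible here, but testing for the enabled value fails closed at no cost: `(options.enable_escape_commandline == 1 ? 0 : SUPPRESS_NOCMDLINE)` and `if (options.enable_escape_commandline != 1) {`. Both functions continue outside their hunks.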
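Review bot: The refusal text in the new `case 'C'` branch of process_escapes, `commandline disabled`, does not name the setting that controls it, so a user whose ~C stops working has nothing to search for. Consider `"commandline disabled; see EnableEscapeCommandline in ssh_config(5)\r\n"`. A one-line comment above the check, e.g. `/* ~C is opt-in: refuse unless EnableEscapeCommandline is set */`, would also record that the gate is deliberate. The function body starts and ends outside the hunk.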
@@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.369 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.370 2022/11/28 01:37:36 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -175,6 +175,7 @@ typedef enum { oFingerprintHash, oUpdateHostkeys, oHostbasedAcceptedAlgorithms, oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize, + oEnableEscapeCommandline, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -321,6 +322,7 @@ static struct { { "securitykeyprovider", oSecurityKeyProvider }, { "knownhostscommand", oKnownHostsCommand }, { "requiredrsasize", oRequiredRSASize }, + { "enableescapecommandline", oEnableEscapeCommandline }, { NULL, oBadOption } }; @@ -2177,6 +2179,10 @@ parse_pubkey_algos: *charptr = xstrdup(arg); break; + case oEnableEscapeCommandline: + intptr = &options->enable_escape_commandline; + goto parse_flag; + case oRequiredRSASize: intptr = &options->required_rsa_size; goto parse_int; @@ -2429,6 +2435,7 @@ initialize_options(Options * options) options->pubkey_accepted_algos = NULL; options->known_hosts_command = NULL; options->required_rsa_size = -1; + options->enable_escape_commandline = -1; } /* @@ -2627,6 +2634,8 @@ fill_default_options(Options * options) #endif if (options->required_rsa_size == -1) options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; + if (options->enable_escape_commandline == -1) + options->enable_escape_commandline = 0; /* Expand KEX name lists */ all_cipher = cipher_alg_list(',', 0); 
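Review bot: The default added in fill_default_options, `options->enable_escape_commandline = 0;`, has no comment saying the choice is deliberate, even though it switches off a path that the old `case 'C'` in clientloop.c reached without any option. A short comment above the two added lines, such as `/* ~C command line is opt-in; keep the default off */`, would stop a later cleanup from flipping it back unnoticed. The function continues outside the hunk, so where the default sits relative to the other flag defaults cannot be judged from here.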
@@ -3308,6 +3317,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns); dump_cfg_fmtint(oVisualHostKey, o->visual_host_key); dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys); + dump_cfg_fmtint(oEnableEscapeCommandline, o->enable_escape_commandline); /* Integer options */ dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.148 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.149 2022/11/28 01:37:36 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -177,6 +177,7 @@ typedef struct { char *known_hosts_command; int required_rsa_size; /* minimum size of RSA keys */ + int enable_escape_commandline; /* ~C commandline */ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.432 2022/09/17 10:33:18 djm Exp $ -.Dd $Mdocdate: September 17 2022 $ +.\" $OpenBSD: ssh.1,v 1.433 2022/11/28 01:37:36 djm Exp $ +.Dd $Mdocdate: November 28 2022 $ .Dt SSH 1 .Os .Sh NAME @@ -522,6 +522,7 @@ For full details of the options listed below, and their possible values, see .It ControlPath .It ControlPersist .It DynamicForward +.It EnableEscapeCommandline .It EscapeChar .It ExitOnForwardFailure .It FingerprintHash diff --git a/ssh_config.5 b/ssh_config.5 index f6fa33ce..ab1e5723 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.375 2022/11/07 10:09:28 dtucker Exp $ -.Dd $Mdocdate: November 7 2022 $ +.\" $OpenBSD: ssh_config.5,v 1.376 2022/11/28 01:37:36 djm Exp $ +.Dd $Mdocdate: November 28 2022 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -643,6 +643,12 @@ will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. +.It Cm EnableEscapeCommandline +Enables the command line option in the +.Cm EscapeChar +menu for interactive sessions (default +.Ql ~C ) . +By default, the command line is disabled. .It Cm EnableSSHKeysign Setting this option to .Cm yes |