From 95e80955f27d55c7a02724e72bdcb1a4ca619f25 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 11:03:05 +1100 Subject: - djm@cvs.openbsd.org 2008/03/26 21:28:14 [auth-options.c auth-options.h session.c sshd.8] add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc --- ChangeLog | 5 ++++- auth-options.c | 11 ++++++++++- auth-options.h | 3 ++- session.c | 4 ++-- sshd.8 | 7 +++++-- 5 files changed, 23 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9b1ec67..7da2b8b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - djm@cvs.openbsd.org 2008/03/25 23:01:41 [session.c] last patch had backwards test; spotted by termim AT gmail.com + - djm@cvs.openbsd.org 2008/03/26 21:28:14 + [auth-options.c auth-options.h session.c sshd.8] + add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3808,4 +3811,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4888 2008/03/27 00:02:27 djm Exp $ +$Id: ChangeLog,v 1.4889 2008/03/27 00:03:05 djm Exp $ diff --git a/auth-options.c b/auth-options.c index ca5e1c93..6e225696 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,6 +42,7 @@ int no_port_forwarding_flag = 0; int no_agent_forwarding_flag = 0; int no_x11_forwarding_flag = 0; int no_pty_flag = 0; +int no_user_rc = 0; /* "command=" option. */ char *forced_command = NULL; @@ -61,6 +62,7 @@ auth_clear_options(void) no_port_forwarding_flag = 0; no_pty_flag = 0; no_x11_forwarding_flag = 0; + no_user_rc = 0; while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; @@ -121,6 +123,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) opts += strlen(cp); goto next_option; } + cp = "no-user-rc"; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + auth_debug_add("User rc file execution disabled."); + no_user_rc = 1; + opts += strlen(cp); + goto next_option; + } cp = "command=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); diff --git a/auth-options.h b/auth-options.h index 853f8b51..14488f72 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-options.h,v 1.17 2008/03/26 21:28:14 djm Exp $ */ /* * Author: Tatu Ylonen @@ -26,6 +26,7 @@ extern int no_port_forwarding_flag; extern int no_agent_forwarding_flag; extern int no_x11_forwarding_flag; extern int no_pty_flag; +extern int no_user_rc; extern char *forced_command; extern struct envstring *custom_environment; extern int forced_tun_device; diff --git a/session.c b/session.c index 6d9e36e4..a77dde38 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.232 2008/03/25 23:01:41 djm Exp $ */ +/* $OpenBSD: session.c,v 1.233 2008/03/26 21:28:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1204,7 +1204,7 @@ do_rc_files(Session *s, const char *shell) /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ if (!s->is_subsystem && options.adm_forced_command == NULL && - (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + !no_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); if (debug_flag) diff --git a/sshd.8 b/sshd.8 index b91ca4fc..cc44e547 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $ -.Dd $Mdocdate: February 11 2008 $ +.\" $OpenBSD: sshd.8,v 1.240 2008/03/26 21:28:14 djm Exp $ +.Dd $Mdocdate: March 26 2008 $ .Dt SSHD 8 .Os .Sh NAME @@ -531,6 +531,9 @@ This might be used, e.g. in connection with the option. .It Cm no-pty Prevents tty allocation (a request to allocate a pty will fail). +.It Cm no-user-rc +Disables execution of +.Pa ~/.ssh/rc . .It Cm no-X11-forwarding Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. -- cgit v1.2.3