Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0^! / . / sshd.8
commit383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Mon Nov 16 00:30:02 2015 +0000
committerDamien Miller <djm@mindrot.org>Mon Nov 16 11:31:41 2015 +1100
tree5204277775a7cbd10a88c9645024958f4a120665
parente41a071f7bda6af1fb3f081bed0151235fa61f15 [diff] [blame]
upstream commit

Add a new authorized_keys option "restrict" that
 includes all current and future key restrictions (no-*-forwarding, etc). Also
 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
 This simplifies the task of setting up restricted keys and ensures they are
 maximally-restricted, regardless of any permissions we might implement in the
 future.

Example:

restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...

Idea from Jann Horn; ok markus@

Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0

diff --git a/sshd.8 b/sshd.8
index 3b20d9f..9bf3d5b 100644
--- a/sshd.8
+++ b/sshd.8

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $
-.Dd $Mdocdate: September 11 2015 $
+.\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $
+.Dd $Mdocdate: November 16 2015 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -522,6 +522,10 @@
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
 .It Cm cert-authority
 Specifies that the listed key is a certification authority (CA) that is
 trusted to validate signed certificates for user authentication.
@@ -616,6 +620,9 @@
 A port specification of
 .Cm *
 matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
 .It Cm principals="principals"
 On a
 .Cm cert-authority
@@ -627,12 +634,33 @@
 signers using the
 .Cm cert-authority
 option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
 .It Cm tunnel="n"
 Force a
 .Xr tun 4
 device on the server.
 Without this option, the next available device will be used if
 the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
 .El
 .Pp
 An example authorized_keys file:
@@ -647,6 +675,10 @@
 AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The