upstream commit
Add a new authorized_keys option "restrict" that
includes all current and future key restrictions (no-*-forwarding, etc). Also
add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
This simplifies the task of setting up restricted keys and ensures they are
maximally-restricted, regardless of any permissions we might implement in the
future.
Example:
restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
Idea from Jann Horn; ok markus@
Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
diff --git a/sshd.8 b/sshd.8
index 3b20d9f..9bf3d5b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $
-.Dd $Mdocdate: September 11 2015 $
+.\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $
+.Dd $Mdocdate: November 16 2015 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -522,6 +522,10 @@
The following option specifications are supported (note
that option keywords are case-insensitive):
.Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
.It Cm cert-authority
Specifies that the listed key is a certification authority (CA) that is
trusted to validate signed certificates for user authentication.
@@ -616,6 +620,9 @@
A port specification of
.Cm *
matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
.It Cm principals="principals"
On a
.Cm cert-authority
@@ -627,12 +634,33 @@
signers using the
.Cm cert-authority
option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
.It Cm tunnel="n"
Force a
.Xr tun 4
device on the server.
Without this option, the next available device will be used if
the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
.El
.Pp
An example authorized_keys file:
@@ -647,6 +675,10 @@
AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
.Ed
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The