- pyr@cvs.openbsd.org 2008/05/07 05:49:37
     [servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and Match
     context), to specify whether forwarding of ssh-agent connections should
     be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@
diff --git a/servconf.c b/servconf.c
index 9add96c..e6d4909 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -99,6 +99,7 @@
 	options->use_login = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
+	options->allow_agent_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
@@ -223,6 +224,8 @@
 		options->compression = COMP_DELAYED;
 	if (options->allow_tcp_forwarding == -1)
 		options->allow_tcp_forwarding = 1;
+	if (options->allow_agent_forwarding == -1)
+		options->allow_agent_forwarding = 1;
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
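Review bot: The new `allow_agent_forwarding == -1` branch silently turns agent forwarding on for every server whose config never mentions the option, and nothing in the hunk says the permissive default is deliberate rather than a copy of the AllowTcpForwarding line above it; a one-line comment would settle that, e.g. `/* AllowAgentForwarding defaults to yes (like AllowTcpForwarding); see sshd_config(5) */`. Leaving the default permissive is consistent with the commit message's own caveat that denying forwarding only helps when shell access is also denied, so I would document it rather than change it. Whether a configured `no` is actually honored cannot be checked from this diff, since the enforcement side (session.c, per the commit message) is not shown. The enclosing function starts and ends outside the hunk.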
@@ -293,7 +296,7 @@
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-	sUsePrivilegeSeparation,
+	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -379,6 +382,7 @@
 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
@@ -1005,6 +1009,10 @@
 		intptr = &options->allow_tcp_forwarding;
 		goto parse_flag;
 
+	case sAllowAgentForwarding:
+		intptr = &options->allow_agent_forwarding;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		goto parse_flag;
@@ -1368,6 +1376,7 @@
 	M_CP_INTOPT(permit_root_login);
 
 	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(allow_agent_forwarding);
 	M_CP_INTOPT(gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);