- djm@cvs.openbsd.org 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
diff --git a/ChangeLog b/ChangeLog
index 54f7b00..84283a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
[key.c key.h]
fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@
+ - djm@cvs.openbsd.org 2013/10/29 09:48:02
+ [servconf.c servconf.h session.c sshd_config sshd_config.5]
+ shd_config PermitTTY to disallow TTY allocation, mirroring the
+ longstanding no-pty authorized_keys option;
+ bz#2070, patch from Teran McKinney; ok markus@
20131026
- (djm) OpenBSD CVS Sync
diff --git a/servconf.c b/servconf.c
index 8214672..0f1bdd0 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.244 2013/10/29 09:48:02 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -92,6 +92,7 @@
options->x11_forwarding = -1;
options->x11_display_offset = -1;
options->x11_use_localhost = -1;
+ options->permit_tty = -1;
options->xauth_location = NULL;
options->strict_modes = -1;
options->tcp_keep_alive = -1;
@@ -212,6 +213,8 @@
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH;
+ if (options->permit_tty == -1)
+ options->permit_tty = 1;
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->tcp_keep_alive == -1)
@@ -329,7 +332,7 @@
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+ sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -462,6 +465,7 @@
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
+ { "permittty", sPermitTTY, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -1132,6 +1136,10 @@
charptr = &options->xauth_location;
goto parse_filename;
+ case sPermitTTY:
+ intptr = &options->permit_tty;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
@@ -1783,6 +1791,7 @@
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost);
+ M_CP_INTOPT(permit_tty);
M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
@@ -2013,6 +2022,7 @@
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+ dump_cfg_fmtint(sPermitTTY, o->permit_tty);
dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff --git a/servconf.h b/servconf.h
index 98aad8b..2d4b6ec 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */
+/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -82,6 +82,7 @@
* searching at */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
+ int permit_tty; /* If false, deny pty allocation */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
diff --git a/session.c b/session.c
index 6e48a2f..a0a0c2d 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.267 2013/10/14 21:20:52 djm Exp $ */
+/* $OpenBSD: session.c,v 1.268 2013/10/29 09:48:02 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -2062,7 +2062,7 @@
u_int len;
int n_bytes;
- if (no_pty_flag) {
+ if (no_pty_flag || !options.permit_tty) {
debug("Allocating a pty not permitted for this authentication.");
return 0;
}
diff --git a/sshd_config b/sshd_config
index dbda749..235459a 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.91 2013/09/07 13:53:11 sthen Exp $
+# $OpenBSD: sshd_config,v 1.92 2013/10/29 09:48:02 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -101,6 +101,7 @@
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
@@ -127,4 +128,5 @@
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
+# PermitTTY no
# ForceCommand cvs server
diff --git a/sshd_config.5 b/sshd_config.5
index 0536cc3..c3e30e6 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $
-.Dd $Mdocdate: October 24 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.164 2013/10/29 09:48:02 djm Exp $
+.Dd $Mdocdate: October 29 2013 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -813,6 +813,7 @@
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
+.Cm PermitTTY ,
.Cm PermitTunnel ,
.Cm PubkeyAuthentication ,
.Cm RekeyLimit ,
@@ -942,6 +943,12 @@
.Dq ethernet .
The default is
.Dq no .
+.It Cm PermitTTY
+Specifies whether
+.Xr pty 7
+allocation is permitted.
+The default is
+.Dq yes .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment