[Bug 2070] New: OpenSSH daemon PermitTTY option

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Feb 15 09:57:53 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=2070

            Bug ID: 2070
           Summary: OpenSSH daemon PermitTTY option
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sega01 at go-beyond.org

Created attachment 2218
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2218&action=edit
Permit TTY patch. Apply with -p1.

Hey everyone,

I wanted a way to deny PTY allocation through the SSH daemon beyond the
authorized_keys means. I know that unless otherwise restricted, PTYs
can be allocated by the user logged into, but this prevents it solely
at the SSH level. You can use this in combination with passwordless
logins for menus and interfaces, and take out the unlikely exploitation
vector of the PTY (along with saving resources and potential
complications). Of course, this can be used in other scenarios as well.

I wrote a patch and submitted it to the mailing list. I originally
called the option NoPty, but was advised by Iain Morgan to change it to
PermitTTY. I've done so, and have tested it. It works perfectly in my
own testing, though it has not been tested in any other environments as
far as I know. The changes are pretty simple, and I've also touched the
man pages. I was unable to find a way to compile the .0 man page from
the .5 file, but I've edited both and I *think* they are identical,
though they may not be once the .0 is regenerated.

Damien suggested I send the patch here, so I have. Please let me know
if this patch is fit for inclusion in the mainline OpenSSH offering. I
can make further adjustments to the patch as needed.

Thanks,
Teran

PS: Original mailing list submission:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-February/030989.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list