OpenSSH NoPty patch

Teran McKinney sega01 at go-beyond.org
Fri Feb 1 06:12:11 EST 2013 

Hey everyone,

I wanted to add support for denying PTY allocation through OpenSSH. I'm
not certain if this is quite thorough enough for all cases, but for me
it might work for the moment.

I know that you can currently do this through authorized_keys, but as
far as I know that only works for an actual key. In my use case, I
wanted a user with no password which is forced to run a specific
command, and without a PTY. I didn't see any other good options for
this, so I wrote my own based off of the X11Forwarding directive.

This patch seems complete, but the man page stuff is not. I wrote in the
sshd_config.0 for an example of how I think it could look, but I'm not
very familiar with the syntax in sshd_config.5, so didn't do much there.
I imagine the things I wrote in sshd_config.0 would be overwritten most
of the time, anyways.

I tested it as a server-wide directive and inside a Match clause. It
works in both cases.

Please let me know if you'd like me to clean up this patch further, if
you can take it from here, or if why it's not a useful feature in the
main distribution of OpenSSH. I'm happy to use it on my own either way,
just thought I'd send it your way in case it's something you guys can
use.

Thanks,
Teran

PS: I hereby release my changes in the patch into the public domain, so
you can do whatever you want with it.

PPS: Please include me in all replies directly as I'm not on the list.
-------------- next part --------------
diff -rupN openssh-6.1p1/servconf.c openssh-6.1p1-new/servconf.c
--- openssh-6.1p1/servconf.c	2012-07-31 02:22:38.000000000 +0000
+++ openssh-6.1p1-new/servconf.c	2013-01-31 17:12:36.000000000 +0000
@@ -85,6 +85,7 @@ initialize_server_options(ServerOptions
 	options->x11_forwarding = -1;
 	options->x11_display_offset = -1;
 	options->x11_use_localhost = -1;
+	options->no_pty = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->tcp_keep_alive = -1;
@@ -201,6 +202,8 @@ fill_default_server_options(ServerOption
 		options->x11_use_localhost = 1;
 	if (options->xauth_location == NULL)
 		options->xauth_location = _PATH_XAUTH;
+	if (options->no_pty == -1)
+		options->no_pty = 0;
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->tcp_keep_alive == -1)
@@ -314,7 +317,7 @@ typedef enum {
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+	sNoPty, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -411,6 +414,7 @@ static struct {
 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
+	{ "nopty", sNoPty, SSHCFG_ALL },
 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
@@ -1075,6 +1079,10 @@ process_server_config_line(ServerOptions
 		charptr = &options->xauth_location;
 		goto parse_filename;
 
+	case sNoPty:
+		intptr = &options->no_pty;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
@@ -1657,6 +1665,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
+	M_CP_INTOPT(no_pty);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
@@ -1883,6 +1892,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+	dump_cfg_fmtint(sNoPty, o->no_pty);
 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff -rupN openssh-6.1p1/servconf.h openssh-6.1p1-new/servconf.h
--- openssh-6.1p1/servconf.h	2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-new/servconf.h	2013-01-31 17:36:33.000000000 +0000
@@ -74,6 +74,7 @@ typedef struct {
 					 * searching at */
 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
 	char   *xauth_location;	/* Location of xauth program */
+	int	no_pty;	/* If true, do not create ptys */
 	int     strict_modes;	/* If true, require string home dir modes. */
 	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
diff -rupN openssh-6.1p1/session.c openssh-6.1p1-new/session.c
--- openssh-6.1p1/session.c	2012-04-22 01:08:10.000000000 +0000
+++ openssh-6.1p1-new/session.c	2013-01-31 17:07:50.000000000 +0000
@@ -2018,7 +2018,7 @@ session_pty_req(Session *s)
 	u_int len;
 	int n_bytes;
 
-	if (no_pty_flag) {
+	if (no_pty_flag || options.no_pty) {
 		debug("Allocating a pty not permitted for this authentication.");
 		return 0;
 	}
diff -rupN openssh-6.1p1/sshd_config openssh-6.1p1-new/sshd_config
--- openssh-6.1p1/sshd_config	2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-new/sshd_config	2013-01-31 17:15:15.000000000 +0000
@@ -95,6 +95,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+#NoPty no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
@@ -121,4 +122,5 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
+#	NoPty yes
 #	ForceCommand cvs server
diff -rupN openssh-6.1p1/sshd_config.0 openssh-6.1p1-new/sshd_config.0
--- openssh-6.1p1/sshd_config.0	2012-08-29 00:53:04.000000000 +0000
+++ openssh-6.1p1-new/sshd_config.0	2013-01-31 17:21:29.000000000 +0000
@@ -410,7 +410,7 @@ DESCRIPTION
              PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
              PermitRootLogin, PermitTunnel, PubkeyAuthentication,
              RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
-             X11Forwarding and X11UseLocalHost.
+             X11Forwarding, X11UseLocalHost, and NoPty.
 
      MaxAuthTries
              Specifies the maximum number of authentication attempts permitted
@@ -683,6 +683,10 @@ DESCRIPTION
              Specifies the full pathname of the xauth(1) program.  The default
              is /usr/X11R6/bin/xauth.
 
+     NoPty
+             Specifies whether creation of PTYs is denied. The argument must be
+             ``yes'' or ``no''. The default is ``yes''.
+
 TIME FORMATS
      sshd(8) command-line arguments and configuration file options that
      specify time may be expressed using a sequence of the form:
diff -rupN openssh-6.1p1/sshd_config.5 openssh-6.1p1-new/sshd_config.5
--- openssh-6.1p1/sshd_config.5	2012-07-02 08:53:38.000000000 +0000
+++ openssh-6.1p1-new/sshd_config.5	2013-01-31 17:19:02.000000000 +0000
@@ -735,9 +735,10 @@ Available keywords are
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
-.Cm X11Forwarding
+.Cm X11Forwarding ,
+.Cm X11UseLocalHost ,
 and
-.Cm X11UseLocalHost .
+.Cm NoPty .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20130131/1cc02653/attachment.bin>

More information about the openssh-unix-dev mailing list