OpenSSH NoPty patch
Teran McKinney
sega01 at go-beyond.org
Thu Feb 14 11:40:11 EST 2013
Edit: Resending as I don't think this made it to the list. Taking out
my PGP signature as I wonder if that is breaking it.
Hi Iain and Angel!
Thank you for your replies.
On 2013-02-01 13-46-44 , Iain Morgan wrote:
> Without commenting on the details of the code, I would like to suggest
> using a different keyword than "NoPty." Although NoPty is consistent
> with the no-pty authorized_keys keyword, it goes against the grain of
> other sshd_config options. Also, the double-negative of "NoPty yes" is
> somewhat annoying.
>
> Instead, you might want to consider "PermitTTY" which would be
> consistent with existing sshd_config options (PermitOpen, PermitUserEnv,
> etc.) and would also be consistent with the ssh_config RequestTTY
> option.
>
> --
> Iain Morgan
I've gone with Iain's suggestion of PermitTTY and have refactored the
patch. I've also fixed the issues with the man page, and the
alphabetical sorting. The only place where the alphabetical sort is still off is
in the default sshd_config file; I'm not sure whether that is a problem.
I've tested it and it works exactly the same as the last patch, except
with a new default and name to the configuration option.
I would appreciate it if anyone else can test this new patch or let me
know of any next steps for hopefully including it into the mainstream
OpenSSH code base.
Thanks,
Teran
diff -rupN openssh-6.1p1/servconf.c openssh-6.1p1-permittty/servconf.c
--- openssh-6.1p1/servconf.c 2012-07-31 02:22:38.000000000 +0000
+++ openssh-6.1p1-permittty/servconf.c 2013-02-12 01:49:18.907753826 +0000
@@ -85,6 +85,7 @@ initialize_server_options(ServerOptions
options->x11_forwarding = -1;
options->x11_display_offset = -1;
options->x11_use_localhost = -1;
+ options->permit_tty = -1;
options->xauth_location = NULL;
options->strict_modes = -1;
options->tcp_keep_alive = -1;
@@ -201,6 +202,8 @@ fill_default_server_options(ServerOption
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH;
+ if (options->permit_tty == -1)
+ options->permit_tty = 1;
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->tcp_keep_alive == -1)
@@ -314,7 +317,7 @@ typedef enum {
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+ sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -443,6 +446,7 @@ static struct {
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
+ { "permittty", sPermitTTY, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -1075,6 +1079,10 @@ process_server_config_line(ServerOptions
charptr = &options->xauth_location;
goto parse_filename;
+ case sPermitTTY:
+ intptr = &options->permit_tty;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
@@ -1657,6 +1665,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost);
+ M_CP_INTOPT(permit_tty);
M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
@@ -1883,6 +1892,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+ dump_cfg_fmtint(sPermitTTY, o->permit_tty);
dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff -rupN openssh-6.1p1/servconf.h openssh-6.1p1-permittty/servconf.h
--- openssh-6.1p1/servconf.h 2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-permittty/servconf.h 2013-02-12 01:35:53.204826498 +0000
@@ -74,6 +74,7 @@ typedef struct {
* searching at */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
+ int permit_tty; /* If false, deny pty allocation */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
diff -rupN openssh-6.1p1/session.c openssh-6.1p1-permittty/session.c
--- openssh-6.1p1/session.c 2012-04-22 01:08:10.000000000 +0000
+++ openssh-6.1p1-permittty/session.c 2013-02-12 01:35:53.204826498 +0000
@@ -2018,7 +2018,7 @@ session_pty_req(Session *s)
u_int len;
int n_bytes;
- if (no_pty_flag) {
+ if (no_pty_flag || !options.permit_tty) {
debug("Allocating a pty not permitted for this authentication.");
return 0;
}
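Review bot: The denial in session_pty_req now has two distinct causes, but the debug message on the following line still blames "this authentication" (the authorized_keys no-pty option), which will send an administrator debugging a Match block to the wrong place; I would make the cause explicit, e.g. `debug("Allocating a pty not permitted (%s).", no_pty_flag ? "no-pty key option" : "PermitTTY");`. A short comment above the condition is also worth adding, along the lines of `/* Gates only the pty-req channel request; shell/exec requests are not affected. */`, because nothing in this hunk touches shell or exec handling, so as far as the patch shows a client can still run a non-interactive shell and PermitTTY should be paired with ForceCommand (as the sshd_config Match example in this patch already does) when the aim is to restrict what the user can run. session_pty_req's body begins before and continues after the hunk, so I cannot see whether any other path allocates a pty.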
diff -rupN openssh-6.1p1/sshd_config openssh-6.1p1-permittty/sshd_config
--- openssh-6.1p1/sshd_config 2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-permittty/sshd_config 2013-02-12 01:35:53.208826448 +0000
@@ -95,6 +95,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
@@ -121,4 +122,5 @@ Subsystem sftp /usr/libexec/sftp-server
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
+# PermitTTY no
# ForceCommand cvs server
diff -rupN openssh-6.1p1/sshd_config.0 openssh-6.1p1-permittty/sshd_config.0
--- openssh-6.1p1/sshd_config.0 2012-08-29 00:53:04.000000000 +0000
+++ openssh-6.1p1-permittty/sshd_config.0 2013-02-12 01:47:46.937903605 +0000
@@ -408,9 +408,9 @@ DESCRIPTION
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
KerberosAuthentication, MaxAuthTries, MaxSessions,
PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
- PermitRootLogin, PermitTunnel, PubkeyAuthentication,
+ PermitRootLogin, PermitTunnel, PermitTTY, PubkeyAuthentication,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
+ X11Forwarding, and X11UseLocalHost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -481,6 +481,10 @@ DESCRIPTION
``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits
both ``point-to-point'' and ``ethernet''. The default is ``no''.
+ PermitTTY
+ Specifies whether pty(7) allocation is permitted. The default is
+ ``yes''.
+
PermitUserEnvironment
Specifies whether ~/.ssh/environment and environment= options in
~/.ssh/authorized_keys are processed by sshd(8). The default is
diff -rupN openssh-6.1p1/sshd_config.5 openssh-6.1p1-permittty/sshd_config.5
--- openssh-6.1p1/sshd_config.5 2012-07-02 08:53:38.000000000 +0000
+++ openssh-6.1p1-permittty/sshd_config.5 2013-02-12 01:35:53.208826448 +0000
@@ -731,11 +731,12 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
+.Cm PermitTTY ,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
-.Cm X11Forwarding
+.Cm X11Forwarding ,
and
.Cm X11UseLocalHost .
.It Cm MaxAuthTries
@@ -858,6 +859,12 @@ and
.Dq ethernet .
The default is
.Dq no .
+.It Cm PermitTTY
+Specifies whether
+.Xr pty 7
+allocation is permitted.
+The default is
+.Dq yes .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment