Hey everyone,
I wanted to add support for denying PTY allocation through OpenSSH. I'm
not certain if this is quite thorough enough for all cases, but for me
it might work for the moment.
I know that you can currently do this through authorized_keys, but as
far as I know that only works for an actual key. In my use case, I
wanted a user with no password which is forced to run a specific
command, and without a PTY. I didn't see any other good options for
this, so I wrote my own based off of the X11Forwarding directive.
This patch seems complete, but the man page stuff is not. I wrote in the
sshd_config.0 for an example of how I think it could look, but I'm not
very familiar with the syntax in sshd_config.5, so didn't do much there.
I imagine the things I wrote in sshd_config.0 would be overwritten most
of the time, anyways.
I tested it as a server-wide directive and inside a Match clause. It
works in both cases.
Please let me know if you'd like me to clean up this patch further, if
you can take it from here, or if why it's not a useful feature in the
main distribution of OpenSSH. I'm happy to use it on my own either way,
just thought I'd send it your way in case it's something you guys can
use.
Thanks,
Teran
PS: I hereby release my changes in the patch into the public domain, so
you can do whatever you want with it.
PPS: Please include me in all replies directly as I'm not on the list.
-------------- next part --------------
diff -rupN openssh-6.1p1/servconf.c openssh-6.1p1-new/servconf.c
--- openssh-6.1p1/servconf.c 2012-07-31 02:22:38.000000000 +0000
+++ openssh-6.1p1-new/servconf.c 2013-01-31 17:12:36.000000000 +0000
@@ -85,6 +85,7 @@ initialize_server_options(ServerOptions
options->x11_forwarding = -1;
options->x11_display_offset = -1;
options->x11_use_localhost = -1;
+ options->no_pty = -1;
options->xauth_location = NULL;
options->strict_modes = -1;
options->tcp_keep_alive = -1;
@@ -201,6 +202,8 @@ fill_default_server_options(ServerOption
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH;
+ if (options->no_pty == -1)
+ options->no_pty = 0;
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->tcp_keep_alive == -1)
@@ -314,7 +317,7 @@ typedef enum {
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+ sNoPty, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -411,6 +414,7 @@ static struct {
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
+ { "nopty", sNoPty, SSHCFG_ALL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
@@ -1075,6 +1079,10 @@ process_server_config_line(ServerOptions
charptr = &options->xauth_location;
goto parse_filename;
+ case sNoPty:
+ intptr = &options->no_pty;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
@@ -1657,6 +1665,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost);
+ M_CP_INTOPT(no_pty);
M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
@@ -1883,6 +1892,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+ dump_cfg_fmtint(sNoPty, o->no_pty);
dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff -rupN openssh-6.1p1/servconf.h openssh-6.1p1-new/servconf.h
--- openssh-6.1p1/servconf.h 2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-new/servconf.h 2013-01-31 17:36:33.000000000 +0000
@@ -74,6 +74,7 @@ typedef struct {
* searching at */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
+ int no_pty; /* If true, do not create ptys */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
diff -rupN openssh-6.1p1/session.c openssh-6.1p1-new/session.c
--- openssh-6.1p1/session.c 2012-04-22 01:08:10.000000000 +0000
+++ openssh-6.1p1-new/session.c 2013-01-31 17:07:50.000000000 +0000
@@ -2018,7 +2018,7 @@ session_pty_req(Session *s)
u_int len;
int n_bytes;
- if (no_pty_flag) {
+ if (no_pty_flag || options.no_pty) {
debug("Allocating a pty not permitted for this authentication.");
return 0;
}
diff -rupN openssh-6.1p1/sshd_config openssh-6.1p1-new/sshd_config
--- openssh-6.1p1/sshd_config 2012-07-31 02:21:34.000000000 +0000
+++ openssh-6.1p1-new/sshd_config 2013-01-31 17:15:15.000000000 +0000
@@ -95,6 +95,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
+#NoPty no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
@@ -121,4 +122,5 @@ Subsystem sftp /usr/libexec/sftp-server
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
+# NoPty yes
# ForceCommand cvs server
diff -rupN openssh-6.1p1/sshd_config.0 openssh-6.1p1-new/sshd_config.0
--- openssh-6.1p1/sshd_config.0 2012-08-29 00:53:04.000000000 +0000
+++ openssh-6.1p1-new/sshd_config.0 2013-01-31 17:21:29.000000000 +0000
@@ -410,7 +410,7 @@ DESCRIPTION
PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
PermitRootLogin, PermitTunnel, PubkeyAuthentication,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
+ X11Forwarding, X11UseLocalHost, and NoPty.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -683,6 +683,10 @@ DESCRIPTION
Specifies the full pathname of the xauth(1) program. The default
is /usr/X11R6/bin/xauth.
+ NoPty
+ Specifies whether creation of PTYs is denied. The argument must be
+ ``yes'' or ``no''. The default is ``yes''.
+
TIME FORMATS
sshd(8) command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
diff -rupN openssh-6.1p1/sshd_config.5 openssh-6.1p1-new/sshd_config.5
--- openssh-6.1p1/sshd_config.5 2012-07-02 08:53:38.000000000 +0000
+++ openssh-6.1p1-new/sshd_config.5 2013-01-31 17:19:02.000000000 +0000
@@ -735,9 +735,10 @@ Available keywords are
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
-.Cm X11Forwarding
+.Cm X11Forwarding ,
+.Cm X11UseLocalHost ,
and
-.Cm X11UseLocalHost .
+.Cm NoPty .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20130131/1cc02653/attachment.bin>