bugzilla-daemon at mindrot.org
2013-Feb-14 22:57 UTC
[Bug 2070] New: OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Bug ID: 2070
Summary: OpenSSH daemon PermitTTY option
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: sega01 at go-beyond.org
Created attachment 2218
--> https://bugzilla.mindrot.org/attachment.cgi?id=2218&action=edit
Permit TTY patch. Apply with -p1.
Hey everyone,
I wanted a way to deny PTY allocation through the SSH daemon beyond the
authorized_keys means. I know that unless otherwise restricted, PTYs
can be allocated by the user logged into, but this prevents it solely
at the SSH level. You can use this in combination with passwordless
logins for menus and interfaces, and take out the unlikely exploitation
vector of the PTY (along with saving resources and potential
complications). Of course, this can be used in other scenarios as well.
I wrote a patch and submitted it to the mailing list. I originally
called the option NoPty, but was advised by Iain Morgan to change it to
PermitTTY. I've done so, and have tested it. It works perfectly in my
own testing, though it has not been tested in any other environments as
far as I know. The changes are pretty simple, and I've also touched the
man pages. I was unable to find a way to compile the .0 man page from
the .5 file, but I've edited both and I *think* they are identical,
though they may not be once the .0 is regenerated.
Damien suggested I send the patch here, so I have. Please let me know
if this patch is fit for inclusion in the mainline OpenSSH offering. I
can make further adjustments to the patch as needed.
Thanks,
Teran
PS: Original mailing list submission:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-February/030989.html
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-May-10 04:27 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Blocks| |2076
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Seems reasonable. We'll look at this for the next release.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Jun-14 21:45 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
jhoblitt at cpan.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhoblitt at cpan.org
--- Comment #2 from jhoblitt at cpan.org ---
I haven't tested this patch but I'd like to +1 the concept. I found
this bug while trying to figure out how to set the equivalent of no-pty
from a match block in sshd_config (which turns out not to be presently
possible).
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-25 02:17 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2130
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-6.4
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-25 02:20 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2076 |
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Retarget 6.3 -> 6.4
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at natsu.mindrot.org
2013-Oct-29 09:48 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
patch applied. This will be in openssh-6.4. Thanks!
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
Maybe Matching Threads
- OpenSSH NoPty patch
- [Bug 2736] New: Question-"PermitTTY no" is not working as expected
- DO NOT REPLY [Bug 7629] New: Blank filter file option to ignore whole directory
- [Bug 2052] New: Memory leak when SSH login and logout
- [Bug 2106] New: When TZ isn't explicitly set ls can give different time stamps