bugzilla-daemon at mindrot.org
2013-Feb-14 22:57 UTC
[Bug 2070] New: OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Bug ID: 2070
Summary: OpenSSH daemon PermitTTY option
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: sega01 at go-beyond.org
Created attachment 2218
--> https://bugzilla.mindrot.org/attachment.cgi?id=2218&action=edit
Permit TTY patch. Apply with -p1.
Hey everyone,
I wanted a way to deny PTY allocation through the SSH daemon beyond the
authorized_keys means. I know that unless otherwise restricted, PTYs
can be allocated by the user logged into, but this prevents it solely
at the SSH level. You can use this in combination with passwordless
logins for menus and interfaces, and take out the unlikely exploitation
vector of the PTY (along with saving resources and potential
complications). Of course, this can be used in other scenarios as well.
I wrote a patch and submitted it to the mailing list. I originally
called the option NoPty, but was advised by Iain Morgan to change it to
PermitTTY. I've done so, and have tested it. It works perfectly in my
own testing, though it has not been tested in any other environments as
far as I know. The changes are pretty simple, and I've also touched the
man pages. I was unable to find a way to compile the .0 man page from
the .5 file, but I've edited both and I *think* they are identical,
though they may not be once the .0 is regenerated.
Damien suggested I send the patch here, so I have. Please let me know
if this patch is fit for inclusion in the mainline OpenSSH offering. I
can make further adjustments to the patch as needed.
Thanks,
Teran
PS: Original mailing list submission:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-February/030989.html
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-May-10 04:27 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Blocks| |2076
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Seems reasonable. We'll look at this for the next release.
bugzilla-daemon at mindrot.org
2013-Jun-14 21:45 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
jhoblitt at cpan.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhoblitt at cpan.org
--- Comment #2 from jhoblitt at cpan.org ---
I haven't tested this patch but I'd like to +1 the concept. I found
this bug while trying to figure out how to set the equivalent of no-pty
from a match block in sshd_config (which turns out not to be presently
possible).
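The two mechanisms contrasted in the original report and in comment #2, as an added configuration example (not taken from the attached patch or from the OpenSSH project): the per-key `no-pty` restriction in authorized_keys beside the server-side PermitTTY option placed in a Match block. It assumes an sshd release that includes PermitTTY; the group name, command path and key placeholder are hypothetical.

```conf
# --- ~/.ssh/authorized_keys: per-key restriction (the existing mechanism) ---
# Constructed entry; the key material is a placeholder.
# The restriction lives in a file inside the account's home directory and
# applies only to logins made with this one key.
no-pty,command="/usr/local/bin/restricted-service" ssh-rsa <PUBLIC-KEY-PLACEHOLDER> service-key

# --- /etc/ssh/sshd_config: server-side restriction (the option from this bug) ---
# Ordinary accounts keep the default behaviour.
PermitTTY yes

# Hypothetical group "menuusers": sshd refuses PTY allocation for these
# accounts whatever their authorized_keys files contain and whichever
# authentication method was used.
Match Group menuusers
    PermitTTY no
    ForceCommand /usr/local/bin/restricted-service
```

Running `sshd -t` before reloading the daemon catches syntax errors in the edited file, and `ssh -tt` from a client in the restricted group should then report that PTY allocation failed.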
bugzilla-daemon at mindrot.org
2013-Jul-25 02:17 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2130
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-6.4
bugzilla-daemon at mindrot.org
2013-Jul-25 02:20 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2076 |
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Retarget 6.3 -> 6.4
bugzilla-daemon at natsu.mindrot.org
2013-Oct-29 09:48 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in openssh-6.4. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2070] OpenSSH daemon PermitTTY option
https://bugzilla.mindrot.org/show_bug.cgi?id=2070
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release