Bugzilla – Attachment 1094 Details for
Bug 1172
[PATCH] Restrict public key authentication to scp access only
[patch]
Implements "scp-only" as separate option
1172_scponly.patch (text/plain), 2.13 KB, created by
Tom Williams
on 2006-03-09 10:08:42 AEDT
Description:
Implements "scp-only" as separate option
Creator:
Tom Williams
Created:
2006-03-09 10:08:42 AEDT
Size:
2.13 KB
>--- auth-options.c.orig 2005-12-13 02:33:20.000000000 -0600
>+++ auth-options.c 2006-03-08 15:36:20.000000000 -0600
>@@ -28,6 +28,7 @@ int no_port_forwarding_flag = 0;
> int no_agent_forwarding_flag = 0;
> int no_x11_forwarding_flag = 0;
> int no_pty_flag = 0;
>+int scp_only_flag = 0;
>
> /* "command=" option. */
> char *forced_command = NULL;
>@@ -47,6 +48,7 @@ auth_clear_options(void)
> no_port_forwarding_flag = 0;
> no_pty_flag = 0;
> no_x11_forwarding_flag = 0;
>+ scp_only_flag = 0;
> while (custom_environment) {
> struct envstring *ce = custom_environment;
> custom_environment = ce->next;
>@@ -79,6 +81,13 @@ auth_parse_options(struct passwd *pw, ch
> return 1;
>
> while (*opts && *opts != ' ' && *opts != '\t') {
>+ cp = "scp-only";
>+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
>+ auth_debug_add("scp-only is enabled.");
>+ scp_only_flag = 1;
>+ opts += strlen(cp);
>+ goto next_option;
>+ }
> cp = "no-port-forwarding";
> if (strncasecmp(opts, cp, strlen(cp)) == 0) {
> auth_debug_add("Port forwarding disabled.");
>--- auth-options.h.orig 2005-12-13 02:29:02.000000000 -0600
>+++ auth-options.h 2006-03-08 15:37:49.000000000 -0600
>@@ -26,6 +26,7 @@ extern int no_port_forwarding_flag;
> extern int no_agent_forwarding_flag;
> extern int no_x11_forwarding_flag;
> extern int no_pty_flag;
>+extern int scp_only_flag;
> extern char *forced_command;
> extern struct envstring *custom_environment;
> extern int forced_tun_device;
>--- session.c.orig 2006-02-07 17:18:55.000000000 -0600
>+++ session.c 2006-03-08 16:19:34.000000000 -0600
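Review bot: In the `scp-only` branch added to auth_parse_options (auth-options.c, hunk at -79), only `scp_only_flag` is set, so a key carrying this option alone keeps port, agent and X11 forwarding and pty allocation enabled; nothing else in this patch turns them off. If the option is meant to confine the key to file copies, the branch should also set `no_port_forwarding_flag = no_agent_forwarding_flag = no_x11_forwarding_flag = no_pty_flag = 1;`. The new option also has no comment or manual-page text saying what it permits; a short comment above the branch such as `/* "scp-only": key may only run scp, enforced in do_exec() */` would help. The function body starts and ends outside the hunk.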
>@@ -656,6 +656,21 @@ do_exec(Session *s, const char *command)
> command = forced_command;
> debug("Forced command '%.900s'", command);
> }
>+ /* Restrict to scp only access? */
>+ if (scp_only_flag) {
>+ if (!command) {
>+ fatal("scp-only but attempting shell access");
>+ } else if (strncmp(command,"scp ",4) == 0) {
>+ /* check for funny business */
>+ const char *p;
>+ for (p = command; *p && *p != ';'; p++) ;
>+ if (*p == ';') {
>+ fatal("scp-only command contains ';': %.900s",command);
>+ }
>+ } else {
>+ fatal("scp-only but attempting command: %.900s",command);
>+ }
>+ }
>
> #ifdef SSH_AUDIT_EVENTS
> if (command != NULL)
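Review bot: The scp-only check added to do_exec rejects only `;`, but the command is presumably handed to the user's shell later in this function, where other metacharacters (pipes, `&`, backquotes, `$(...)`, redirections, newlines) also chain or substitute commands, so a one-character denylist does not confine the session to scp. An allowlist of permitted characters is safer than enumerating bad ones, at the cost of refusing unusual file names; the fence below shows that shape. The check also leaves scp's own options unconstrained and matches the bare name `scp`, so which binary runs depends on how the shell resolves it — inferred, since the exec path is outside the hunk. do_exec starts and ends outside the hunk.

```c
	/* Restrict to scp only access? */
	if (scp_only_flag) {
		/* Allowlist: any byte the shell might interpret is refused. */
		static const char scp_safe[] =
		    "abcdefghijklmnopqrstuvwxyz"
		    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		    "0123456789 ._/-";

		if (command == NULL)
			fatal("scp-only but attempting shell access");
		else if (strncmp(command, "scp ", 4) != 0)
			fatal("scp-only but attempting command: %.900s", command);
		else if (command[strspn(command, scp_safe)] != '\0')
			fatal("scp-only command has a disallowed character: %.900s", command);
	}
	/* … unchanged: SSH_AUDIT_EVENTS block … */
```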