Bug 2070

Summary:

OpenSSH daemon PermitTTY option

Product:

Portable OpenSSH

Reporter:

Teran McKinney <sega01>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

djm, jhoblitt

Priority:

Version:

6.1p1

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

2130

Attachments:

Description	Flags
Permit TTY patch. Apply with -p1.	none

Description Teran McKinney 2013-02-15 09:57:53 AEDT

Created attachment 2218 [details]
Permit TTY patch. Apply with -p1.

Hey everyone,

I wanted a way to deny PTY allocation through the SSH daemon beyond the authorized_keys means. I know that unless otherwise restricted, PTYs can be allocated by the user logged into, but this prevents it solely at the SSH level. You can use this in combination with passwordless logins for menus and interfaces, and take out the unlikely exploitation vector of the PTY (along with saving resources and potential complications). Of course, this can be used in other scenarios as well.

I wrote a patch and submitted it to the mailing list. I originally called the option NoPty, but was advised by Iain Morgan to change it to PermitTTY. I've done so, and have tested it. It works perfectly in my own testing, though it has not been tested in any other environments as far as I know. The changes are pretty simple, and I've also touched the man pages. I was unable to find a way to compile the .0 man page from the .5 file, but I've edited both and I *think* they are identical, though they may not be once the .0 is regenerated.

Damien suggested I send the patch here, so I have. Please let me know if this patch is fit for inclusion in the mainline OpenSSH offering. I can make further adjustments to the patch as needed.

Thanks,
Teran

PS: Original mailing list submission: http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-February/030989.html

Comment 1 Damien Miller 2013-05-10 14:27:29 AEST

Seems reasonable. We'll look at this for the next release.

Comment 2 Joshua Hoblitt 2013-06-15 07:45:20 AEST

I haven't tested this patch but I'd like to +1 the concept.  I found this bug while trying to figure out how to set the equivalent of no-pty from a match block in sshd_config (which turns out not to be presently possible).

Comment 3 Damien Miller 2013-07-25 12:17:38 AEST

Retarget to openssh-6.4

Comment 4 Damien Miller 2013-07-25 12:20:33 AEST

Retarget 6.3 -> 6.4

Comment 5 Damien Miller 2013-10-29 20:48:19 AEDT

patch applied. This will be in openssh-6.4. Thanks!

Comment 6 Damien Miller 2016-08-02 10:42:45 AEST

Close all resolved bugs after 7.3p1 release