Bug 2070 - OpenSSH daemon PermitTTY option
Summary: OpenSSH daemon PermitTTY option
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.1p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_5
Reported: 2013-02-15 09:57 AEDT by Teran McKinney
Modified: 2016-08-02 10:42 AEST

Attachments
Permit TTY patch. Apply with -p1. (6.34 KB, patch)
2013-02-15 09:57 AEDT, Teran McKinney

Description Teran McKinney 2013-02-15 09:57:53 AEDT
Created attachment 2218
Permit TTY patch. Apply with -p1.

Hey everyone,

I wanted a way to deny PTY allocation through the SSH daemon beyond the authorized_keys means. I know that unless otherwise restricted, PTYs can be allocated by the user logged into, but this prevents it solely at the SSH level. You can use this in combination with passwordless logins for menus and interfaces, and take out the unlikely exploitation vector of the PTY (along with saving resources and potential complications). Of course, this can be used in other scenarios as well.

I wrote a patch and submitted it to the mailing list. I originally called the option NoPty, but was advised by Iain Morgan to change it to PermitTTY. I've done so, and have tested it. It works perfectly in my own testing, though it has not been tested in any other environments as far as I know. The changes are pretty simple, and I've also touched the man pages. I was unable to find a way to compile the .0 man page from the .5 file, but I've edited both and I *think* they are identical, though they may not be once the .0 is regenerated.

Damien suggested I send the patch here, so I have. Please let me know if this patch is fit for inclusion in the mainline OpenSSH offering. I can make further adjustments to the patch as needed.

Thanks,
Teran

PS: Original mailing list submission: http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-February/030989.html
Comment 1 Damien Miller 2013-05-10 14:27:29 AEST
Seems reasonable. We'll look at this for the next release.
Comment 2 Joshua Hoblitt 2013-06-15 07:45:20 AEST
I haven't tested this patch but I'd like to +1 the concept. I found this bug while trying to figure out how to set the equivalent of no-pty from a match block in sshd_config (which turns out not to be presently possible).
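The use case in the description (a PTY-less menu account) and the question in Comment 2 (the no-pty equivalent from a Match block) both come down to how sshd resolves PermitTTY per user. The following is an added example, not code from the bug report or from OpenSSH: it evaluates a constructed sshd_config against a user and group list under a deliberately reduced model of sshd's semantics (assumption: global keywords before the first Match line, Match User/Group criteria with comma-separated glob patterns, Match values override the global value, and when several Match blocks apply the first one that sets the keyword wins).

```python
"""Resolve the effective PermitTTY value for a user from an sshd_config.

Added example, not part of the bug report or of OpenSSH. It models only a
subset of sshd_config (assumption): global keywords before the first Match
line, 'Match User'/'Match Group' with comma-separated glob patterns, Match
values override the global value, and among matching blocks the first one
that sets PermitTTY wins. Negated patterns and other criteria are not handled.
"""
import fnmatch

# Constructed sample config: a kiosk group gets no PTY plus a forced menu,
# while user alice keeps a PTY unless she is also a member of kiosk.
SAMPLE_CONFIG = """
PermitTTY yes
Match Group kiosk
    PermitTTY no
    ForceCommand /usr/local/bin/menu
Match User alice
    PermitTTY yes
"""

def parse(text):
    """Return (global_keywords, [(criteria, keywords), ...])."""
    glob_kw, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            words = value.split()
            criteria = {words[i].lower(): words[i + 1].split(",")
                        for i in range(0, len(words) - 1, 2)}
            if any(c not in ("user", "group") for c in criteria):
                raise ValueError("unsupported Match criterion: " + value)
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            glob_kw.setdefault(key, value)   # first obtained value wins
        else:
            current[1].setdefault(key, value)
    return glob_kw, blocks

def matches(criteria, user, groups):
    """True if every criterion on the Match line is satisfied."""
    for crit, patterns in criteria.items():
        subjects = [user] if crit == "user" else list(groups)
        if not any(fnmatch.fnmatchcase(s, p) for s in subjects for p in patterns):
            return False
    return True

def effective_permit_tty(config_text, user, groups=()):
    """Return True if sshd would allow PTY allocation for this login."""
    glob_kw, blocks = parse(config_text)
    for criteria, kws in blocks:
        if matches(criteria, user, groups) and "permittty" in kws:
            return kws["permittty"].lower() == "yes"
    return glob_kw.get("permittty", "yes").lower() == "yes"  # default: yes
```

Because the kiosk block precedes the alice block, a user alice who is also in the kiosk group is denied a PTY; ordering of Match blocks is therefore part of the policy.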
Comment 3 Damien Miller 2013-07-25 12:17:38 AEST
Retarget to openssh-6.4
Comment 4 Damien Miller 2013-07-25 12:20:33 AEST
Retarget 6.3 -> 6.4
Comment 5 Damien Miller 2013-10-29 20:48:19 AEDT
Patch applied. This will be in openssh-6.4. Thanks!
Comment 6 Damien Miller 2016-08-02 10:42:45 AEST
Close all resolved bugs after 7.3p1 release