Rivoreo Source Code Repositories
src.rivoreo.one / security / openssh-library / 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0
commit383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0[log] [download]
authordjm@openbsd.org <djm@openbsd.org>Mon Nov 16 00:30:02 2015 +0000
committerDamien Miller <djm@mindrot.org>Mon Nov 16 11:31:41 2015 +1100
tree5204277775a7cbd10a88c9645024958f4a120665
parente41a071f7bda6af1fb3f081bed0151235fa61f15 [diff]
upstream commit

Add a new authorized_keys option "restrict" that
 includes all current and future key restrictions (no-*-forwarding, etc). Also
 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
 This simplifies the task of setting up restricted keys and ensures they are
 maximally-restricted, regardless of any permissions we might implement in the
 future.

Example:

restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...

Idea from Jann Horn; ok markus@

Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
2 files changed
tree: 5204277775a7cbd10a88c9645024958f4a120665
  1. .cvsignore
  2. CREDITS
  3. INSTALL
  4. LICENCE
  5. Makefile.in
  6. OVERVIEW
  7. PROTOCOL
  8. PROTOCOL.agent
  9. PROTOCOL.certkeys
  10. PROTOCOL.chacha20poly1305
  11. PROTOCOL.key
  12. PROTOCOL.krl
  13. PROTOCOL.mux
  14. README
  15. README.dns
  16. README.platform
  17. README.privsep
  18. README.tun
  19. TODO
  20. aclocal.m4
  21. addrmatch.c
  22. atomicio.c
  23. atomicio.h
  24. audit-bsm.c
  25. audit-linux.c
  26. audit.c
  27. audit.h
  28. auth-bsdauth.c
  29. auth-chall.c
  30. auth-krb5.c
  31. auth-options.c
  32. auth-options.h
  33. auth-pam.c
  34. auth-pam.h
  35. auth-passwd.c
  36. auth-rh-rsa.c
  37. auth-rhosts.c
  38. auth-rsa.c
  39. auth-shadow.c
  40. auth-sia.c
  41. auth-sia.h
  42. auth-skey.c
  43. auth.c
  44. auth.h
  45. auth1.c
  46. auth2-chall.c
  47. auth2-gss.c
  48. auth2-hostbased.c
  49. auth2-kbdint.c
  50. auth2-none.c
  51. auth2-passwd.c
  52. auth2-pubkey.c
  53. auth2.c
  54. authfd.c
  55. authfd.h
  56. authfile.c
  57. authfile.h
  58. bitmap.c
  59. bitmap.h
  60. blocks.c
  61. bufaux.c
  62. bufbn.c
  63. bufec.c
  64. buffer.c
  65. buffer.h
  66. buildpkg.sh.in
  67. canohost.c
  68. canohost.h
  69. chacha.c
  70. chacha.h
  71. channels.c
  72. channels.h
  73. cipher-3des1.c
  74. cipher-aes.c
  75. cipher-aesctr.c
  76. cipher-aesctr.h
  77. cipher-bf1.c
  78. cipher-chachapoly.c
  79. cipher-chachapoly.h
  80. cipher-ctr.c
  81. cipher.c
  82. cipher.h
  83. cleanup.c
  84. clientloop.c
  85. clientloop.h
  86. compat.c
  87. compat.h
  88. config.guess
  89. config.sub
  90. configure.ac
  91. contrib/
  92. crc32.c
  93. crc32.h
  94. crypto_api.h
  95. deattack.c
  96. deattack.h
  97. defines.h
  98. dh.c
  99. dh.h
  100. digest-libc.c
  101. digest-openssl.c
  102. digest.h
  103. dispatch.c
  104. dispatch.h
  105. dns.c
  106. dns.h
  107. ed25519.c
  108. entropy.c
  109. entropy.h
  110. fatal.c
  111. fe25519.c
  112. fe25519.h
  113. fixalgorithms
  114. fixpaths
  115. fixprogs
  116. ge25519.c
  117. ge25519.h
  118. ge25519_base.data
  119. groupaccess.c
  120. groupaccess.h
  121. gss-genr.c
  122. gss-serv-krb5.c
  123. gss-serv.c
  124. hash.c
  125. hmac.c
  126. hmac.h
  127. hostfile.c
  128. hostfile.h
  129. includes.h
  130. install-sh
  131. kex.c
  132. kex.h
  133. kexc25519.c
  134. kexc25519c.c
  135. kexc25519s.c
  136. kexdh.c
  137. kexdhc.c
  138. kexdhs.c
  139. kexecdh.c
  140. kexecdhc.c
  141. kexecdhs.c
  142. kexgex.c
  143. kexgexc.c
  144. kexgexs.c
  145. key.c
  146. key.h
  147. krl.c
  148. krl.h
  149. log.c
  150. log.h
  151. loginrec.c
  152. loginrec.h
  153. logintest.c
  154. mac.c
  155. mac.h
  156. match.c
  157. match.h
  158. md-sha256.c
  159. md5crypt.c
  160. md5crypt.h
  161. mdoc2man.awk
  162. misc.c
  163. misc.h
  164. mkinstalldirs
  165. moduli
  166. moduli.5
  167. moduli.c
  168. monitor.c
  169. monitor.h
  170. monitor_fdpass.c
  171. monitor_fdpass.h
  172. monitor_mm.c
  173. monitor_mm.h
  174. monitor_wrap.c
  175. monitor_wrap.h
  176. msg.c
  177. msg.h
  178. mux.c
  179. myproposal.h
  180. nchan.c
  181. nchan.ms
  182. nchan2.ms
  183. opacket.c
  184. opacket.h
  185. openbsd-compat/
  186. openssh.xml.in
  187. opensshd.init.in
  188. packet.c
  189. packet.h
  190. pathnames.h
  191. pkcs11.h
  192. platform.c
  193. platform.h
  194. poly1305.c
  195. poly1305.h
  196. progressmeter.c
  197. progressmeter.h
  198. readconf.c
  199. readconf.h
  200. readpass.c
  201. regress/
  202. rijndael.c
  203. rijndael.h
  204. roaming.h
  205. roaming_client.c
  206. roaming_common.c
  207. roaming_dummy.c
  208. roaming_serv.c
  209. rsa.c
  210. rsa.h
  211. sandbox-capsicum.c
  212. sandbox-darwin.c
  213. sandbox-null.c
  214. sandbox-pledge.c
  215. sandbox-rlimit.c
  216. sandbox-seccomp-filter.c
  217. sandbox-systrace.c
  218. sc25519.c
  219. sc25519.h
  220. scard/
  221. scp.1
  222. scp.c
  223. servconf.c
  224. servconf.h
  225. serverloop.c
  226. serverloop.h
  227. session.c
  228. session.h
  229. sftp-client.c
  230. sftp-client.h
  231. sftp-common.c
  232. sftp-common.h
  233. sftp-glob.c
  234. sftp-server-main.c
  235. sftp-server.8
  236. sftp-server.c
  237. sftp.1
  238. sftp.c
  239. sftp.h
  240. smult_curve25519_ref.c
  241. ssh-add.1
  242. ssh-add.c
  243. ssh-agent.1
  244. ssh-agent.c
  245. ssh-dss.c
  246. ssh-ecdsa.c
  247. ssh-ed25519.c
  248. ssh-gss.h
  249. ssh-keygen.1
  250. ssh-keygen.c
  251. ssh-keyscan.1
  252. ssh-keyscan.c
  253. ssh-keysign.8
  254. ssh-keysign.c
  255. ssh-pkcs11-client.c
  256. ssh-pkcs11-helper.8
  257. ssh-pkcs11-helper.c
  258. ssh-pkcs11.c
  259. ssh-pkcs11.h
  260. ssh-rsa.c
  261. ssh-sandbox.h
  262. ssh.1
  263. ssh.c
  264. ssh.h
  265. ssh1.h
  266. ssh2.h
  267. ssh_api.c
  268. ssh_api.h
  269. ssh_config
  270. ssh_config.5
  271. sshbuf-getput-basic.c
  272. sshbuf-getput-crypto.c
  273. sshbuf-misc.c
  274. sshbuf.c
  275. sshbuf.h
  276. sshconnect.c
  277. sshconnect.h
  278. sshconnect1.c
  279. sshconnect2.c
  280. sshd.8
  281. sshd.c
  282. sshd_config
  283. sshd_config.5
  284. ssherr.c
  285. ssherr.h
  286. sshkey.c
  287. sshkey.h
  288. sshlogin.c
  289. sshlogin.h
  290. sshpty.c
  291. sshpty.h
  292. sshtty.c
  293. survey.sh.in
  294. ttymodes.c
  295. ttymodes.h
  296. uidswap.c
  297. uidswap.h
  298. umac.c
  299. umac.h
  300. uuencode.c
  301. uuencode.h
  302. verify.c
  303. version.h
  304. xmalloc.c
  305. xmalloc.h