diff options
author | djm@openbsd.org <djm@openbsd.org> | 2022-11-28 01:37:36 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2022-11-30 12:16:08 +1100 |
commit | f7cebbbf407d772ed71403d314343766782fe540 (patch) | |
tree | dfda77bb010623650d4ae80ae539d6542e52641d /clientloop.c | |
parent | d323f7ecf52e3d4ec1f4939bf31693e02f891dca (diff) | |
download | openssh-git-f7cebbbf407d772ed71403d314343766782fe540.tar.gz |
upstream: New EnableEscapeCommandline ssh_config(5) option
This option (default "no") controls whether the ~C escape is available.
Turning it off by default means we will soon be able to use a stricter
default pledge(2) in the client.
feedback deraadt@ dtucker@; tested in snaps for a while
OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a
Diffstat (limited to 'clientloop.c')
-rw-r--r-- | clientloop.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/clientloop.c b/clientloop.c index 02349ccb..3cc185b6 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.383 2022/11/28 01:37:36 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -887,6 +887,7 @@ out: #define SUPPRESS_MUXCLIENT 1 /* don't show in mux client sessions */ #define SUPPRESS_MUXMASTER 2 /* don't show in mux master sessions */ #define SUPPRESS_SYSLOG 4 /* don't show when logging to syslog */ +#define SUPPRESS_NOCMDLINE 8 /* don't show when cmdline disabled*/ struct escape_help_text { const char *cmd; const char *text; @@ -897,7 +898,7 @@ static struct escape_help_text esc_txt[] = { {".", "terminate connection (and any multiplexed sessions)", SUPPRESS_MUXCLIENT}, {"B", "send a BREAK to the remote system", SUPPRESS_NEVER}, - {"C", "open a command line", SUPPRESS_MUXCLIENT}, + {"C", "open a command line", SUPPRESS_MUXCLIENT|SUPPRESS_NOCMDLINE}, {"R", "request rekey", SUPPRESS_NEVER}, {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, @@ -921,7 +922,8 @@ print_escape_help(struct sshbuf *b, int escape_char, int mux_client, suppress_flags = (mux_client ? SUPPRESS_MUXCLIENT : 0) | (mux_client ? 0 : SUPPRESS_MUXMASTER) | - (using_stderr ? 0 : SUPPRESS_SYSLOG); + (using_stderr ? 0 : SUPPRESS_SYSLOG) | + (options.enable_escape_commandline == 0 ? SUPPRESS_NOCMDLINE : 0); for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { if (esc_txt[i].flags & suppress_flags) @@ -1115,6 +1117,12 @@ process_escapes(struct ssh *ssh, Channel *c, case 'C': if (c && c->ctl_chan != -1) goto noescape; + if (options.enable_escape_commandline == 0) { + if ((r = sshbuf_putf(berr, + "commandline disabled\r\n")) != 0) + fatal_fr(r, "sshbuf_putf"); + continue; + } process_cmdline(ssh); continue; |