diff options
| author | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2008-05-19 14:57:41 +1000 |
| commit | 4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 (patch) | |
| tree | 73c05a3429a9d63d32b373fd3bd92900d43883da /session.c | |
| parent | bacb7fbd7e7716a4d3148769d43d8896cbfb2c54 (diff) | |
| download | openssh-git-4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0.tar.gz | |
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } |