mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-27 05:46:36 +08:00
upstream: Add a sshd_config "RefuseConnection" option
If set, this will terminate the connection at the first authentication request (this is the earliest we can evaluate sshd_config Match blocks) ok markus@ OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
This commit is contained in:
parent
acad117e66
commit
8d21713b66
12
monitor.c
12
monitor.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -96,6 +96,7 @@
|
||||
#include "match.h"
|
||||
#include "ssherr.h"
|
||||
#include "sk-api.h"
|
||||
#include "srclimit.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
static Gssctxt *gsscontext = NULL;
|
||||
@ -797,6 +798,15 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
ssh_packet_set_log_preamble(ssh, "%suser %s",
|
||||
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
|
||||
|
||||
if (options.refuse_connection) {
|
||||
logit("administratively prohibited connection for "
|
||||
"%s%s from %.128s port %d",
|
||||
authctxt->valid ? "" : "invalid user ",
|
||||
authctxt->user, ssh_remote_ipaddr(ssh),
|
||||
ssh_remote_port(ssh));
|
||||
cleanup_exit(EXIT_CONFIG_REFUSED);
|
||||
}
|
||||
|
||||
/* Send active options to unpriv */
|
||||
mm_encode_server_options(m);
|
||||
|
||||
|
15
servconf.c
15
servconf.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.c,v 1.414 2024/09/15 00:58:01 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -213,6 +213,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->num_channel_timeouts = 0;
|
||||
options->unused_connection_timeout = -1;
|
||||
options->sshd_session_path = NULL;
|
||||
options->refuse_connection = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@ -489,6 +490,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->unused_connection_timeout = 0;
|
||||
if (options->sshd_session_path == NULL)
|
||||
options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
|
||||
if (options->refuse_connection == -1)
|
||||
options->refuse_connection = 0;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@ -571,7 +574,7 @@ typedef enum {
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
||||
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
|
||||
sSshdSessionPath,
|
||||
sSshdSessionPath, sRefuseConnection,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@ -739,6 +742,7 @@ static struct {
|
||||
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
|
||||
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
|
||||
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
|
||||
{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@ -2655,6 +2659,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
charptr = &options->sshd_session_path;
|
||||
goto parse_filename;
|
||||
|
||||
case sRefuseConnection:
|
||||
intptr = &options->refuse_connection;
|
||||
multistate_ptr = multistate_flag;
|
||||
goto parse_multistate;
|
||||
|
||||
case sDeprecated:
|
||||
case sIgnore:
|
||||
case sUnsupported:
|
||||
@ -2870,6 +2879,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(log_level);
|
||||
M_CP_INTOPT(required_rsa_size);
|
||||
M_CP_INTOPT(unused_connection_timeout);
|
||||
M_CP_INTOPT(refuse_connection);
|
||||
|
||||
/*
|
||||
* The bind_mask is a mode_t that may be unsigned, so we can't use
|
||||
@ -3200,6 +3210,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
|
||||
dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -248,6 +248,8 @@ typedef struct {
|
||||
int unused_connection_timeout;
|
||||
|
||||
char *sshd_session_path;
|
||||
|
||||
int refuse_connection;
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
|
@ -32,6 +32,7 @@ void srclimit_done(int);
|
||||
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
|
||||
#define EXIT_CHILD_CRASH 4 /* preauth child crashed */
|
||||
#define EXIT_AUTH_ATTEMPTED 5 /* at least one auth attempt made */
|
||||
#define EXIT_CONFIG_REFUSED 6 /* sshd_config RefuseConnection */
|
||||
|
||||
void srclimit_penalise(struct xaddr *, int);
|
||||
int srclimit_penalty_check_allow(int, const char **);
|
||||
|
@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
|
||||
.Dd $Mdocdate: September 9 2024 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
|
||||
.Dd $Mdocdate: September 15 2024 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -1325,6 +1325,7 @@ Available keywords are
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm PubkeyAuthOptions ,
|
||||
.Cm RekeyLimit ,
|
||||
.Cm RefuseConnection ,
|
||||
.Cm RevokedKeys ,
|
||||
.Cm RDomain ,
|
||||
.Cm SetEnv ,
|
||||
@ -1761,6 +1762,13 @@ options have any effect for other, non-FIDO, public key types.
|
||||
Specifies whether public key authentication is allowed.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm RefuseConnection
|
||||
Indicates that
|
||||
.Xr sshd 8
|
||||
should unconditionally terminate the connection.
|
||||
This option is only really useful in a
|
||||
.Cm Match
|
||||
block.
|
||||
.It Cm RekeyLimit
|
||||
Specifies the maximum amount of data that may be transmitted or received
|
||||
before the session key is renegotiated, optionally followed by a maximum
|
||||
|
Loading…
Reference in New Issue
Block a user