authorMatt Johnston <matt@ucc.asn.au>2021-05-01 20:47:15 +0800
committerMatt Johnston <matt@ucc.asn.au>2021-05-01 20:47:15 +0800
commit846d38fe4319c517683ac3df1796b3bc0180be14 (patch)
tree77abebfec5f25f08191d1e3566cba7af42d992fe
parenta8d6dac2c53f430bb5721f913478bd294d8b52da (diff)
Add "restrict" authorized_keys option
-rw-r--r--dropbear.84
-rw-r--r--svr-authpubkeyoptions.c12
2 files changed, 16 insertions, 0 deletions
diff --git a/dropbear.8 b/dropbear.8
index 75b62b1..0348e26 100644
--- a/dropbear.8
+++ b/dropbear.8
@@ -135,6 +135,10 @@ Disable PTY allocation. Note that a user can still obtain most of the
same functionality with other means even if no-pty is set.
.TP
+.B restrict
+Applies all the no- restrictions listed above.
+
+.TP
.B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR.
The -c command line option overrides this.
diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
index 4f0c943..7ddf680 100644
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -166,6 +166,18 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option;
}
+ if (match_option(options_buf, "restrict") == DROPBEAR_SUCCESS) {
+ dropbear_log(LOG_WARNING, "Restrict option set");
+ ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
+#if DROPBEAR_SVR_AGENTFWD
+ ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
+#endif
+#if DROPBEAR_X11FWD
+ ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
+#endif
+ ses.authstate.pubkey_options->no_pty_flag = 1;
+ goto next_option;
+ }
if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
int escaped = 0;
const unsigned char* command_start = buf_getptr(options_buf, 0);
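Review bot: The `dropbear_log(LOG_WARNING, "Restrict option set")` line in the new restrict branch is out of step with the sibling no-* branches (the no-pty branch just above only sets its flag and jumps to next_option), and it fires on every public-key authentication with such a key, so it reads as a debugging leftover that will add warning-level noise to the server log and make real warnings easier to miss. I would drop the line, or demote it to the file's trace facility if one is in use here (the hunk does not show it). Since this option is meant to be a superset of every no-* restriction documented in dropbear.8, a short comment would keep the two in sync as options are added, e.g. `/* "restrict" must set every no-* flag; keep in step with dropbear.8 */` above the first flag assignment. svr_add_pubkey_options begins and ends outside this hunk, so I cannot confirm whether the #if guards here match the ones on the standalone no-agent-forwarding and no-X11-forwarding branches, which they should.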