From 846d38fe4319c517683ac3df1796b3bc0180be14 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sat, 1 May 2021 20:47:15 +0800 Subject: Add "restrict" authorized_keys option --- dropbear.8 | 4 ++++ svr-authpubkeyoptions.c | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/dropbear.8 b/dropbear.8 index 75b62b1..0348e26 100644 --- a/dropbear.8 +++ b/dropbear.8 @@ -134,6 +134,10 @@ Don't allow X11 forwarding for this connection Disable PTY allocation. Note that a user can still obtain most of the same functionality with other means even if no-pty is set. +.TP +.B restrict +Applies all the no- restrictions listed above. + .TP .B command=\fR"\fIforced_command\fR" Disregard the command provided by the user and always run \fIforced_command\fR. diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c index 4f0c943..7ddf680 100644 --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -166,6 +166,18 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena ses.authstate.pubkey_options->no_pty_flag = 1; goto next_option; } + if (match_option(options_buf, "restrict") == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Restrict option set"); + ses.authstate.pubkey_options->no_port_forwarding_flag = 1; +#if DROPBEAR_SVR_AGENTFWD + ses.authstate.pubkey_options->no_agent_forwarding_flag = 1; +#endif +#if DROPBEAR_X11FWD + ses.authstate.pubkey_options->no_x11_forwarding_flag = 1; +#endif + ses.authstate.pubkey_options->no_pty_flag = 1; + goto next_option; + } if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) { int escaped = 0; const unsigned char* command_start = buf_getptr(options_buf, 0); -- cgit v1.2.3