ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-02-07 13:21:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add "restrict" authorized_keys option

Browse Source
This commit is contained in:
Matt Johnston 2021-05-01 20:47:15 +08:00
parent a8d6dac2c5
commit 846d38fe43
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dropbear.8
View File

@ -134,6 +134,10 @@ Don't allow X11 forwarding for this connection
Disable PTY allocation. Note that a user can still obtain most of the Disable PTY allocation. Note that a user can still obtain most of the
same functionality with other means even if no-pty is set. same functionality with other means even if no-pty is set.
.TP
.B restrict
Applies all the no- restrictions listed above.
.TP .TP
.B command=\fR"\fIforced_command\fR" .B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR. Disregard the command provided by the user and always run \fIforced_command\fR.

12
svr-authpubkeyoptions.c
View File

@ -166,6 +166,18 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
ses.authstate.pubkey_options->no_pty_flag = 1; ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option; goto next_option;
} }
if (match_option(options_buf, "restrict") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Restrict option set");
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
#if DROPBEAR_SVR_AGENTFWD
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
#endif
#if DROPBEAR_X11FWD
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
#endif
ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option;
}
if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) { if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
int escaped = 0; int escaped = 0;
const unsigned char* command_start = buf_getptr(options_buf, 0); const unsigned char* command_start = buf_getptr(options_buf, 0);