Add a sshd_config "RefuseConnection" option
authordjm <djm@openbsd.org>
Sun, 15 Sep 2024 01:09:40 +0000 (01:09 +0000)
committerdjm <djm@openbsd.org>
Sun, 15 Sep 2024 01:09:40 +0000 (01:09 +0000)
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)

ok markus@

usr.bin/ssh/monitor.c
usr.bin/ssh/servconf.c
usr.bin/ssh/servconf.h
usr.bin/ssh/srclimit.h
usr.bin/ssh/sshd_config.5

index be2981e..6d34e72 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -81,6 +81,7 @@
 #include "match.h"
 #include "ssherr.h"
 #include "sk-api.h"
+#include "srclimit.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -723,6 +724,15 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
        ssh_packet_set_log_preamble(ssh, "%suser %s",
            authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
 
+       if (options.refuse_connection) {
+               logit("administratively prohibited connection for "
+                   "%s%s from %.128s port %d",
+                   authctxt->valid ? "" : "invalid user ",
+                   authctxt->user, ssh_remote_ipaddr(ssh),
+                   ssh_remote_port(ssh));
+               cleanup_exit(EXIT_CONFIG_REFUSED);
+       }
+
        /* Send active options to unpriv */
        mm_encode_server_options(m);
 
index 1ee0abb..e9dc374 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.414 2024/09/15 00:58:01 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -190,6 +190,7 @@ initialize_server_options(ServerOptions *options)
        options->num_channel_timeouts = 0;
        options->unused_connection_timeout = -1;
        options->sshd_session_path = NULL;
+       options->refuse_connection = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -457,6 +458,8 @@ fill_default_server_options(ServerOptions *options)
                options->unused_connection_timeout = 0;
        if (options->sshd_session_path == NULL)
                options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+       if (options->refuse_connection == -1)
+               options->refuse_connection = 0;
 
        assemble_algorithms(options);
 
@@ -536,7 +539,7 @@ typedef enum {
        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
        sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
        sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
-       sSshdSessionPath,
+       sSshdSessionPath, sRefuseConnection,
        sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -686,6 +689,7 @@ static struct {
        { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
        { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
        { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+       { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
        { NULL, sBadOption, 0 }
 };
 
@@ -2575,6 +2579,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                charptr = &options->sshd_session_path;
                goto parse_filename;
 
+       case sRefuseConnection:
+               intptr = &options->refuse_connection;
+               multistate_ptr = multistate_flag;
+               goto parse_multistate;
+
        case sDeprecated:
        case sIgnore:
        case sUnsupported:
@@ -2790,6 +2799,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
        M_CP_INTOPT(log_level);
        M_CP_INTOPT(required_rsa_size);
        M_CP_INTOPT(unused_connection_timeout);
+       M_CP_INTOPT(refuse_connection);
 
        /*
         * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -3112,6 +3122,7 @@ dump_config(ServerOptions *o)
        dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
        dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
        dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+       dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
 
        /* string arguments */
        dump_cfg_string(sPidFile, o->pid_file);
index 442dacd..69dfccf 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -245,6 +245,8 @@ typedef struct {
        int     unused_connection_timeout;
 
        char   *sshd_session_path;
+
+       int     refuse_connection;
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */
index 74a6f2b..1316451 100644 (file)
@@ -32,6 +32,7 @@ void  srclimit_done(int);
 #define EXIT_LOGIN_GRACE       3       /* login grace period exceeded */
 #define EXIT_CHILD_CRASH       4       /* preauth child crashed */
 #define EXIT_AUTH_ATTEMPTED    5       /* at least one auth attempt made */
+#define EXIT_CONFIG_REFUSED    6       /* sshd_config RefuseConnection */
 
 void   srclimit_penalise(struct xaddr *, int);
 int    srclimit_penalty_check_allow(int, const char **);
index 41675a1..42131f6 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
-.Dd $Mdocdate: September 9 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1325,6 +1325,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm PubkeyAuthOptions ,
 .Cm RekeyLimit ,
+.Cm RefuseConnection ,
 .Cm RevokedKeys ,
 .Cm RDomain ,
 .Cm SetEnv ,
@@ -1754,6 +1755,13 @@ options have any effect for other, non-FIDO, public key types.
 Specifies whether public key authentication is allowed.
 The default is
 .Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+This option is only really useful in a
+.Cm Match
+block.
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum