-/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "srclimit.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
+ if (options.refuse_connection) {
+ logit("administratively prohibited connection for "
+ "%s%s from %.128s port %d",
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user, ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh));
+ cleanup_exit(EXIT_CONFIG_REFUSED);
+ }
+
/* Send active options to unpriv */
mm_encode_server_options(m);
-/* $OpenBSD: servconf.c,v 1.414 2024/09/15 00:58:01 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
options->num_channel_timeouts = 0;
options->unused_connection_timeout = -1;
options->sshd_session_path = NULL;
+ options->refuse_connection = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
options->unused_connection_timeout = 0;
if (options->sshd_session_path == NULL)
options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+ if (options->refuse_connection == -1)
+ options->refuse_connection = 0;
assemble_algorithms(options);
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
- sSshdSessionPath,
+ sSshdSessionPath, sRefuseConnection,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
charptr = &options->sshd_session_path;
goto parse_filename;
+ case sRefuseConnection:
+ intptr = &options->refuse_connection;
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
M_CP_INTOPT(log_level);
M_CP_INTOPT(required_rsa_size);
M_CP_INTOPT(unused_connection_timeout);
+ M_CP_INTOPT(refuse_connection);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
-.Dd $Mdocdate: September 9 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
+.Cm RefuseConnection ,
.Cm RevokedKeys ,
.Cm RDomain ,
.Cm SetEnv ,
Specifies whether public key authentication is allowed.
The default is
.Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+This option is only really useful in a
+.Cm Match
+block.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum