This option (default "no") controls whether the ~C escape is available.
Turning it off by default means we will soon be able to use a stricter
default pledge(2) in the client.
feedback deraadt@ dtucker@; tested in snaps for a while
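--- a/clientloop.c
+++ b/clientloop.c
-/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.383 2022/11/28 01:37:36 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 #define SUPPRESS_MUXCLIENT 1 /* don't show in mux client sessions */
 #define SUPPRESS_MUXMASTER 2 /* don't show in mux master sessions */
 #define SUPPRESS_SYSLOG 4 /* don't show when logging to syslog */
+#define SUPPRESS_NOCMDLINE 8 /* don't show when cmdline disabled*/
 struct escape_help_text {
 const char *cmd;
 const char *text;
 {".", "terminate connection (and any multiplexed sessions)",
 SUPPRESS_MUXCLIENT},
 {"B", "send a BREAK to the remote system", SUPPRESS_NEVER},
- {"C", "open a command line", SUPPRESS_MUXCLIENT},
+ {"C", "open a command line", SUPPRESS_MUXCLIENT|SUPPRESS_NOCMDLINE},
 {"R", "request rekey", SUPPRESS_NEVER},
 {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT},
 {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT},
 suppress_flags =
 (mux_client ? SUPPRESS_MUXCLIENT : 0) |
 (mux_client ? 0 : SUPPRESS_MUXMASTER) |
- (using_stderr ? 0 : SUPPRESS_SYSLOG);
+ (using_stderr ? 0 : SUPPRESS_SYSLOG) |
+ (options.enable_escape_commandline == 0 ? SUPPRESS_NOCMDLINE : 0);
 for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) {
 if (esc_txt[i].flags & suppress_flags)
 case 'C':
 if (c && c->ctl_chan != -1)
 goto noescape;
+ if (options.enable_escape_commandline == 0) {
+ if ((r = sshbuf_putf(berr,
+ "commandline disabled\r\n")) != 0)
+ fatal_fr(r, "sshbuf_putf");
+ continue;
+ }
 process_cmdline(ssh);
 continue;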
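Review bot: The `commandline disabled` message in the new `case 'C'` guard does not name the option that controls it, and because `SUPPRESS_NOCMDLINE` also removes the `C` entry from the escape help listing, a user at the terminal has no in-session way to learn why `~C` stopped working; `"commandline disabled (see EnableEscapeCommandline)\r\n"` would keep the message self-explanatory. The guard swallows the escape sequence rather than forwarding it the way the mux-client check just above does with `goto noescape`; the asymmetry looks deliberate, but a short comment such as `/* escape is consumed, not forwarded, when the command line is disabled */` would record that. The comment on the new `SUPPRESS_NOCMDLINE` define is missing a space before the closer: `/* don't show when cmdline disabled */`. The function containing `case 'C'` starts and ends outside the hunk.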
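--- a/readconf.c
+++ b/readconf.c
-/* $OpenBSD: readconf.c,v 1.369 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.370 2022/11/28 01:37:36 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 oFingerprintHash, oUpdateHostkeys, oHostbasedAcceptedAlgorithms,
 oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
+ oEnableEscapeCommandline,
 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 { "securitykeyprovider", oSecurityKeyProvider },
 { "knownhostscommand", oKnownHostsCommand },
 { "requiredrsasize", oRequiredRSASize },
+ { "enableescapecommandline", oEnableEscapeCommandline },
 { NULL, oBadOption }
 };
 *charptr = xstrdup(arg);
 break;
+ case oEnableEscapeCommandline:
+ intptr = &options->enable_escape_commandline;
+ goto parse_flag;
+
 case oRequiredRSASize:
 intptr = &options->required_rsa_size;
 goto parse_int;
 options->pubkey_accepted_algos = NULL;
 options->known_hosts_command = NULL;
 options->required_rsa_size = -1;
+ options->enable_escape_commandline = -1;
 }
 /*
 options->sk_provider = xstrdup("internal");
 if (options->required_rsa_size == -1)
 options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
+ if (options->enable_escape_commandline == -1)
+ options->enable_escape_commandline = 0;
 /* Expand KEX name lists */
 all_cipher = cipher_alg_list(',', 0);
 dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
 dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
 dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
+ dump_cfg_fmtint(oEnableEscapeCommandline, o->enable_escape_commandline);
 /* Integer options */
 dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);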
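--- a/readconf.h
+++ b/readconf.h
-/* $OpenBSD: readconf.h,v 1.148 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.149 2022/11/28 01:37:36 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 char *known_hosts_command;
 int required_rsa_size; /* minimum size of RSA keys */
+ int enable_escape_commandline; /* ~C commandline */
 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 } Options;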
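Review bot: The comment on the new `enable_escape_commandline` field, `/* ~C commandline */`, names the escape but not what the value means, unlike the neighbouring `required_rsa_size` comment which states its semantics; `/* allow ~C to open the escape command line (EnableEscapeCommandline) */` would say what a non-zero value enables. The `Options` struct definition starts outside the hunk.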
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.432 2022/09/17 10:33:18 djm Exp $
-.Dd $Mdocdate: September 17 2022 $
+.\" $OpenBSD: ssh.1,v 1.433 2022/11/28 01:37:36 djm Exp $
+.Dd $Mdocdate: November 28 2022 $
.Dt SSH 1
.Os
.Sh NAME
.It ControlPath
.It ControlPersist
.It DynamicForward
+.It EnableEscapeCommandline
.It EscapeChar
.It ExitOnForwardFailure
.It FingerprintHash
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.375 2022/11/07 10:09:28 dtucker Exp $
-.Dd $Mdocdate: November 7 2022 $
+.\" $OpenBSD: ssh_config.5,v 1.376 2022/11/28 01:37:36 djm Exp $
+.Dd $Mdocdate: November 28 2022 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
Multiple forwardings may be specified, and
additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
+.It Cm EnableEscapeCommandline
+Enables the command line option in the
+.Cm EscapeChar
+menu for interactive sessions (default
+.Ql ~C ) .
+By default, the command line is disabled.
.It Cm EnableSSHKeysign
Setting this option to
.Cm yes