From: Ian Jackson Date: Tue, 8 Jun 2021 18:55:42 +0000 (+0100) Subject: ssh: Make ssh_restrictions configurable X-Git-Tag: otter-0.7.0~4 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=8f670505155a0a6be1a1538336d91eddbf2f2557;p=otter.git ssh: Make ssh_restrictions configurable Signed-off-by: Ian Jackson --- diff --git a/src/config.rs b/src/config.rs index 53c2b04b..d200f370 100644 --- a/src/config.rs +++ b/src/config.rs @@ -44,6 +44,7 @@ pub struct ServerConfigSpec { /// for auth keys, split on spaces pub ssh_proxy_command: Option, pub ssh_proxy_user: Option, + pub ssh_restrictions: Option, pub authorized_keys: Option, pub authorized_keys_include: Option, pub debug_js_inject_file: Option, @@ -78,6 +79,7 @@ pub struct ServerConfig { pub sendmail: String, pub ssh_proxy_bin: String, pub ssh_proxy_uid: Uid, + pub ssh_restrictions: String, pub authorized_keys: String, pub authorized_keys_include: String, pub debug_js_inject: Arc, @@ -134,7 +136,7 @@ impl ServerConfigSpec { template_dir, specs_dir, nwtemplate_dir, wasm_dir, libexec_dir, usvg_bin, log, bundled_sources, shapelibs, sendmail, debug_js_inject_file, check_bundled_sources, fake_rng, - ssh_proxy_command, ssh_proxy_user, authorized_keys, + ssh_proxy_command, ssh_proxy_user, ssh_restrictions, authorized_keys, authorized_keys_include, } = self; @@ -172,6 +174,10 @@ impl ServerConfigSpec { let usvg_bin = in_libexec(usvg_bin, "usvg" ); let ssh_proxy_bin = in_libexec(ssh_proxy_command, DEFAULT_SSH_PROXY_CMD ); + let ssh_restrictions = ssh_restrictions.unwrap_or_else( + || concat!("restrict,no-agent-forwarding,no-port-forwarding,", + "no-pty,no-user-rc,no-X11-forwarding").into()); + let authorized_keys = if let Some(ak) = authorized_keys { ak } else { let home = home().context("for authorized_keys")?; // we deliberately don't create the ~/.ssh dir 
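Review bot: The new `ssh_restrictions` field in `ServerConfigSpec` has no doc comment, although it decides which sshd options every generated authorized_keys entry carries. I would add `/// sshd authorized_keys options written before command= on every generated key line; if set, this replaces the built-in default list entirely (including "restrict")`. Stating that it replaces rather than extends the default matters, because an operator who sets it to add one option would otherwise silently drop the rest. The struct body starts and ends outside this hunk.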
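Review bot: The configured `ssh_restrictions` value is accepted as-is after `unwrap_or_else`, and the write_keys hunk in src/sshkeys.rs later writes it verbatim at the start of each authorized_keys line. An empty string would leave each line starting with a bare comma, and a value containing a newline would split the entry across two lines, so a config typo could change what sshd enforces for these keys or, presumably, make it skip them. I would check the value right after the default is applied, e.g. `if ssh_restrictions.is_empty() || ssh_restrictions.contains(char::is_control) { ... }`, returning a config error in whatever form this function already uses. An unquoted space breaks the field in the same way, but rejecting it needs care because quoted option values may legitimately contain spaces. The enclosing function starts and ends outside this hunk.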
@@ -285,7 +291,8 @@ impl ServerConfigSpec { template_dir, specs_dir, nwtemplate_dir, wasm_dir, libexec_dir, bundled_sources, shapelibs, sendmail, usvg_bin, debug_js_inject, check_bundled_sources, game_rng, prctx, - ssh_proxy_bin, ssh_proxy_uid, authorized_keys, authorized_keys_include, + ssh_proxy_bin, ssh_proxy_uid, ssh_restrictions, + authorized_keys, authorized_keys_include, }; trace_dbg!("config resolved", &server); Ok(WholeServerConfig { diff --git a/src/sshkeys.rs b/src/sshkeys.rs index b0dc191a..a1e6525e 100644 --- a/src/sshkeys.rs +++ b/src/sshkeys.rs @@ -6,10 +6,6 @@ use crate::prelude::*; visible_slotmap_key!{ Id(b'k') } -static RESTRICTIONS: &str = - concat!("restrict,no-agent-forwarding,no-port-forwarding,", - "no-pty,no-user-rc,no-X11-forwarding"); - static MAGIC_BANNER: &str = "# WARNING - FILE AUTOMATICALLY GENERATED BY OTTER - DO NOT EDIT"; @@ -451,13 +447,15 @@ impl Global { #[throws(AuthKeysManipError)] fn write_keys(&self, w: &mut BufWriter) { + let config = config(); + for (id, key) in &self.keys { let fp = match key.fp { Some(Ok(ref fp)) => fp, _ => continue }; if key.refcount == 0 { continue } writeln!(w, r#"{},command="{} mgmtchannel-proxy --restrict-ssh {}:{}" {} {}:{}"#, - RESTRICTIONS, - &config().ssh_proxy_bin, id, key.nonce, + &config.ssh_restrictions, + &config.ssh_proxy_bin, id, key.nonce, &key.data, key.refcount, &fp) .context("write new auth keys")?;
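Review bot: `config.ssh_proxy_bin` is interpolated inside the quoted `command="..."` option of the `writeln!` format string without escaping. The value comes from operator config (via `in_libexec` in src/config.rs, as far as the visible hunks show), so this is a robustness point rather than an untrusted-input one. A path containing `"` or a newline would still end the option early and produce a malformed key line, or one whose forced command is not the intended one. Rejecting such characters when the config is resolved would keep every line written here well-formed. write_keys continues past the end of this hunk.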