Hi Matt,

On Mon, 15 Jun 2020 at 23:52:51 +0800, Matt Johnston wrote:
> Dropbear 2020.79 is now released.

\o/ congrats!

> - […] x11 forwarding are now disabled by default.

I have no opinion about disabling this at compile-time, however the current implementation locks out (“Bad public key options”) users with ‘no-X11-forwarding’ in their authorized_keys(5) files. Wouldn't it make sense to move the #ifdefs to make the option a no-op instead? (Same thing for ‘no-agent-forwarding’ actually.)

Attached is the patch I applied to “fix” the regression in the Debian package.

Cheers
-- 
Guilhem.

From: Guilhem Moulin <guil...@debian.org> Date: Tue, 16 Jun 2020 00:32:28 +0200 Subject: Don't choke on disabled authorized_keys(5) options As of 2020.79 X11 forwarding is disabled at build time, which could lock out users with authorized_keys(5) files containing ‘no-X11-forwarding’ options. --- svr-authpubkeyoptions.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -147,20 +147,20 @@ int svr_add_pubkey_options(buffer *optio ses.authstate.pubkey_options->no_port_forwarding_flag = 1; goto next_option; } -#if DROPBEAR_SVR_AGENTFWD if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) { +#if DROPBEAR_SVR_AGENTFWD dropbear_log(LOG_WARNING, "Agent forwarding disabled."); ses.authstate.pubkey_options->no_agent_forwarding_flag = 1; +#endif goto next_option; } -#endif -#if DROPBEAR_X11FWD if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) { +#if DROPBEAR_X11FWD dropbear_log(LOG_WARNING, "X11 forwarding disabled."); ses.authstate.pubkey_options->no_x11_forwarding_flag = 1; +#endif goto next_option; } -#endif if (match_option(options_buf, "no-pty") == DROPBEAR_SUCCESS) { dropbear_log(LOG_WARNING, "Pty allocation disabled."); ses.authstate.pubkey_options->no_pty_flag = 1;
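
Review bot: in both the "no-agent-forwarding" and "no-X11-forwarding" branches, moving the #if inside the braces leaves a body of only "goto next_option;" when DROPBEAR_SVR_AGENTFWD or DROPBEAR_X11FWD is off, and nothing in the code says the option is being accepted and ignored on purpose. A one-line comment in each branch (or an #else with a low-priority log message) would record that skipping the flag is safe only because the corresponding forwarding code is compiled out, so the restriction is already satisfied. That also guards against someone later moving the #if/#endif back around the whole if block and bringing back the "Bad public key options" rejection described in the commit message.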