Date:      Mon, 14 Apr 2025 19:25:29 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c976df712c0f - stable/13 - OpenSSH: Fix logic error in DisableForwarding option
Message-ID:  <202504141925.53EJPTcY030977@gitrepo.freebsd.org>

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=c976df712c0f64d43970be7036301ce7cf558a78

commit c976df712c0f64d43970be7036301ce7cf558a78
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-04-09 14:54:46 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-04-14 19:25:13 +0000

    OpenSSH: Fix logic error in DisableForwarding option
    
    This option was documented as disabling X11 and agent forwarding but it
    failed to do so.  Spotted by Tim Rice.
    
    Obtained from:  OpenBSD d31ec64016fc
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 3620d70511dc8bf45752028dac0af6f157ec6146)
    (cherry picked from commit fcda475ccfcabe6f70e6ef25ccd507ac4b92c1ee)
---
 crypto/openssh/session.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 591f1e329a8d..03a20f9d9648 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -2194,7 +2194,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 	if (!auth_opts->permit_agent_forwarding_flag ||
-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
 		debug_f("agent forwarding disabled");
 		return 0;
 	}
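Review bot: The new options.disable_forwarding test in session_auth_agent_req() is repeated at the call site rather than applied once, so the override only holds in handlers that remember to check it, and this diff touches only the agent and X11 paths. Consider folding DisableForwarding into the individual forwarding flags when the server configuration is finalised, so each handler has a single flag to test, or at least confirm that every other forwarding request handler already checks it. The debug_f("agent forwarding disabled") text also does not say which of the three conditions refused the request; naming DisableForwarding there would make the reason visible in logs.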
@@ -2589,7 +2590,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
 		return 0;
 	}
-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
 		debug("X11 forwarding disabled in server configuration file.");
 		return 0;
 	}
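Review bot: No test accompanies the changed condition in session_setup_x11fwd(); the diffstat shows only session.c modified, so nothing stops this documented behaviour from silently regressing again. A regression test that sets DisableForwarding yes together with X11Forwarding yes and AllowAgentForwarding yes, then checks that both the X11 and agent requests are refused, would cover both hunks. Separately, the key-options branch just above reports the refusal to the client with ssh_packet_send_debug(), while this branch only logs server-side with debug(); if that difference is intentional, a short comment saying so would help.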


