profiles: restore entries for ssh-related paths

This partially reverts commit d94f54736 ("disable all ssh utilities in
disable-common.inc", 2023-08-20).

Certain files in ~/.ssh are only used by sshd (not by ssh), so always
blacklist them.

Also, ssh itself does not need write access to the configuration files,
so make them read-only by default.

For details, see commit 2ec3f3a96 ("disable-common.inc: add missing
openssh paths", 2021-01-09) / PR #3885.

Cc: @netblue30

1 files changed, 7 insertions, 1 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index faed10008..010cb05b6 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -319,9 +319,13 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
-# Remote access - ${HOME}/.ssh directory blacklisted in top secret section below
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
 
 # Initialization files that allow arbitrary command execution
@@ -354,6 +358,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo