author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-10 14:29:14 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
commit | f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1 (patch) | |
tree | fc67cd9073f5f3ef7b7ba3944fb1c75e93dcb260 /etc/profile-m-z/ssh.profile | |
parent | allow-ssh.inc: allow /etc/ssh/ssh_config (diff) | |
download | firejail-f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1.tar.gz firejail-f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1.tar.zst firejail-f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1.zip |
ssh: deny access to the rest of /etc/ssh/*

ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1). The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile. Path examples from
sshd(8):

* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc

$ pacman -Q openssh
openssh 8.4p1-2
Diffstat (limited to 'etc/profile-m-z/ssh.profile')
-rw-r--r-- | etc/profile-m-z/ssh.profile | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index eb7bc3ec5..3ddd96df4 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -7,7 +7,6 @@ include ssh.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist /etc/ssh/* | ||
11 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
12 | # nc can be used as ProxyCommand, e.g. when using tor | 11 | # nc can be used as ProxyCommand, e.g. when using tor |
13 | noblacklist ${PATH}/nc | 12 | noblacklist ${PATH}/nc |
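Review bot: Removing `noblacklist /etc/ssh/*` (old line 10) also stops allowing /etc/ssh/ssh_known_hosts, which the commit message lists as sshd-only, but ssh(1) reads that path too: it is the default system-wide known-hosts file (GlobalKnownHostsFile). On hosts that distribute pinned host keys there, the sandboxed client would lose them and fall back to per-user trust-on-first-use prompts, which weakens host verification rather than tightening it. The same applies to any drop-in files that /etc/ssh/ssh_config pulls in via an Include directive from elsewhere under /etc/ssh. Consider adding a narrow `noblacklist /etc/ssh/ssh_known_hosts` (and the include directory, where a distribution uses one) next to the ssh_config entry in allow-ssh.inc, so the host keys, moduli and sshd_config stay denied while client-side verification data remains readable. A short comment at this spot in ssh.profile pointing to allow-ssh.inc would also help readers see where the remaining /etc/ssh access comes from.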