From 5ba5ed07640eae8f94e8bcdaff1573a5161339e3 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 21 Aug 2023 10:21:11 -0300
Subject: profiles: restore entries for ssh-related paths

This partially reverts commit d94f54736 ("disable all ssh utilities in disable-common.inc", 2023-08-20).

Certain files in ~/.ssh are only used by sshd (not by ssh), so always blacklist them.

Also, ssh itself does not need write access to the configuration files, so make them read-only by default.

For details, see commit 2ec3f3a96 ("disable-common.inc: add missing openssh paths", 2021-01-09) / PR #3885.

Cc: @netblue30
---
 etc/inc/disable-common.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'etc/inc')

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index faed10008..010cb05b6 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -319,9 +319,13 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
-# Remote access - ${HOME}/.ssh directory blacklisted in top secret section below
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
 
 # Initialization files that allow arbitrary command execution
@@ -354,6 +358,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo
-- 
cgit v1.2.3-70-g09d2
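Review bot: The `read-only` entries for `${HOME}/.ssh/config` and `${HOME}/.ssh/config.d` in the second hunk (around new line 358) carry no comment explaining why a client config file belongs in this section, and the reason is security-relevant: ssh_config keywords such as `ProxyCommand` and `LocalCommand` execute commands, so a sandboxed process that can write the file gains code execution outside the sandbox; a one-line comment like `# ssh client config can run commands (ProxyCommand, LocalCommand)` would make the intent clear to the next editor. Note also that `Include` lets the config pull in files the profile does not cover (anything under `${HOME}/.ssh` other than `config.d` stays writable here), so the two entries are a partial mitigation unless `${HOME}/.ssh` is restricted elsewhere; whether the "top secret" section the removed comment in the first hunk referred to still blacklists the directory is not visible in this diff. In the first hunk, the new header `# Remote access (used only by sshd; should always be blacklisted)` is accurate for `authorized_keys*`, but `${HOME}/.ssh/environment` and `${HOME}/.ssh/rc` are only honored by sshd when `PermitUserEnvironment` / `PermitUserRC` are enabled, so a brief qualifier there would keep the rationale precise.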