From f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sun, 10 Jan 2021 14:29:14 -0300
Subject: ssh: deny access to the rest of /etc/ssh/*

ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that is used by ssh(1). The other paths are only used by sshd(8), so stop allowing them on ssh.profile and ssh-agent.profile.

Path examples from sshd(8):

* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc

$ pacman -Q openssh
openssh 8.4p1-2
---
 etc/profile-m-z/ssh-agent.profile | 1 -
 etc/profile-m-z/ssh.profile | 1 -
 2 files changed, 2 deletions(-)
 (limited to 'etc')

diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 0b7caed7d..60c7b510c 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index eb7bc3ec5..3ddd96df4 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
-- 
cgit v1.2.3-54-g00ecf
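Review bot: Removing `noblacklist /etc/ssh/*` from ssh.profile also denies /etc/ssh/ssh_known_hosts (and ssh_known_hosts2), which ssh(1) itself reads as the default GlobalKnownHostsFile, so the description's claim that it is an sshd(8)-only path does not hold. Assuming disable-common.inc still blacklists /etc/ssh as the existing comment suggests, and unless allow-ssh.inc (not in this diff) re-allows it, the host-key pins shipped system-wide stop being consulted and ssh falls back to the per-user known_hosts — the user is prompted as for an unknown host, or the connection fails under StrictHostKeyChecking=yes. Distributions whose ssh_config carries `Include /etc/ssh/ssh_config.d/*.conf` lose those drop-ins the same way, which can silently drop hardened settings. I would replace the wildcard with `noblacklist /etc/ssh/ssh_known_hosts`, `noblacklist /etc/ssh/ssh_known_hosts2` and `noblacklist /etc/ssh/ssh_config.d` (or confirm allow-ssh.inc already covers them) rather than dropping it outright; the ssh-agent.profile hunk is fine as is, since ssh-agent(1) reads nothing under /etc/ssh.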