profiles: restore entries for ssh-related paths

This partially reverts commit d94f547 ("disable all ssh utilities in disable-common.inc", 2023-08-20). Certain files in ~/.ssh are only used by sshd (not by ssh), so always blacklist them. Also, ssh itself does not need write access to the configuration files, so make them read-only by default. For details, see commit 2ec3f3a ("disable-common.inc: add missing openssh paths", 2021-01-09) / PR #3885. Cc: @netblue30
netblue30 · Aug 21, 2023 · 5ba5ed0 · 5ba5ed0
1 parent 75cefd5
commit 5ba5ed0
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
@@ -319,9 +319,13 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
-# Remote access - ${HOME}/.ssh directory blacklisted in top secret section below
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
 
 # Initialization files that allow arbitrary command execution
@@ -354,6 +358,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo