tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2008/06/10 22:15:23 

[PROTOCOL ssh.c serverloop.c]
     Add a no-more-sessions@openssh.com global request extension that the
     client sends when it knows that it will never request another session
     (i.e. when session multiplexing is disabled). This allows a server to
     disallow further session requests and terminate the session.
     Why would a non-multiplexing client ever issue additional session
     requests? It could have been attacked with something like SSH'jack:
     http://www.storm.net.nz/projects/7
     feedback & ok markus
This commit is contained in:
Darren Tucker 2008-06-11 09:34:01 +10:00
parent c9807e825a
commit 8901fa9c88
4 changed files with 60 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog
View File

@ -41,6 +41,16 @@
- dtucker@cvs.openbsd.org 2008/06/10 18:21:24 - dtucker@cvs.openbsd.org 2008/06/10 18:21:24
[ssh_config.5] [ssh_config.5]
clarify that Host patterns are space-separated. ok deraadt clarify that Host patterns are space-separated. ok deraadt
- djm@cvs.openbsd.org 2008/06/10 22:15:23
[PROTOCOL ssh.c serverloop.c]
Add a no-more-sessions@openssh.com global request extension that the
client sends when it knows that it will never request another session
(i.e. when session multiplexing is disabled). This allows a server to
disallow further session requests and terminate the session.
Why would a non-multiplexing client ever issue additional session
requests? It could have been attacked with something like SSH'jack:
http://www.storm.net.nz/projects/7
feedback & ok markus
- (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6
since the new CIDR code in addmatch.c references it. since the new CIDR code in addmatch.c references it.
- (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6
@ -4133,4 +4143,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@ passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.4961 2008/06/10 23:33:01 dtucker Exp $ $Id: ChangeLog,v 1.4962 2008/06/10 23:34:01 dtucker Exp $

33
PROTOCOL
View File

@ -61,7 +61,30 @@ remain open after a "eow@openssh.com" has been sent and more data may
still be sent in the other direction. This message does not consume still be sent in the other direction. This message does not consume
window space and may be sent even if no window space is available. window space and may be sent even if no window space is available.
4. sftp: Reversal of arguments to SSH_FXP_SYMLINK 4. connection: disallow additional sessions extension
"no-more-sessions@openssh.com"
Most SSH connections will only ever request a single session, but a
attacker may abuse a running ssh client to surreptitiously open
additional sessions under their control. OpenSSH provides a global
request "no-more-sessions@openssh.com" to mitigate this attack.
When an OpenSSH client expects that it will never open another session
(i.e. it has been started with connection multiplexing disabled), it
will send the following global request:
byte SSH_MSG_GLOBAL_REQUEST
string "no-more-sessions@openssh.com"
char want-reply
On receipt of such a message, an OpenSSH server will refuse to open
future channels of type "session" and instead immediately abort the
connection.
Note that this is not a general defence against compromised clients
(that is impossible), but it thwarts a simple attack.
5. sftp: Reversal of arguments to SSH_FXP_SYMLINK
When OpenSSH's sftp-server was implemented, the order of the arguments When OpenSSH's sftp-server was implemented, the order of the arguments
to the SSH_FXP_SYMLINK method was inadvertendly reversed. Unfortunately, to the SSH_FXP_SYMLINK method was inadvertendly reversed. Unfortunately,
@ -74,7 +97,7 @@ SSH_FXP_SYMLINK as follows:
string targetpath string targetpath
string linkpath string linkpath
5. sftp: Server extension announcement in SSH_FXP_VERSION 6. sftp: Server extension announcement in SSH_FXP_VERSION
OpenSSH's sftp-server lists the extensions it supports using the OpenSSH's sftp-server lists the extensions it supports using the
standard extension announcement mechanism in the SSH_FXP_VERSION server standard extension announcement mechanism in the SSH_FXP_VERSION server
@ -95,7 +118,7 @@ ever changed in an incompatible way. The server MAY advertise the same
extension with multiple versions (though this is unlikely). Clients MUST extension with multiple versions (though this is unlikely). Clients MUST
check the version number before attemping to use the extension. check the version number before attemping to use the extension.
6. sftp: Extension request "posix-rename@openssh.com" 7. sftp: Extension request "posix-rename@openssh.com"
This operation provides a rename operation with POSIX semantics, which This operation provides a rename operation with POSIX semantics, which
are different to those provided by the standard SSH_FXP_RENAME in are different to those provided by the standard SSH_FXP_RENAME in
@ -112,7 +135,7 @@ rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version This extension is advertised in the SSH_FXP_VERSION hello with version
"1". "1".
7. sftp: Extension requests "statvfs@openssh.com" and 8. sftp: Extension requests "statvfs@openssh.com" and
"fstatvfs@openssh.com" "fstatvfs@openssh.com"
These requests correspond to the statvfs and fstatvfs POSIX system These requests correspond to the statvfs and fstatvfs POSIX system
@ -153,5 +176,5 @@ The values of the f_flag bitmask are as follows:
This extension is advertised in the SSH_FXP_VERSION hello with version This extension is advertised in the SSH_FXP_VERSION hello with version
"2". "2".
$OpenBSD: PROTOCOL,v 1.5 2008/06/09 13:38:46 dtucker Exp $ $OpenBSD: PROTOCOL,v 1.6 2008/06/10 22:15:23 djm Exp $

12
serverloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.151 2008/05/09 16:21:13 markus Exp $ */ /* $OpenBSD: serverloop.c,v 1.152 2008/06/10 22:15:23 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -105,6 +105,7 @@ static int connection_in; /* Connection to client (input). */
static int connection_out; /* Connection to client (output). */ static int connection_out; /* Connection to client (output). */
static int connection_closed = 0; /* Connection to client closed. */ static int connection_closed = 0; /* Connection to client closed. */
static u_int buffer_high; /* "Soft" max buffer size. */ static u_int buffer_high; /* "Soft" max buffer size. */
static int no_more_sessions = 0; /* Disallow further sessions. */
/* /*
* This SIGCHLD kludge is used to detect when the child exits. The server * This SIGCHLD kludge is used to detect when the child exits. The server
@ -1013,6 +1014,12 @@ server_request_session(void)
debug("input_session_request"); debug("input_session_request");
packet_check_eom(); packet_check_eom();
if (no_more_sessions) {
packet_disconnect("Possible attack: attempt to open a session "
"after additional sessions disabled");
}
/* /*
* A server session has no fd to read or write until a * A server session has no fd to read or write until a
* CHANNEL_REQUEST for a shell is made, so we set the type to * CHANNEL_REQUEST for a shell is made, so we set the type to
@ -1133,6 +1140,9 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
success = channel_cancel_rport_listener(cancel_address, success = channel_cancel_rport_listener(cancel_address,
cancel_port); cancel_port);
xfree(cancel_address); xfree(cancel_address);
} else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
no_more_sessions = 1;
success = 1;
} }
if (want_reply) { if (want_reply) {
packet_start(success ? packet_start(success ?

11
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.313 2008/05/09 14:26:08 djm Exp $ */ /* $OpenBSD: ssh.c,v 1.314 2008/06/10 22:15:23 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1151,6 +1151,15 @@ ssh_session2(void)
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
id = ssh_session2_open(); id = ssh_session2_open();
/* If we don't expect to open a new session, then disallow it */
if (options.control_master == SSHCTL_MASTER_NO) {
debug("Requesting no-more-sessions@openssh.com");
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("no-more-sessions@openssh.com");
packet_put_char(0);
packet_send();
}
/* Execute a local command */ /* Execute a local command */
if (options.local_command != NULL && if (options.local_command != NULL &&
options.permit_local_command) options.permit_local_command)