- markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] [sshconnect2.c sshd.c sshd_config sshd_config.5] add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
This commit is contained in:
parent
47655ee03a
commit
9786e6e2a0
11
ChangeLog
11
ChangeLog
|
@ -6,6 +6,15 @@
|
|||
[auth-passwd.c]
|
||||
auth_usercheck(3) can return NULL, so check for that. Report from
|
||||
mpech@. ok markus@
|
||||
- markus@cvs.openbsd.org 2005/07/25 11:59:40
|
||||
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
|
||||
[sshconnect2.c sshd.c sshd_config sshd_config.5]
|
||||
add a new compression method that delays compression until the user
|
||||
has been authenticated successfully and set compression to 'delayed'
|
||||
for sshd.
|
||||
this breaks older openssh clients (< 3.5) if they insist on
|
||||
compression, so you have to re-enable compression in sshd_config.
|
||||
ok djm@
|
||||
|
||||
20050725
|
||||
- (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
|
||||
|
@ -2870,4 +2879,4 @@
|
|||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.3856 2005/07/26 11:54:11 djm Exp $
|
||||
$Id: ChangeLog,v 1.3857 2005/07/26 11:54:56 djm Exp $
|
||||
|
|
10
kex.c
10
kex.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kex.c,v 1.63 2005/07/17 07:17:55 djm Exp $");
|
||||
RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
|
@ -275,10 +275,12 @@ choose_comp(Comp *comp, char *client, char *server)
|
|||
char *name = match_list(client, server, NULL);
|
||||
if (name == NULL)
|
||||
fatal("no matching comp found: client %s server %s", client, server);
|
||||
if (strcmp(name, "zlib") == 0) {
|
||||
comp->type = 1;
|
||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||
comp->type = COMP_DELAYED;
|
||||
} else if (strcmp(name, "zlib") == 0) {
|
||||
comp->type = COMP_ZLIB;
|
||||
} else if (strcmp(name, "none") == 0) {
|
||||
comp->type = 0;
|
||||
comp->type = COMP_NONE;
|
||||
} else {
|
||||
fatal("unsupported comp %s", name);
|
||||
}
|
||||
|
|
6
kex.h
6
kex.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kex.h,v 1.36 2005/06/17 02:44:32 djm Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -35,6 +35,10 @@
|
|||
#define KEX_DH14 "diffie-hellman-group14-sha1"
|
||||
#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
|
||||
|
||||
#define COMP_NONE 0
|
||||
#define COMP_ZLIB 1
|
||||
#define COMP_DELAYED 2
|
||||
|
||||
enum kex_init_proposals {
|
||||
PROPOSAL_KEX_ALGS,
|
||||
PROPOSAL_SERVER_HOST_KEY_ALGS,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: myproposal.h,v 1.17 2005/05/23 23:32:46 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -36,7 +36,7 @@
|
|||
"hmac-md5,hmac-sha1,hmac-ripemd160," \
|
||||
"hmac-ripemd160@openssh.com," \
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
|
||||
|
||||
|
|
56
packet.c
56
packet.c
|
@ -37,7 +37,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: packet.c,v 1.117 2005/06/17 02:44:32 djm Exp $");
|
||||
RCSID("$OpenBSD: packet.c,v 1.118 2005/07/25 11:59:39 markus Exp $");
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
|
@ -116,6 +116,12 @@ static int initialized = 0;
|
|||
/* Set to true if the connection is interactive. */
|
||||
static int interactive_mode = 0;
|
||||
|
||||
/* Set to true if we are the server side. */
|
||||
static int server_side = 0;
|
||||
|
||||
/* Set to true if we are authenticated. */
|
||||
static int after_authentication = 0;
|
||||
|
||||
/* Session key information for Encryption and MAC */
|
||||
Newkeys *newkeys[MODE_MAX];
|
||||
static struct packet_state {
|
||||
|
@ -624,7 +630,9 @@ set_newkeys(int mode)
|
|||
/* Deleting the keys does not gain extra security */
|
||||
/* memset(enc->iv, 0, enc->block_size);
|
||||
memset(enc->key, 0, enc->key_len); */
|
||||
if (comp->type != 0 && comp->enabled == 0) {
|
||||
if ((comp->type == COMP_ZLIB ||
|
||||
(comp->type == COMP_DELAYED && after_authentication)) &&
|
||||
comp->enabled == 0) {
|
||||
packet_init_compression();
|
||||
if (mode == MODE_OUT)
|
||||
buffer_compress_init_send(6);
|
||||
|
@ -644,6 +652,34 @@ set_newkeys(int mode)
|
|||
*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
|
||||
}
|
||||
|
||||
/*
|
||||
* Delayed compression for SSH2 is enabled after authentication:
|
||||
* This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
|
||||
* and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
|
||||
*/
|
||||
static void
|
||||
packet_enable_delayed_compress(void)
|
||||
{
|
||||
Comp *comp = NULL;
|
||||
int mode;
|
||||
|
||||
/*
|
||||
* Remember that we are past the authentication step, so rekeying
|
||||
* with COMP_DELAYED will turn on compression immediately.
|
||||
*/
|
||||
after_authentication = 1;
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
comp = &newkeys[mode]->comp;
|
||||
if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
|
||||
if (mode == MODE_OUT)
|
||||
buffer_compress_init_send(6);
|
||||
else
|
||||
buffer_compress_init_recv();
|
||||
comp->enabled = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
|
||||
*/
|
||||
|
@ -757,6 +793,8 @@ packet_send2_wrapped(void)
|
|||
|
||||
if (type == SSH2_MSG_NEWKEYS)
|
||||
set_newkeys(MODE_OUT);
|
||||
else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
|
||||
packet_enable_delayed_compress();
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1099,6 +1137,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
|
|||
packet_disconnect("Invalid ssh2 packet type: %d", type);
|
||||
if (type == SSH2_MSG_NEWKEYS)
|
||||
set_newkeys(MODE_IN);
|
||||
else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
|
||||
packet_enable_delayed_compress();
|
||||
#ifdef PACKET_DEBUG
|
||||
fprintf(stderr, "read/plain[%d]:\r\n", type);
|
||||
buffer_dump(&incoming_packet);
|
||||
|
@ -1524,3 +1564,15 @@ packet_set_rekey_limit(u_int32_t bytes)
|
|||
{
|
||||
rekey_limit = bytes;
|
||||
}
|
||||
|
||||
void
|
||||
packet_set_server(void)
|
||||
{
|
||||
server_side = 1;
|
||||
}
|
||||
|
||||
void
|
||||
packet_set_authenticated(void)
|
||||
{
|
||||
after_authentication = 1;
|
||||
}
|
||||
|
|
4
packet.h
4
packet.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: packet.h,v 1.42 2005/06/17 02:44:33 djm Exp $ */
|
||||
/* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -30,6 +30,8 @@ u_int packet_get_protocol_flags(void);
|
|||
void packet_start_compression(int);
|
||||
void packet_set_interactive(int);
|
||||
int packet_is_interactive(void);
|
||||
void packet_set_server(void);
|
||||
void packet_set_authenticated(void);
|
||||
|
||||
void packet_start(u_char);
|
||||
void packet_put_char(int ch);
|
||||
|
|
22
servconf.c
22
servconf.c
|
@ -10,7 +10,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.142 2005/06/17 02:44:33 djm Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.143 2005/07/25 11:59:40 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
|
@ -201,7 +201,7 @@ fill_default_server_options(ServerOptions *options)
|
|||
if (options->use_login == -1)
|
||||
options->use_login = 0;
|
||||
if (options->compression == -1)
|
||||
options->compression = 1;
|
||||
options->compression = COMP_DELAYED;
|
||||
if (options->allow_tcp_forwarding == -1)
|
||||
options->allow_tcp_forwarding = 1;
|
||||
if (options->gateway_ports == -1)
|
||||
|
@ -725,7 +725,23 @@ parse_flag:
|
|||
|
||||
case sCompression:
|
||||
intptr = &options->compression;
|
||||
goto parse_flag;
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: missing yes/no/delayed "
|
||||
"argument.", filename, linenum);
|
||||
value = 0; /* silence compiler */
|
||||
if (strcmp(arg, "delayed") == 0)
|
||||
value = COMP_DELAYED;
|
||||
else if (strcmp(arg, "yes") == 0)
|
||||
value = COMP_ZLIB;
|
||||
else if (strcmp(arg, "no") == 0)
|
||||
value = COMP_NONE;
|
||||
else
|
||||
fatal("%s line %d: Bad yes/no/delayed "
|
||||
"argument: %s", filename, linenum, arg);
|
||||
if (*intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
case sGatewayPorts:
|
||||
intptr = &options->gateway_ports;
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.185 2005/07/17 07:17:55 djm Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
|
@ -56,6 +56,7 @@ RCSID("$OpenBSD: session.c,v 1.185 2005/07/17 07:17:55 djm Exp $");
|
|||
#include "serverloop.h"
|
||||
#include "canohost.h"
|
||||
#include "session.h"
|
||||
#include "kex.h"
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
#if defined(KRB5) && defined(USE_AFS)
|
||||
|
@ -272,7 +273,7 @@ do_authenticated1(Authctxt *authctxt)
|
|||
compression_level);
|
||||
break;
|
||||
}
|
||||
if (!options.compression) {
|
||||
if (options.compression == COMP_NONE) {
|
||||
debug2("compression disabled");
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.140 2005/07/17 07:17:55 djm Exp $");
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $");
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
|
@ -101,10 +101,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
|
|||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
|
||||
if (options.compression) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
|
||||
} else {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
|
||||
}
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
|
|
15
sshd.c
15
sshd.c
|
@ -42,7 +42,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.311 2005/06/17 02:44:33 djm Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
|
@ -671,6 +671,12 @@ privsep_postauth(Authctxt *authctxt)
|
|||
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
|
||||
/*
|
||||
* Tell the packet layer that authentication was successful, since
|
||||
* this information is not part of the key state.
|
||||
*/
|
||||
packet_set_authenticated();
|
||||
}
|
||||
|
||||
static char *
|
||||
|
@ -1621,6 +1627,7 @@ main(int ac, char **av)
|
|||
* not have a key.
|
||||
*/
|
||||
packet_set_connection(sock_in, sock_out);
|
||||
packet_set_server();
|
||||
|
||||
/* Set SO_KEEPALIVE if requested. */
|
||||
if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
|
||||
|
@ -1988,10 +1995,14 @@ do_ssh2_kex(void)
|
|||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
}
|
||||
if (!options.compression) {
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
|
||||
} else if (options.compression == COMP_DELAYED) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
|
||||
}
|
||||
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||
|
||||
/* start key exchange */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sshd_config,v 1.71 2005/05/19 02:40:52 djm Exp $
|
||||
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
@ -90,7 +90,7 @@
|
|||
#UseLogin no
|
||||
#UsePrivilegeSeparation yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS yes
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.43 2005/05/23 23:32:46 djm Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
|
@ -217,13 +217,15 @@ The default
|
|||
is 0, indicating that these messages will not be sent to the client.
|
||||
This option applies to protocol version 2 only.
|
||||
.It Cm Compression
|
||||
Specifies whether compression is allowed.
|
||||
Specifies whether compression is allowed, or delayed until
|
||||
the user has authenticated successfully.
|
||||
The argument must be
|
||||
.Dq yes
|
||||
.Dq yes ,
|
||||
.Dq delayed ,
|
||||
or
|
||||
.Dq no .
|
||||
The default is
|
||||
.Dq yes .
|
||||
.Dq delayed .
|
||||
.It Cm DenyGroups
|
||||
This keyword can be followed by a list of group name patterns, separated
|
||||
by spaces.
|
||||
|
|
Loading…
Reference in New Issue