Commit Graph

148 Commits

Author SHA1 Message Date
djm@openbsd.org 0cb50eefdd
upstream: stricter handling of channel window limits
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@

OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
2023-12-19 01:52:55 +11:00
djm@openbsd.org 050c335c8d
upstream: when deciding whether to enable keystroke timing
obfuscation, only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh

OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
2023-11-16 09:53:42 +11:00
djm@openbsd.org ccf7d913db
upstream: make channel_output_poll() return a flag indicating
whether channel data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@

OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0
2023-09-04 10:09:53 +10:00
dlg@openbsd.org 94842bfe9b
upstream: add support for unix domain sockets to ssh -W
ok djm@ dtucker@

OpenBSD-Commit-ID: 3e6d47567b895c7c28855c7bd614e106c987a6d8
2023-07-07 08:20:25 +10:00
millert@openbsd.org b53a809a54
upstream: Store timeouts as int, not u_int as they are limited to
INT_MAX. Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion.  OK djm@

OpenBSD-Commit-ID: 48081e9ad35705c5f1705711704a4c2ff94e87b7
2023-06-20 10:07:06 +10:00
dtucker@openbsd.org 6c165c3624
upstream: Use time_t for x11 timeout.
Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety.  From Coverity CIDs 405197 and 405028, ok djm@

OpenBSD-Commit-ID: 356685bfa1fc3d81bd95722d3fc47101cc1a4972
2023-03-04 14:43:21 +11:00
djm@openbsd.org 35253af01d
upstream: when restoring non-blocking mode to stdio fds, restore
exactly the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@

OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
2023-01-18 13:21:00 +11:00
djm@openbsd.org 2d1ff2b943
upstream: Implement channel inactivity timeouts
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker

OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
2023-01-06 16:23:16 +11:00
djm@openbsd.org 0e34348d0b
upstream: Add channel_set_xtype()
This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker

OpenBSD-Commit-ID: 42564aa92345045b4a74300528f960416a15d4ca
2023-01-06 16:21:40 +11:00
djm@openbsd.org c60438158a
upstream: Add channel_force_close()
This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker

OpenBSD-Commit-ID: 23052707a42bdc62fda2508636e624afd466324b
2023-01-06 16:21:39 +11:00
djm@openbsd.org d478cdc7ad
upstream: replace manual poll/ppoll timeout math with ptimeout API
feedback markus / ok markus dtucker

OpenBSD-Commit-ID: c5ec4f2d52684cdb788cd9cbc1bcf89464014be2
2023-01-06 16:21:39 +11:00
djm@openbsd.org 0e44db4d9c upstream: channel_new no longer frees remote_name. So update the
comment accordingly.  As remote_name is not modified, it can be const as
well. From Martin Vahlensieck

OpenBSD-Commit-ID: e4e10dc8dc9f40c166ea5a8e991942bedc75a76a
2022-05-05 11:34:52 +10:00
djm@openbsd.org d6556de1db upstream: fix poll() spin when a channel's output fd closes without
data in the channel buffer. Introduce more exact packing of channel fds into
the pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@

OpenBSD-Commit-ID: 06740737849c9047785622ad5d472cb6a3907d10
2022-03-31 08:16:38 +11:00
djm@openbsd.org b30d32159d upstream: add a ssh_packet_process_read() function that reads from
a fd directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@

OpenBSD-Commit-ID: df4112125bf79d8e38e79a77113e1b373078e632
2022-01-25 12:18:35 +11:00
djm@openbsd.org 17877bc81d upstream: convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@; has been in snaps for a few months

OpenBSD-Commit-ID: a77e16a667d5b194dcdb3b76308b8bba7fa7239c
2022-01-07 09:21:38 +11:00
djm@openbsd.org 5c79952dfe upstream: prepare for conversion of ssh, sshd mainloop from
select() to poll() by moving FD_SET construction out of channel handlers into
separate functions. ok markus

OpenBSD-Commit-ID: 937fbf2a4de12b19fb9d5168424e206124807027
2022-01-07 09:11:58 +11:00
djm@openbsd.org 7be4ac8136 upstream: restore blocking status on stdio fds before close
ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
>         ssh -Fnone -oLogLevel=verbose ::1 hostname
>         cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@

OpenBSD-Commit-ID: 8cc67346f05aa85a598bddf2383fcfcc3aae61ce
2021-05-19 11:52:14 +10:00
djm@openbsd.org 31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
djm@openbsd.org 34afde5c73 upstream: whitespace (tab after space)
OpenBSD-Commit-ID: 0e2b3f7674e985d3f7c27ff5028e690ba1c2efd4
2021-04-03 17:20:00 +11:00
djm@openbsd.org 107eb3eeaf upstream: cap channel input buffer size at 16MB; avoids high memory use
when peer advertises a large window but is slow to consume the data we send
(e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@

OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216
2020-09-20 16:16:46 +10:00
djm@openbsd.org 6d755706a0 upstream: some language improvements; ok markus
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
2020-07-15 15:07:42 +10:00
djm@openbsd.org 065064fcf4 upstream: add a comment describing the ranges of channel IDs that
we use; requested by markus@

OpenBSD-Commit-ID: 83a1f09810ffa3a96a55fbe32675b34ba739e56b
2020-01-26 10:15:13 +11:00
djm@openbsd.org f1dd179e12 upstream: include a little more information about the status and
disposition of channel's extended (stderr) fd; makes debugging some things a
bit easier. No behaviour change.

OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
2018-10-04 10:44:49 +10:00
djm@openbsd.org 115063a664 upstream: Add a PermitListen directive to control which server-side
addresses may be listened on when the client requests remote forwarding (ssh
-R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@

OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
2018-06-07 04:27:20 +10:00
markus@openbsd.org 609d7a66ce upstream commit
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@

Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-22 09:14:53 +10:00
djm@openbsd.org 9f53229c2a upstream commit
Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@

Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
2017-09-12 17:37:03 +10:00
djm@openbsd.org dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org 71e5a536ec upstream commit
pass packet state down to some of the channels functions
(more to come...); ok markus@

Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
2017-09-04 09:38:57 +10:00
markus@openbsd.org 2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
markus@openbsd.org 6cf711752c upstream commit
remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@

Upstream-ID: e2e225b6ac67b84dd024f38819afff2554fafe42
2017-05-27 15:35:52 +10:00
markus@openbsd.org 364f0d5ede upstream commit
remove channel_input_close_confirmation (ssh1 only); ok
djm@

Upstream-ID: 8e7c8c38f322d255bb0294a5c0ebef53fdf576f1
2017-05-27 15:35:52 +10:00
djm@openbsd.org 930e8d2827 upstream commit
obliterate ssh1.h and some dead code that used it

ok markus@

Upstream-ID: 1ca9159a9fb95618f9d51e069ac8e1131a087343
2017-05-01 10:05:06 +10:00
djm@openbsd.org 97f4d3083b upstream commit
remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01 09:42:37 +10:00
dtucker@openbsd.org 858252fb1d upstream commit
Return true reason for port forwarding failures where
feasible rather than always "administratively prohibited".  bz#2674, ok djm@

Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
2017-02-03 14:23:24 +11:00
dtucker@openbsd.org 246aa842a4 upstream commit
Remove channel_input_port_forward_request(); the only caller
was the recently-removed SSH1 server code so it's now dead code.  ok markus@

Upstream-ID: 05453983230a1f439562535fec2818f63f297af9
2016-10-19 07:16:01 +11:00
markus@openbsd.org 8d05784785 upstream commit
ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no file descriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
  and server on different machines.
feedback & ok djm@

Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-10-01 02:45:10 +10:00
djm@openbsd.org 1bf477d3cd upstream commit
better refuse ForwardX11Trusted=no connections attempted
after ForwardX11Timeout expires; reported by Jann Horn

Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
2015-07-01 12:29:43 +10:00
djm@openbsd.org c28a3436fa upstream commit
moar whitespace at eol

Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
2015-05-08 16:46:01 +10:00
markus@openbsd.org 3fdc88a0de upstream commit
move dispatch to struct ssh; ok djm@
2015-01-20 09:14:16 +11:00
Damien Miller 7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller 4b3ed647d5 - markus@cvs.openbsd.org 2014/06/27 16:41:56
[channels.c channels.h clientloop.c ssh.c]
     fix remote fwding with same listen port but different listen address
     with gerhard@, ok djm@
2014-07-02 15:29:40 +10:00
Damien Miller c192a4c4f6 - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a
   non-blocking connecting socket will clear any stored errno that might
   otherwise have been retrievable via getsockopt(). A hack to limit writes
   to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
   it in an #ifdef. Diagnosis and patch from Ivo Raisr.
2013-08-01 14:29:20 +10:00
Damien Miller 36187093ea - dtucker@cvs.openbsd.org 2013/06/07 15:37:52
[channels.c channels.h clientloop.c]
     Add an "ABANDONED" channel state and use for mux sessions that are
     disconnected via the ~. escape sequence.  Channels in this state will
     be able to close if the server responds, but do not count as active channels.
     This means that if you ~. all of the mux clients when using ControlPersist
     on a broken network, the backgrounded mux master will exit when the
     Control Persist time expires rather than hanging around indefinitely.
     bz#1917, also reported and tested by tedu@.  ok djm@ markus@.
2013-06-10 13:07:11 +10:00
Darren Tucker 5d12b8f05d - dtucker@cvs.openbsd.org 2013/06/02 21:01:51
[channels.h]
     typo in comment
2013-06-06 08:09:10 +10:00
Damien Miller a6508753db - djm@cvs.openbsd.org 2012/04/11 13:16:19
[channels.c channels.h clientloop.c serverloop.c]
     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
     while; ok deraadt@ markus@
2012-04-22 11:21:10 +10:00
Damien Miller c6081482b2 - dtucker@cvs.openbsd.org 2012/03/29 23:54:36
[channels.c channels.h servconf.c]
     Add PermitOpen none option based on patch from Loganaden Velvindron
     (bz #1949).  ok djm@
2012-04-22 11:18:53 +10:00
Darren Tucker 68afb8c5f2 - markus@cvs.openbsd.org 2011/09/23 07:45:05
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
     unbreak remote portforwarding with dynamic allocated listen ports:
     1) send the actual listen port in the open message (instead of 0).
        this allows multiple forwardings with a dynamic listen port
     2) update the matching permit-open entry, so we can identify where
        to connect to
     report: den at skbkontur.ru and P. Szczygielski
     feedback and ok djm@
2011-10-02 18:59:03 +11:00
Darren Tucker 1338b9e067 - dtucker@cvs.openbsd.org 2011/09/23 00:22:04
[channels.c auth-options.c servconf.c channels.h sshd.8]
     Add wildcard support to PermitOpen, allowing things like "PermitOpen
     localhost:*".  bz #1857, ok djm markus.
2011-10-02 18:57:35 +11:00
Damien Miller ff773644e6 - markus@cvs.openbsd.org 2011/09/10 22:26:34
[channels.c channels.h clientloop.c ssh.1]
     support cancellation of local/dynamic forwardings from ~C commandline;
     ok & feedback djm@
2011-09-22 21:39:48 +10:00
Damien Miller f6dff7cd2f - djm@cvs.openbsd.org 2011/09/09 22:46:44
[channels.c channels.h clientloop.h mux.c ssh.c]
     support for cancelling local and remote port forwards via the multiplex
     socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
     the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00