4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes
on the pty slave as zero-length reads on the pty master, which sshd
interprets as the descriptor closing. Since most things don't do zero
length writes this rarely matters, but occasionally it happens, and when
it does the SSH pty session appears to hang, so we add a special case for
this condition. ok djm@
[serverloop.c ssh.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
compatability support for Linux, diff from reyk@
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
[serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).
ok djm@, man page bits by jmc@
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
[misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
[serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
[sshconnect.h sshd.8 sshd_config sshd_config.5]
Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.
ok djm@, markus@, jmc@ (manpages), tested and discussed with others
[clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
[ssh.c sshconnect.c sshconnect1.c sshd.c]
no need to escape single quotes in comments, no binary change
[channels.c channels.h clientloop.c serverloop.c session.c]
fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
[channels.c channels.h clientloop.c serverloop.c ssh.1]
bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/12/09 15:28:43
[serverloop.c]
make ClientKeepAlive work for ssh -N, too (no login shell requested).
1) send a bogus channel request if we find a channel
2) send a bogus global request if we don't have a channel
ok + test beck@
[auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
[auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
[session.c]
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
- markus@cvs.openbsd.org 2003/04/01 10:22:21
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
backout rekeying changes (for 3.6.1)
[auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
session.h servconf.h serverloop.c session.c sshd.c]
integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@
applied, but outside of ensure that smaller code bits migrated with
their owners.. no work was tried to 'fix' it to work. =) Later project!
[auth1.c serverloop.c session.c session.h]
don't use channel_input_channel_request and callback
use new server_input_channel_req() instead:
server_input_channel_req does generic request parsing on server side
session_input_channel_req handles just session specific things now
ok djm@
[auth2.c auth2-chall.c channels.c channels.h clientloop.c dispatch.c]
[dispatch.h kex.c kex.h packet.c packet.h serverloop.c ssh.c]
[sshconnect2.c]
Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@
[serverloop.c]
fix race between SIGCHLD and select with an additional pipe. writing
to the pipe on SIGCHLD wakes up select(). using pselect() is not
portable and siglongjmp() ugly. W. R. Stevens suggests similar solution.
initial idea by pmenage@ensim.com; ok deraadt@, djm@
- markus@cvs.openbsd.org 2001/10/10 22:18:47
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c session.h]
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?
[channels.c channels.h clientloop.c nchan.c serverloop.c]
keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.
[channels.c channels.h clientloop.c packet.c serverloop.c]
move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
pain will be over.]
- markus@cvs.openbsd.org 2001/05/31 10:30:17
[auth-options.c auth2.c channels.c channels.h clientloop.c nchan.c
packet.c serverloop.c session.c ssh.c]
undo the .c file split, just merge the header and keep the cvs
history
[channels.c serverloop.c]
adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by
onoe@sm.sony.co.jp
[channels.c channels.h servconf.c servconf.h serverloop.c sshd.8]
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@
[serverloop.c]
keep the ssh session even if there is no active channel.
this is more in line with the protocol spec and makes
ssh -N -L 1234:server:110 host
more useful.
based on discussion with <mats@mindbright.se> long time ago
and recent mail from <res@shore.net>
[channels.c channels.h clientloop.c kex.c kex.h serverloop.c
sshconnect2.c sshd.c]
more robust rekeying
don't send channel data after rekeying is started.
[clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT
[auth-options.c channels.c channels.h serverloop.c session.c]
implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de
[channels.c channels.h serverloop.c ssh.c]
do not disconnect if local port forwarding fails, e.g. if port is already in
use
- markus@cvs.openbsd.org 2001/02/01 14:58:09
[channels.c]
use ipaddr in channel messages, ietf-secsh wants this
- markus@cvs.openbsd.org 2001/01/31 12:26:20
[channels.c]
ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages;
bug report from edmundo@rano.org
Darren Tucker
Damien Miller
Tim Rice
Ben Lindstrom
Kevin Steves