author | Colin Watson <cjwatson@debian.org> | 2010-01-01 23:53:30 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-01-01 23:53:30 +0000 |
commit | df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch) | |
tree | 1aab079441dff9615274769b19f2d734ddf508dd /clientloop.c | |
parent | 6ad6994c288662fca6949f42bf91fec2aff00bca (diff) | |
parent | 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff) |
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet.
- Change the default cipher order to prefer the AES CTR modes and the
revised "arcfour256" mode to CBC mode ciphers that are susceptible to
CPNI-957037 "Plaintext Recovery Attack Against SSH".
- Add countermeasures to mitigate CPNI-957037-style attacks against the
SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
packet length or Message Authentication Code, ssh/sshd will continue
reading up to the maximum supported packet length rather than
immediately terminating the connection. This eliminates most of the
known differences in behaviour that leaked information about the
plaintext of injected data which formed the basis of this attack
(closes: #506115, LP: #379329).
- ForceCommand directive now accepts commandline arguments for the
internal-sftp server (closes: #524423, LP: #362511).
- Add AllowAgentForwarding to available Match keywords list (closes:
#540623).
- Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
- Avoid printing 'Non-public channel' warnings in sshd(8), since
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
including cascading credentials support (LP: #416958).
Diffstat (limited to 'clientloop.c')
-rw-r--r-- | clientloop.c | 55 |
1 files changed, 36 insertions, 19 deletions
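--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.201 2008/07/16 11:51:14 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -107,10 +107,13 @@
 #include "atomicio.h"
 #include "sshpty.h"
 #include "misc.h"
-#include "monitor_fdpass.h"
 #include "match.h"
 #include "msg.h"
 
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
 /* import options */
 extern Options options;
 
@@ -770,8 +773,8 @@ process_cmdline(void)
 void (*handler)(int);
 char *s, *cmd, *cancel_host;
 int delete = 0;
-int local = 0;
-u_short cancel_port;
+int local = 0, remote = 0, dynamic = 0;
+int cancel_port;
 Forward fwd;
 
 bzero(&fwd, sizeof(fwd));
@@ -795,6 +798,8 @@ process_cmdline(void)
 "Request local forward");
 logit(" -R[bind_address:]port:host:hostport "
 "Request remote forward");
+logit(" -D[bind_address:]port "
+"Request dynamic forward");
 logit(" -KR[bind_address:]port "
 "Cancel remote forward");
 if (!options.permit_local_command)
@@ -814,17 +819,22 @@ process_cmdline(void)
 delete = 1;
 s++;
 }
-if (*s != 'L' && *s != 'R') {
+if (*s == 'L')
+local = 1;
+else if (*s == 'R')
+remote = 1;
+else if (*s == 'D')
+dynamic = 1;
+else {
 logit("Invalid command.");
 goto out;
 }
-if (*s == 'L')
-local = 1;
-if (local && delete) {
+
+if ((local || dynamic) && delete) {
 logit("Not supported.");
 goto out;
 }
-if ((!local || delete) && !compat20) {
+if (remote && delete && !compat20) {
 logit("Not supported for SSH protocol version 1.");
 goto out;
 }
@@ -842,17 +852,17 @@ process_cmdline(void)
 cancel_port = a2port(cancel_host);
 cancel_host = NULL;
 }
-if (cancel_port == 0) {
+if (cancel_port <= 0) {
 logit("Bad forwarding close port");
 goto out;
 }
 channel_request_rforward_cancel(cancel_host, cancel_port);
 } else {
-if (!parse_forward(&fwd, s)) {
+if (!parse_forward(&fwd, s, dynamic, remote)) {
 logit("Bad forwarding specification.");
 goto out;
 }
-if (local) {
+if (local || dynamic) {
 if (channel_setup_local_fwd_listener(fwd.listen_host,
 fwd.listen_port, fwd.connect_host,
 fwd.connect_port, options.gateway_ports) < 0) {
@@ -1041,7 +1051,6 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
 Supported escape sequences:\r\n\
 %c. - terminate session\r\n\
 %cB - send a BREAK to the remote system\r\n\
-%cC - open a command line\r\n\
 %cR - Request rekey (SSH protocol 2 only)\r\n\
 %c# - list forwarded connections\r\n\
 %c? - this message\r\n\
@@ -1050,8 +1059,7 @@ Supported escape sequences:\r\n\
 escape_char, escape_char,
 escape_char, escape_char,
 escape_char, escape_char,
-escape_char, escape_char,
-escape_char);
+escape_char, escape_char);
 } else {
 snprintf(string, sizeof string,
 "%c?\r\n\
@@ -1086,6 +1094,8 @@ Supported escape sequences:\r\n\
 continue;
 
 case 'C':
+if (c && c->ctl_fd != -1)
+goto noescape;
 process_cmdline();
 continue;
 
@@ -1428,6 +1438,13 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 /* Do channel operations unless rekeying in progress. */
 if (!rekeying) {
 channel_after_select(readset, writeset);
+
+if (options.gss_renewal_rekey &&
+ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
+debug("credentials updated - forcing rekey");
+need_rekeying = 1;
+}
+
 if (need_rekeying || packet_need_rekeying()) {
 debug("need rekeying");
 xxx_kex->done = 0;
@@ -1639,7 +1656,7 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
 {
 Channel *c = NULL;
 char *listen_address, *originator_address;
-int listen_port, originator_port;
+u_short listen_port, originator_port;
 
 /* Get rest of the packet */
 listen_address = packet_get_string(NULL);
@@ -1665,7 +1682,7 @@ client_request_x11(const char *request_type, int rchan)
 {
 Channel *c = NULL;
 char *originator;
-int originator_port;
+u_short originator_port;
 int sock;
 
 if (!options.forward_x11) {
@@ -1729,7 +1746,7 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
 return 0;
 
 if (!compat20) {
-error("Tunnel forwarding is not support for protocol 1");
+error("Tunnel forwarding is not supported for protocol 1");
 return -1;
 }
 
@@ -1853,7 +1870,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
 if (reply) {
 packet_start(success ?
 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
-packet_put_int(id);
+packet_put_int(c->remote_id);
 packet_send();
 }
 xfree(rtype);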
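Review bot: The new `packet_put_int(c->remote_id)` in the client_input_channel_req hunk dereferences c where the replaced `packet_put_int(id)` did not, and nothing in the hunk establishes that c is non-NULL at that point; client_input_channel_req begins outside the hunk, so if the lookup that assigns c earlier in the function can fail and leave it NULL, a channel request naming an unknown channel id would make ssh(1) dereference a null pointer while building the reply. Guard the reply on the pointer, `if (reply && c != NULL) {`, so an unknown channel is logged and dropped rather than answered. Separately, the client_loop hunk calls `ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)` unconditionally while `ssh-gss.h` is included only under `#ifdef GSSAPI` in the header hunk; unless every build of this tree defines GSSAPI, that block should be wrapped in the same `#ifdef GSSAPI` / `#endif` to keep non-GSSAPI builds compiling.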