authorColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
committerColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
commitdf03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree1aab079441dff9615274769b19f2d734ddf508dd /clientloop.c
parent6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
Diffstat (limited to 'clientloop.c')
-rw-r--r--clientloop.c55
1 files changed, 36 insertions, 19 deletions
diff --git a/clientloop.c b/clientloop.c
index abe5609de..16a162803 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.201 2008/07/16 11:51:14 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -107,10 +107,13 @@
107#include "atomicio.h" 107#include "atomicio.h"
108#include "sshpty.h" 108#include "sshpty.h"
109#include "misc.h" 109#include "misc.h"
110#include "monitor_fdpass.h"
111#include "match.h" 110#include "match.h"
112#include "msg.h" 111#include "msg.h"
113 112
113#ifdef GSSAPI
114#include "ssh-gss.h"
115#endif
116
114/* import options */ 117/* import options */
115extern Options options; 118extern Options options;
116 119
@@ -770,8 +773,8 @@ process_cmdline(void)
770 void (*handler)(int); 773 void (*handler)(int);
771 char *s, *cmd, *cancel_host; 774 char *s, *cmd, *cancel_host;
772 int delete = 0; 775 int delete = 0;
773 int local = 0; 776 int local = 0, remote = 0, dynamic = 0;
774 u_short cancel_port; 777 int cancel_port;
775 Forward fwd; 778 Forward fwd;
776 779
777 bzero(&fwd, sizeof(fwd)); 780 bzero(&fwd, sizeof(fwd));
@@ -795,6 +798,8 @@ process_cmdline(void)
795 "Request local forward"); 798 "Request local forward");
796 logit(" -R[bind_address:]port:host:hostport " 799 logit(" -R[bind_address:]port:host:hostport "
797 "Request remote forward"); 800 "Request remote forward");
801 logit(" -D[bind_address:]port "
802 "Request dynamic forward");
798 logit(" -KR[bind_address:]port " 803 logit(" -KR[bind_address:]port "
799 "Cancel remote forward"); 804 "Cancel remote forward");
800 if (!options.permit_local_command) 805 if (!options.permit_local_command)
@@ -814,17 +819,22 @@ process_cmdline(void)
814 delete = 1; 819 delete = 1;
815 s++; 820 s++;
816 } 821 }
817 if (*s != 'L' && *s != 'R') { 822 if (*s == 'L')
823 local = 1;
824 else if (*s == 'R')
825 remote = 1;
826 else if (*s == 'D')
827 dynamic = 1;
828 else {
818 logit("Invalid command."); 829 logit("Invalid command.");
819 goto out; 830 goto out;
820 } 831 }
821 if (*s == 'L') 832
822 local = 1; 833 if ((local || dynamic) && delete) {
823 if (local && delete) {
824 logit("Not supported."); 834 logit("Not supported.");
825 goto out; 835 goto out;
826 } 836 }
827 if ((!local || delete) && !compat20) { 837 if (remote && delete && !compat20) {
828 logit("Not supported for SSH protocol version 1."); 838 logit("Not supported for SSH protocol version 1.");
829 goto out; 839 goto out;
830 } 840 }
@@ -842,17 +852,17 @@ process_cmdline(void)
842 cancel_port = a2port(cancel_host); 852 cancel_port = a2port(cancel_host);
843 cancel_host = NULL; 853 cancel_host = NULL;
844 } 854 }
845 if (cancel_port == 0) { 855 if (cancel_port <= 0) {
846 logit("Bad forwarding close port"); 856 logit("Bad forwarding close port");
847 goto out; 857 goto out;
848 } 858 }
849 channel_request_rforward_cancel(cancel_host, cancel_port); 859 channel_request_rforward_cancel(cancel_host, cancel_port);
850 } else { 860 } else {
851 if (!parse_forward(&fwd, s)) { 861 if (!parse_forward(&fwd, s, dynamic, remote)) {
852 logit("Bad forwarding specification."); 862 logit("Bad forwarding specification.");
853 goto out; 863 goto out;
854 } 864 }
855 if (local) { 865 if (local || dynamic) {
856 if (channel_setup_local_fwd_listener(fwd.listen_host, 866 if (channel_setup_local_fwd_listener(fwd.listen_host,
857 fwd.listen_port, fwd.connect_host, 867 fwd.listen_port, fwd.connect_host,
858 fwd.connect_port, options.gateway_ports) < 0) { 868 fwd.connect_port, options.gateway_ports) < 0) {
@@ -1041,7 +1051,6 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1041Supported escape sequences:\r\n\ 1051Supported escape sequences:\r\n\
1042 %c. - terminate session\r\n\ 1052 %c. - terminate session\r\n\
1043 %cB - send a BREAK to the remote system\r\n\ 1053 %cB - send a BREAK to the remote system\r\n\
1044 %cC - open a command line\r\n\
1045 %cR - Request rekey (SSH protocol 2 only)\r\n\ 1054 %cR - Request rekey (SSH protocol 2 only)\r\n\
1046 %c# - list forwarded connections\r\n\ 1055 %c# - list forwarded connections\r\n\
1047 %c? - this message\r\n\ 1056 %c? - this message\r\n\
@@ -1050,8 +1059,7 @@ Supported escape sequences:\r\n\
1050 escape_char, escape_char, 1059 escape_char, escape_char,
1051 escape_char, escape_char, 1060 escape_char, escape_char,
1052 escape_char, escape_char, 1061 escape_char, escape_char,
1053 escape_char, escape_char, 1062 escape_char, escape_char);
1054 escape_char);
1055 } else { 1063 } else {
1056 snprintf(string, sizeof string, 1064 snprintf(string, sizeof string,
1057"%c?\r\n\ 1065"%c?\r\n\
@@ -1086,6 +1094,8 @@ Supported escape sequences:\r\n\
1086 continue; 1094 continue;
1087 1095
1088 case 'C': 1096 case 'C':
1097 if (c && c->ctl_fd != -1)
1098 goto noescape;
1089 process_cmdline(); 1099 process_cmdline();
1090 continue; 1100 continue;
1091 1101
@@ -1428,6 +1438,13 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
1428 /* Do channel operations unless rekeying in progress. */ 1438 /* Do channel operations unless rekeying in progress. */
1429 if (!rekeying) { 1439 if (!rekeying) {
1430 channel_after_select(readset, writeset); 1440 channel_after_select(readset, writeset);
1441
1442 if (options.gss_renewal_rekey &&
1443 ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
1444 debug("credentials updated - forcing rekey");
1445 need_rekeying = 1;
1446 }
1447
1431 if (need_rekeying || packet_need_rekeying()) { 1448 if (need_rekeying || packet_need_rekeying()) {
1432 debug("need rekeying"); 1449 debug("need rekeying");
1433 xxx_kex->done = 0; 1450 xxx_kex->done = 0;
@@ -1639,7 +1656,7 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
1639{ 1656{
1640 Channel *c = NULL; 1657 Channel *c = NULL;
1641 char *listen_address, *originator_address; 1658 char *listen_address, *originator_address;
1642 int listen_port, originator_port; 1659 u_short listen_port, originator_port;
1643 1660
1644 /* Get rest of the packet */ 1661 /* Get rest of the packet */
1645 listen_address = packet_get_string(NULL); 1662 listen_address = packet_get_string(NULL);
@@ -1665,7 +1682,7 @@ client_request_x11(const char *request_type, int rchan)
1665{ 1682{
1666 Channel *c = NULL; 1683 Channel *c = NULL;
1667 char *originator; 1684 char *originator;
1668 int originator_port; 1685 u_short originator_port;
1669 int sock; 1686 int sock;
1670 1687
1671 if (!options.forward_x11) { 1688 if (!options.forward_x11) {
@@ -1729,7 +1746,7 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
1729 return 0; 1746 return 0;
1730 1747
1731 if (!compat20) { 1748 if (!compat20) {
1732 error("Tunnel forwarding is not support for protocol 1"); 1749 error("Tunnel forwarding is not supported for protocol 1");
1733 return -1; 1750 return -1;
1734 } 1751 }
1735 1752
@@ -1853,7 +1870,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
1853 if (reply) { 1870 if (reply) {
1854 packet_start(success ? 1871 packet_start(success ?
1855 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1872 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
1856 packet_put_int(id); 1873 packet_put_int(c->remote_id);
1857 packet_send(); 1874 packet_send();
1858 } 1875 }
1859 xfree(rtype); 1876 xfree(rtype);
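Review bot: In the last hunk (client_input_channel_req), the reply path now dereferences `c` in `packet_put_int(c->remote_id);` with no visible check that `c` is non-NULL. The old line wrote the plain `id`, which was safe even when no channel matched. The function body starts outside the hunk, so the lookup cannot be confirmed from here, but if it can leave `c` NULL for a channel number supplied by the peer, a request with the reply flag set would crash the client. Guarding the block with `if (reply && c != NULL) {` keeps the corrected channel number while skipping the reply for an unknown channel.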