7 files changed, 162 insertions, 12 deletions

diff --git a/ChangeLog b/ChangeLog
index 918c843bb..80140019f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@
  - Sync with OpenBSD glob.c, strlcat.c and vis.c changes
  - Cygwin sftp/sftp-server binary mode patch from Corinna Vinschen 
    <vinschen@redhat.com>
+ - OpenBSD CVS Sync
+   - beck@cvs.openbsd.org 2001/04/13 22:46:54
+     [channels.c channels.h servconf.c servconf.h serverloop.c sshd.8]
+     Add options ClientAliveInterval and ClientAliveCountMax to sshd.
+     This gives the ability to do a "keepalive" via the encrypted channel
+     which can't be spoofed (unlike TCP keepalives). Useful for when you want
+     to use ssh connections to authenticate people for something, and know
+     relatively quickly when they are no longer authenticated. Disabled
+     by default (of course). ok markus@
 
 20010413
  - OpenBSD CVS Sync                                                           
@@ -5054,4 +5063,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1109 2001/04/13 14:28:42 djm Exp $
+$Id: ChangeLog,v 1.1110 2001/04/13 23:28:01 mouring Exp $
diff --git a/channels.c b/channels.c
index a1aa937ae..f4f2c4942 100644
--- a/channels.c
+++ b/channels.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.106 2001/04/11 13:56:13 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.107 2001/04/13 22:46:52 beck Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@@ -1843,6 +1843,41 @@ channel_still_open()
         return 0;
 }
 
+/* Returns the id of an open channel suitable for keepaliving */
+
+int
+channel_find_open()
+{
+        u_int i;
+        for (i = 0; i < channels_alloc; i++)
+                switch (channels[i].type) {
+                case SSH_CHANNEL_CLOSED:
+                        continue;
+                case SSH_CHANNEL_LARVAL:
+                case SSH_CHANNEL_DYNAMIC:
+                case SSH_CHANNEL_AUTH_SOCKET:
+                case SSH_CHANNEL_CONNECTING:    /* XXX ??? */
+                case SSH_CHANNEL_FREE:
+                case SSH_CHANNEL_X11_LISTENER:
+                case SSH_CHANNEL_PORT_LISTENER:
+                case SSH_CHANNEL_RPORT_LISTENER:
+                case SSH_CHANNEL_OPENING:
+                case SSH_CHANNEL_OPEN:
+                case SSH_CHANNEL_X11_OPEN:
+                        return i;
+                case SSH_CHANNEL_INPUT_DRAINING:
+                case SSH_CHANNEL_OUTPUT_DRAINING:
+                        if (!compat13)
+                                fatal("cannot happen: OUT_DRAIN");
+                        return i;
+                default:
+                        fatal("channel_find_open: bad channel type %d", channels[i].type);
+                        /* NOTREACHED */
+                }
+        return -1;
+}
+
+
 /*
  * Returns a message describing the currently open forwarded connections,
  * suitable for sending to the client.  The message contains crlf pairs for
diff --git a/channels.h b/channels.h
index 23e6ece83..bf70a8f21 100644
--- a/channels.h
+++ b/channels.h
@@ -32,7 +32,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: channels.h,v 1.30 2001/04/07 08:55:17 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.31 2001/04/13 22:46:53 beck Exp $"); */
 
 #ifndef CHANNELS_H
 #define CHANNELS_H
@@ -307,4 +307,6 @@ int	channel_connect_to(const char *host, u_short host_port);
 int     channel_connect_by_listen_adress(u_short listen_port);
 int     x11_connect_display(void);
 
+int     channel_find_open(void);
+
 #endif
diff --git a/servconf.c b/servconf.c
index f3d5068c0..f978c632b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.76 2001/04/12 20:09:37 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.77 2001/04/13 22:46:53 beck Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -99,6 +99,8 @@ initialize_server_options(ServerOptions *options)
         options->max_startups = -1;
         options->banner = NULL;
         options->reverse_mapping_check = -1;
+        options->client_alive_interval = -1;
+        options->client_alive_count_max = -1;
 }
 
 void
@@ -201,6 +203,10 @@ fill_default_server_options(ServerOptions *options)
                 options->max_startups_begin = options->max_startups;
         if (options->reverse_mapping_check == -1)
                 options->reverse_mapping_check = 0;
+        if (options->client_alive_interval == -1)
+                options->client_alive_interval = 0;  
+        if (options->client_alive_count_max == -1)
+                options->client_alive_count_max = 3;
 }
 
 /* Keyword tokens. */
@@ -225,7 +231,8 @@ typedef enum {
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
         sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
         sBanner, sReverseMappingCheck, sHostbasedAuthentication,
-        sHostbasedUsesNameFromPacketOnly
+        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
+        sClientAliveCountMax
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -289,6 +296,8 @@ static struct {
         { "maxstartups", sMaxStartups },
         { "banner", sBanner },
         { "reversemappingcheck", sReverseMappingCheck },
+        { "clientaliveinterval", sClientAliveInterval },
+        { "clientalivecountmax", sClientAliveCountMax },
         { NULL, 0 }
 };
 
@@ -792,7 +801,12 @@ parse_flag:
                 case sBanner:
                         charptr = &options->banner;
                         goto parse_filename;
-
+                case sClientAliveInterval:
+                        intptr = &options->client_alive_interval;
+                        goto parse_int;
+                case sClientAliveCountMax:
+                        intptr = &options->client_alive_count_max;
+                        goto parse_int;
                 default:
                         fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
                                 filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 9b3a60f08..4c02c0f52 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.40 2001/04/12 19:15:25 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.41 2001/04/13 22:46:53 beck Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -115,6 +115,15 @@ typedef struct {
         int     max_startups;
         char   *banner;                 /* SSH-2 banner message */
         int     reverse_mapping_check;  /* cross-check ip and dns */
+        int     client_alive_interval;  /*
+                                         * poke the client this often to 
+                                         * see if it's still there 
+                                         */
+        int     client_alive_count_max; /*
+                                         *If the client is unresponsive
+                                         * for this many intervals, above
+                                         * diconnect the session 
+                                         */
 
 }       ServerOptions;
 /*
diff --git a/serverloop.c b/serverloop.c
index d6b360d9a..5a5b1e37f 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.60 2001/04/05 23:39:20 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.61 2001/04/13 22:46:54 beck Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -91,6 +91,8 @@ static volatile int child_wait_status;	/* Status from wait(). */
 
 void    server_init_dispatch(void);
 
+int client_alive_timeouts = 0;
+
 void
 sigchld_handler(int sig)
 {
@@ -190,6 +192,21 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
 {
         struct timeval tv, *tvp;
         int ret;
+        int client_alive_scheduled = 0;
+
+        /*
+         * if using client_alive, set the max timeout accordingly, 
+         * and indicate that this particular timeout was for client
+         * alive by setting the client_alive_scheduled flag.
+         *
+         * this could be randomized somewhat to make traffic
+         * analysis more difficult, but we're not doing it yet.  
+         */
+        if (max_time_milliseconds == 0 && options.client_alive_interval) {
+                client_alive_scheduled = 1;
+                max_time_milliseconds = options.client_alive_interval * 1000;
+        } else 
+                client_alive_scheduled = 0;
 
         /* When select fails we restart from here. */
 retry_select:
@@ -239,7 +256,7 @@ retry_select:
          * from it, then read as much as is available and exit.
          */
         if (child_terminated && packet_not_very_much_data_to_write())
-                if (max_time_milliseconds == 0)
+                if (max_time_milliseconds == 0 || client_alive_scheduled)
                         max_time_milliseconds = 100;
 
         if (max_time_milliseconds == 0)
@@ -255,12 +272,36 @@ retry_select:
         /* Wait for something to happen, or the timeout to expire. */
         ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
 
-        if (ret < 0) {
+        if (ret == -1) {
                 if (errno != EINTR)
                         error("select: %.100s", strerror(errno));
                 else
                         goto retry_select;
         }
+        if (ret == 0 && client_alive_scheduled) {
+                /* timeout, check to see how many we have had */
+                client_alive_timeouts++;
+
+                if (client_alive_timeouts > options.client_alive_count_max ) {
+                        packet_disconnect(
+                                "Timeout, your session not responding.");
+                } else {
+                        /*
+                         * send a bogus channel request with "wantreply" 
+                         * we should get back a failure
+                         */
+                        int id;
+                        
+                        id = channel_find_open();
+                        if (id != -1) {
+                                channel_request_start(id,
+                                  "keepalive@openssh.com", 1);
+                                packet_send();
+                        } else 
+                                packet_disconnect(
+                                        "No open channels after timeout!");
+                }
+        } 
 }
 
 /*
@@ -701,6 +742,19 @@ server_loop2(void)
 }
 
 void
+server_input_channel_failure(int type, int plen, void *ctxt)
+{
+        debug("Got CHANNEL_FAILURE for keepalive");
+        /* 
+         * reset timeout, since we got a sane answer from the client.
+         * even if this was generated by something other than
+         * the bogus CHANNEL_REQUEST we send for keepalives.
+         */
+        client_alive_timeouts = 0; 
+}
+
+
+void
 server_input_stdin_data(int type, int plen, void *ctxt)
 {
         char *data;
@@ -912,7 +966,8 @@ server_init_dispatch_20(void)
         dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
         dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
         dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
-
+        /* client_alive */
+        dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_channel_failure);
         /* rekeying */
         dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
@@ -949,3 +1004,4 @@ server_init_dispatch(void)
         else
                 server_init_dispatch_15();
 }
+
diff --git a/sshd.8 b/sshd.8
index da95eaef7..887cc3ba3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.114 2001/04/11 16:25:31 lebel Exp $
+.\" $OpenBSD: sshd.8,v 1.115 2001/04/13 22:46:54 beck Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -363,6 +363,31 @@ Specifies whether
 should check for new mail for interactive logins.
 The default is
 .Dq no .
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client, 
+.Nm
+will send a message through the encrypted
+channel to request a response from the client. This may only be
+used on a server supporting only protocol version 2. The default
+is 0, indicating that these messages will not be sent to the client.
+.It Cm ClientAliveCountMax
+Sets the number of client alive messages (see above) which may be
+sent without
+.Nm
+receiving any messages back from the client. If this threshold is
+reached while client alive messages are being sent, 
+.Nm
+will disconnect the client, terminating the session. It is important
+to note that the use of client alive messages is very different from 
+Keepalive (below). The client alive messages are sent through the
+encrypted channel and therefore will not be spoofable. The TCP keepalive
+option enable by Keepalive is spoofable. You want to use the client
+alive mechanism when you are basing something important on
+clients having an active connection to the server.
+ The default is value is 3. If you set ClientAliveInterval
+(above) to 15, and leave this value at the default, unresponsive ssh clients
+will be disconnected after approximately 45 seconds. 
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated
 by spaces.