| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@
|
| |
|
|
| |
forwards per direction; ok markus@ stevesk@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Prevents misordering of replies if new requests arrive while waiting.
Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.
motivated by and with feedback from markus@
|
| |
|
|
|
|
| |
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.
avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.
implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.
add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).
feedback Salvador Fandino, dtucker@
channel changes ok markus@
|
| |
|
|
|
|
| |
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.
For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
|
| |
|
|
|
|
| |
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@
|
| |
|
|
| |
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
| |
from other files. No functional changes.
ok markus@ djm@
|
| |
|
|
|
| |
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@
|
| |
|
|
| |
it was missing some tweaks suggested by stevesk@
|
| |
|
|
| |
there and fixing bz#1380 in the process; ok markus@
|
| |
|
|
| |
"looks ok" markus@
|
| |
|
|
|
| |
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@
|
| |
|
|
|
| |
for that config option. suggested by markus@; ok markus@ djm@
dtucker@
|
| | |
|
| |
|
|
| |
permitopen's; ok and input dtucker@
|
| | |
|
| | |
|
| |
|
|
| |
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@
|
| |
|
|
| |
reported by dkrause@
|
| | |
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
|
| |
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus
|
| |
|
|
| |
small memory leak per session; plug it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
its own escape state and hook the escape filters up to muxed
channels. bz #1331
Mux slaves do not currently support the ~^Z and ~& escapes.
NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.
ok dtucker@
|
| |
|
|
|
|
| |
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm
|
| |
|
|
|
|
| |
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@
|
| |
|
|
|
|
|
|
|
| |
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.
Reported by stig AT venaas.com in bz#343
great feedback and ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
|
| |
|
|
| |
~10% speedup for localhost-scp; ok djm@
|
| |
|
|
| |
CVE-2008-1483; ok djm@
|
| |
|
|
|
|
|
|
|
| |
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.
report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@
|
| |
|
|
|
| |
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@
|
| |
|
|
| |
window updates for every single packet. ok markus@
|
| |
|
|
| |
until 50% of the window is consumed. ok djm dtucker
|
| | |
|
| |
|
|
|
|
| |
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@
|
| |
|
|
|
| |
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@
|
| |
|
|
|
| |
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.
If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
|
djm
dtucker
markus
reyk
andreas
stevesk
deraadt