| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
authentication cookies to avoid fallback in X11 code to fully-trusted
implicit authentication using SO_PEERCRED described at:
http://lists.x.org/archives/xorg-devel/2010-May/008636.html
After the X11ForwardTimeout has expired the client will now refuse
incoming X11 channel opens.
based on patch from Tavis Ormandy; "nice" markus@
|
| |
|
|
|
|
|
| |
after authentication is successful to mitigate "phishing" attacks by
servers with trusted keys that accept authentication silently and
automatically before presenting fake password/passphrase prompts;
"nice!" markus@
|
| |
|
|
|
|
| |
use with
LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
feedback and ok djm@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Prevents misordering of replies if new requests arrive while waiting.
Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.
motivated by and with feedback from markus@
|
| |
|
|
| |
is not a tty; ok dtucker@ markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
provider (shared library) while ssh-agent(1) delegates PKCS#11 to
a forked a ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.
avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.
implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.
add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).
feedback Salvador Fandino, dtucker@
channel changes ok markus@
|
| |
|
|
|
|
| |
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.
For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.
Based on a diff by halex@
ok halex@ djm@ deraadt@
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
| |
supports it.
ok markus@
|
| | |
|
| | |
|
| |
|
|
|
| |
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@
|
| |
|
|
|
|
|
|
|
|
|
| |
rather than 0, which it will now treat as valid (needed for future work)
adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int
make use of int vs. u_short consistent in some other places too
feedback & ok markus@
|
| | |
|
| | |
|
| |
|
|
|
| |
Useful for daemonised ssh connection (ssh -f). Patch originally from
and ok'd by markus@
|
| |
|
|
| |
fixes interop problems with broken ssh v2 implementations; ok djm@
|
| |
|
|
|
|
| |
enabled, delay the fork until after replies for any -R forwards have
been seen. Allows for robust detection of -R forward failure when
using -f (similar to bz#92); ok dtucker@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
expect replies to, similar to the per-channel confirmation queue.
Use this queue to verify success or failure for remote forward
establishment in a race free way.
ok dtucker@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
client sends when it knows that it will never request another session
(i.e. when session multiplexing is disabled). This allows a server to
disallow further session requests and terminate the session.
Why would a non-multiplexing client ever issue additional session
requests? It could have been attacked with something like SSH'jack:
http://www.storm.net.nz/projects/7
feedback & ok markus
|
| | |
|
| |
|
|
|
|
|
| |
making the function names more consistent - making ssh.c and
clientloop.c a fair bit more readable.
ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
with "important" channel requests that fail, in particular command exec,
shell and subsystem requests. Previously we would optimistically assume
that the requests would always succeed, which could cause hangs if they
did not (e.g. when the server runs out of fds) or were unimplemented by
the server (bz #1384)
Also, properly report failing multiplex channel requests via the mux
client stderr (subject to LogLevel in the mux master) - better than
silently failing.
most bits ok markus@ (as part of a larger diff)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
|
| |
|
|
|
| |
server runs out of fds on us midway. Report and patch from
gregory_shively AT fanniemae.com
|
| | |
|
| | |
|
| |
|
|
|
| |
inside tilde_expand_filename(); save the data we need carefully
ok djm
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
SSH banner exchange (previously it just covered the TCP connection).
This allows callers of ssh(1) to better detect and deal with stuck servers
that accept a TCP connection but don't progress the protocol, and also makes
ConnectTimeout useful for connections via a ProxyCommand;
feedback and "looks ok" markus@
|
| |
|
|
|
| |
when it encounters problems, and use this to make session multiplexing
masters survive slaves failing to pass all stdio FDs; ok markus@
|
| |
|
|
|
|
| |
tunnel device is opened. Also, make failures to open a tunnel device
fatal when ExitOnForwardFailure is active.
Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
|
| |
|
|
|
| |
writes an entire int of data *and* closes the client_fd; fixes mux
regression spotted by dtucker, ok dtucker@
|
| | |
|
| |
|
|
| |
reported by alexandre.nunes AT gmail.com; ok dtucker@
|
| |
|
|
|
|
| |
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
and is useful for hosts with /home on Kerberised NFS; bz #1312
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
|
| |
|
|
|
| |
full exit status by ensuring that the slave reads a full int. bz#1261
reported by frekko AT gmail.com; ok markus@ dtucker@
|
| | |
|
| | |
|
| |
|
|
|
| |
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
| | |
|
djm
markus
jmc
dtucker
guenther
reyk
andreas
stevesk
deraadt