wok-current view openssh/stuff/knock.u @ rev 21931
updated sord-dev (0.8.0 -> 0.16.2)
author | Hans-G?nter Theisgen |
---|---|
date | Sun Oct 06 15:31:03 2019 +0100 (2019-10-06) |
parents | fa77ea692592 |
children |
1 From https://gnunet.org/knock :
2 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
3 --- a/readconf.c
4 +++ b/readconf.c
5 @@ -173,6 +173,9 @@
6 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
7 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
8 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
9 +#ifdef TCP_STEALTH
10 + oTCPStealthSecret,
11 +#endif
12 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
13 } OpCodes;
15 @@ -309,6 +312,9 @@
16 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
17 { "ignoreunknown", oIgnoreUnknown },
18 { "proxyjump", oProxyJump },
19 +#ifdef TCP_STEALTH
20 + oTCPStealthSecret,
21 +#endif
23 { NULL, oBadOption }
24 };
25 @@ -1722,6 +1728,23 @@
26 *charptr = xstrdup(arg);
27 break;
29 +#ifdef TCP_STEALTH
30 + case oTCPStealthSecret:
31 + charptr = &options->tcp_stealth_secret;
32 +
33 + arg = strdelim(&s);
34 + if (!arg || *arg == '\0')
35 + fatal("%.200s line %d: Missing argument.",
36 + filename, linenum);
37 +
38 + if (*activep && *charptr == NULL) {
39 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
40 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
41 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
42 + }
43 +
44 + break;
45 +#endif
46 case oDeprecated:
47 debug("%s line %d: Deprecated option \"%s\"",
48 filename, linenum, keyword);
49 @@ -1926,6 +1949,9 @@
50 options->update_hostkeys = -1;
51 options->hostbased_key_types = NULL;
52 options->pubkey_key_types = NULL;
53 +#ifdef TCP_STEALTH
54 + options->tcp_stealth_secret = NULL;
55 +#endif
56 }
58 /*
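Review bot: The second hunk inserts a bare `oTCPStealthSecret,` into the keywords table, whose entries are `{ "name", opcode }` pairs (compare `{ "proxyjump", oProxyJump },` directly above it), so the client keyword `TCPStealthSecret` that ssh_config.5 documents is never mapped to its opcode; at best this is a constraint violation (an enum initialising the next entry's `name` pointer via brace elision), at worst it compiles and the option is rejected as unknown. The entry should read `{ "tcpstealthsecret", oTCPStealthSecret },`, mirroring what the servconf.c hunk does for the server. In the third hunk the `xmalloc` + `memset` pair can be `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1)` as the ssh.c hunk already does; the same applies to the matching servconf.c hunk. process_config_line starts and ends outside the hunk.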
59 --- a/readconf.h
60 +++ b/readconf.h
61 @@ -166,6 +166,10 @@
62 char *jump_extra;
64 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
65 +
66 +#ifdef TCP_STEALTH
67 + char *tcp_stealth_secret;
68 +#endif
69 } Options;
71 #define SSH_CANONICALISE_NO 0
72 --- a/servconf.c
73 +++ b/servconf.c
74 @@ -180,6 +180,9 @@
75 options->fingerprint_hash = -1;
76 options->disable_forwarding = -1;
77 options->expose_userauth_info = -1;
78 +#ifdef TCP_STEALTH
79 + options->tcp_stealth_secret = NULL;
80 +#endif
81 }
83 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
84 @@ -497,6 +500,9 @@
85 sStreamLocalBindMask, sStreamLocalBindUnlink,
86 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
87 sExposeAuthInfo, sRDomain,
88 +#ifdef TCP_STEALTH
89 + sTCPStealthSecret,
90 +#endif
91 sDeprecated, sIgnore, sUnsupported
92 } ServerOpCodes;
94 @@ -645,6 +651,9 @@
95 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
96 { "rdomain", sRDomain, SSHCFG_ALL },
97 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
98 +#ifdef TCP_STEALTH
99 + { "tcpstealthsecret", sTCPStealthSecret },
100 +#endif
101 { NULL, sBadOption, 0 }
102 };
104 @@ -2149,6 +2158,23 @@
105 *charptr = xstrdup(arg);
106 break;
108 +#ifdef TCP_STEALTH
109 + case sTCPStealthSecret:
110 + charptr = &options->tcp_stealth_secret;
111 +
112 + arg = strdelim(&cp);
113 + if (!arg || *arg == '\0')
114 + fatal("%s line %d: Missing argument.",
115 + filename, linenum);
116 +
117 + if (*activep && *charptr == NULL) {
118 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
119 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
120 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
121 + }
122 +
123 + break;
124 +#endif
125 case sDeprecated:
126 case sIgnore:
127 case sUnsupported:
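Review bot: The table entry added in the third hunk, `{ "tcpstealthsecret", sTCPStealthSecret },`, omits the flags field that every neighbouring entry carries (`SSHCFG_ALL` on `rdomain` and `casignaturealgorithms`), so its flags are implicitly 0, which is neither the global nor the Match permission bit and presumably makes the keyword unusable in at least one of those contexts. Since the secret is consumed once when the listen sockets are created (the sshd.c hunk calls `setsockopt(listen_sock, …)` before any client can match), `{ "tcpstealthsecret", sTCPStealthSecret, SSHCFG_GLOBAL },` looks like the accurate choice; `SSHCFG_ALL` would only be right if a Match-scoped value could actually take effect. The `fatal()` on a missing argument and the first-value-wins `*charptr == NULL` guard follow the surrounding string-option cases. process_server_config_line starts and ends outside the hunk.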
128 --- a/servconf.h
129 +++ b/servconf.h
130 @@ -210,6 +210,9 @@
131 int fingerprint_hash;
132 int expose_userauth_info;
133 u_int64_t timing_secret;
134 +#ifdef TCP_STEALTH
135 + char *tcp_stealth_secret;
136 +#endif
137 } ServerOptions;
139 /* Information about the incoming connection as used by Match */
140 @@ -232,6 +235,11 @@
141 * NB. an option must appear in servconf.c:copy_set_server_options() or
142 * COPY_MATCH_STRING_OPTS here but never both.
143 */
144 +#ifdef TCP_STEALTH
145 +#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
146 +#else
147 +#define M_CP_STEALTHSCRT(X)
148 +#endif
149 #define COPY_MATCH_STRING_OPTS() do { \
150 M_CP_STROPT(banner); \
151 M_CP_STROPT(trusted_user_ca_keys); \
152 @@ -255,6 +263,7 @@
153 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
154 M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
155 M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
156 + M_CP_STEALTHSCRT(tcp_stealth_secret); \
157 } while (0)
159 struct connection_info *get_connection_info(int, int);
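Review bot: Adding `M_CP_STEALTHSCRT(tcp_stealth_secret)` to COPY_MATCH_STRING_OPTS lets a Match block override the secret, but the value is applied with `setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, …)` in the sshd.c hunk when the listeners are created, before any connection exists to match, so a Match-scoped TCPStealthSecret would presumably be accepted by the parser and silently have no effect. Either keep the option global-only (drop this macro line) or state in sshd_config.5 that it is ignored inside Match. Separately, `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);` carries a trailing semicolon while the call site `M_CP_STEALTHSCRT(tcp_stealth_secret); \` already supplies one; `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X)` avoids the stray empty statement.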
160 --- a/ssh.0
161 +++ b/ssh.0
162 @@ -9,8 +9,8 @@
163 [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
164 [-J destination] [-L address] [-l login_name] [-m mac_spec]
165 [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
166 - [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
167 - [command]
168 + [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
169 + [-z tcp_stealth_secret] destination [command]
171 DESCRIPTION
172 ssh (SSH client) is a program for logging into a remote machine and for
173 @@ -436,6 +436,20 @@
175 -y Send log information using the syslog(3) system module. By
176 default this information is sent to stderr.
177 +
178 + -z tcp_stealth_secret
179 + Specifies the shared secret which is needed to connect to a stealth
180 + SSH TCP server. Any string specified will be truncated to or padded
181 + with zeroes to 64 bytes. This option needs kernel support and is
182 + therefore only available if the required setsockopt() call is
183 + available.
184 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
185 + for details.
186 +
187 + IMPORTANT: This option should only be used for the purpose of
188 + testing as other users could easily read out the secret from the
189 + command line arguments. The TCPStealthSecret configuration option
190 + is the preferred way of specifying the TCP Stealth secret.
192 ssh may additionally obtain configuration data from a per-user
193 configuration file and a system-wide configuration file. The file format
194 --- a/ssh.1
195 +++ b/ssh.1
196 @@ -64,6 +64,7 @@
197 .Op Fl S Ar ctl_path
198 .Op Fl W Ar host : Ns Ar port
199 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
200 +.Op Fl z Ar tcp_stealth_secret
201 .Ar destination
202 .Op Ar command
203 .Sh DESCRIPTION
204 @@ -536,6 +537,7 @@
205 .It StreamLocalBindUnlink
206 .It StrictHostKeyChecking
207 .It TCPKeepAlive
208 +.It TCPStealthSecret
209 .It Tunnel
210 .It TunnelDevice
211 .It UpdateHostKeys
212 @@ -795,6 +797,21 @@
213 .Xr syslog 3
214 system module.
215 By default this information is sent to stderr.
216 +.It Fl z Ar tcp_stealth_secret
217 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
218 +server. Any string specified will be truncated to or padded with zeroes to 64
219 +bytes. This option needs kernel support and is therefore only available if the
220 +required
221 +.Xr setsockopt 2
222 +call is available.
223 +.Pp
224 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
225 +.Pp
226 +.Cm IMPORTANT:
227 +This option should only be used for the purpose of testing as other users could
228 +easily read out the secret from the command line arguments. The
229 +.Cm TCPStealthSecret
230 +configuration option is the preferred way of specifying the TCP Stealth secret.
231 .El
232 .Pp
233 .Nm
234 --- a/ssh.c
235 +++ b/ssh.c
236 @@ -190,6 +190,14 @@
237 extern int muxserver_sock;
238 extern u_int muxclient_command;
240 +#ifdef TCP_STEALTH
241 +#define OPT_STEALTH "[-z tcp_stealth_secret] "
242 +#define GETOPT_STEALTH "z:"
243 +#else
244 +#define OPT_STEALTH ""
245 +#define GETOPT_STEALTH ""
246 +#endif
247 +
248 /* Prints a help message to the user. This function never returns. */
250 static void
251 @@ -202,7 +210,7 @@
252 " [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
253 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
254 " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
255 -" [-w local_tun[:remote_tun]] destination [command]\n"
256 +" [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
257 );
258 exit(255);
259 }
260 @@ -657,7 +665,7 @@
262 again:
263 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
264 - "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
265 + "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
266 switch (opt) {
267 case '1':
268 fatal("SSH protocol v.1 is no longer supported");
269 @@ -979,6 +987,14 @@
270 case 'F':
271 config = optarg;
272 break;
273 +#ifdef TCP_STEALTH
274 + case 'z':
275 + options.tcp_stealth_secret =
276 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
277 + strncpy(options.tcp_stealth_secret, optarg,
278 + TCP_STEALTH_SECRET_SIZE);
279 + break;
280 +#endif
281 default:
282 usage();
283 }
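Review bot: The `case 'z':` added in the last hunk copies the secret out of `optarg` but leaves it in argv, where on Linux it stays readable through the process's command line for the whole session; overwriting it in place after the copy, `explicit_bzero(optarg, strlen(optarg));`, narrows that exposure to the moment of exec, which is the weakness the ssh.1 text already warns about. A repeated `-z` also leaks the earlier `xcalloc` allocation, because nothing frees `options.tcp_stealth_secret` before it is reassigned. The `case 'z'` added in the sshd.c hunk has the same two issues. main starts and ends outside the hunk.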
284 --- a/ssh_config.0
285 +++ b/ssh_config.0
286 @@ -945,6 +945,15 @@
287 To disable TCP keepalive messages, the value should be set to no.
288 See also ServerAliveInterval for protocol-level keepalives.
290 + TCPStealthSecret
291 + Specifies the shared secret which is needed to connect to a stealth
292 + SSH TCP Server. Any string specified will be truncated to or padded
293 + with zeroes to 64 bytes. This option needs kernel support and is
294 + therefore only available if the required setsockopt() call is
295 + available.
296 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
297 + for details.
298 +
299 Tunnel Request tun(4) device forwarding between the client and the
300 server. The argument must be yes, point-to-point (layer 3),
301 ethernet (layer 2), or no (the default). Specifying yes requests
302 --- a/ssh_config.5
303 +++ b/ssh_config.5
304 @@ -1548,6 +1548,15 @@
305 See also
306 .Cm ServerAliveInterval
307 for protocol-level keepalives.
308 +.It Cm TCPStealthSecret
309 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
310 +Server. Any string specified will be truncated to or padded with zeroes to 64
311 +bytes. This option needs kernel support and is therefore only available if the
312 +required
313 +.Xr setsockopt 2
314 +call is available.
315 +.Pp
316 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
317 .It Cm Tunnel
318 Request
319 .Xr tun 4
320 --- a/sshconnect.c
321 +++ b/sshconnect.c
322 @@ -349,6 +349,18 @@
323 }
324 fcntl(sock, F_SETFD, FD_CLOEXEC);
326 +#ifdef TCP_STEALTH
327 + if (options.tcp_stealth_secret) {
328 + if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
329 + options.tcp_stealth_secret,
330 + TCP_STEALTH_SECRET_SIZE) == -1) {
331 + error("setsockopt TCP_STEALTH: %s", strerror(errno));
332 + close(sock);
333 + return -1;
334 + }
335 + }
336 +#endif
337 +
338 /* Bind the socket to an alternative local IP address */
339 if (options.bind_address == NULL && options.bind_interface == NULL)
340 return sock;
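Review bot: The error branch closes the socket and returns -1, matching the bind-failure path just below it, which is the right fail-closed choice for a client that was told to use a stealth secret. What the hunk does not address is the lifetime of `options.tcp_stealth_secret`: the kernel holds its own copy after this call, yet the 64-byte secret remains in process memory for the whole session. Because this function is presumably re-entered for connection retries, the buffer cannot be scrubbed here; an `explicit_bzero` and `free` belong after the connection is established, outside this hunk. The enclosing function starts and ends outside the hunk.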
341 --- a/sshd.0
342 +++ b/sshd.0
343 @@ -7,6 +7,7 @@
344 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
345 [-E log_file] [-f config_file] [-g login_grace_time]
346 [-h host_key_file] [-o option] [-p port] [-u len]
347 + [-z tcp_stealth_secret]
349 DESCRIPTION
350 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
351 @@ -122,6 +123,20 @@
352 from="pattern-list" option in a key file. Configuration options
353 that require DNS include using a USER@HOST pattern in AllowUsers
354 or DenyUsers.
355 + -z tcp_stealth_secret
356 + Turns this SSH server into a Stealth SSH TCP Server. This option
357 + specifies the shared secret which is needed by the clients in order
358 + to be able to connect to the port the SSH server is listening on.
359 + Any string specified will be truncated or padded with zeroes to 64
360 + bytes. This option needs kernel support and is therefore only
361 + available if the required setsockopt() call is available.
362 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
363 + for details.
364 +
365 + IMPORTANT: This option should only be used for the purpose of
366 + testing as other users could easily read out the secret from the
367 + command line arguments. The TCPStealthSecret configuration option
368 + is the preferred way of specifying the TCP Stealth secret.
370 AUTHENTICATION
371 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
372 --- a/sshd.8
373 +++ b/sshd.8
374 @@ -53,6 +53,7 @@
375 .Op Fl o Ar option
376 .Op Fl p Ar port
377 .Op Fl u Ar len
378 +.Op Fl z Ar tcp_stealth_secret
379 .Ek
380 .Sh DESCRIPTION
381 .Nm
382 @@ -244,6 +245,24 @@
383 .Cm AllowUsers
384 or
385 .Cm DenyUsers .
386 +.It Fl z Ar tcp_stealth_secret
387 +Turns this SSH server into a stealth SSH TCP server. This option specifies the
388 +shared secret which is needed by the clients in order to be able to connect to
389 +the port the SSH server is listening on. Any string specified will be truncated
390 +or padded with zeroes to 64 bytes. This option needs kernel support and is
391 +therefore only available if the required
392 +.Xr setsockopt 2
393 +call is available.
394 +.Pp
395 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
396 +
397 +.Cm IMPORTANT:
398 +This option should only be used for the purpose of
399 +testing as other users could easily read out the secret from the
400 +command line arguments. The
401 +.Cm TCPStealthSecret
402 +configuration option
403 +is the preferred way of specifying the TCP Stealth secret.
404 .El
405 .Sh AUTHENTICATION
406 The OpenSSH SSH daemon supports SSH protocol 2 only.
407 --- a/sshd.c
408 +++ b/sshd.c
409 @@ -911,6 +911,14 @@
410 return (r < p) ? 1 : 0;
411 }
413 +#ifdef TCP_STEALTH
414 +#define OPT_STEALTH " [-z tcp_stealth_secret]"
415 +#define GETOPT_STEALTH "z:"
416 +#else
417 +#define OPT_STEALTH ""
418 +#define GETOPT_STEALTH ""
419 +#endif
420 +
421 static void
422 usage(void)
423 {
424 @@ -926,6 +934,7 @@
425 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
426 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
427 " [-h host_key_file] [-o option] [-p port] [-u len]\n"
428 +" " OPT_STEALTH "\n"
429 );
430 exit(1);
431 }
432 @@ -1075,6 +1084,16 @@
433 continue;
434 }
436 +#ifdef TCP_STEALTH
437 + if (options.tcp_stealth_secret != NULL) {
438 + if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
439 + options.tcp_stealth_secret,
440 + TCP_STEALTH_SECRET_SIZE) == -1)
441 + error("setsockopt TCP_STEALTH: %s",
442 + strerror(errno));
443 + }
444 +#endif
445 +
446 /* Only communicate in IPv6 over AF_INET6 sockets. */
447 if (ai->ai_family == AF_INET6)
448 sock_set_v6only(listen_sock);
449 @@ -1515,7 +1534,7 @@
451 /* Parse command-line arguments. */
452 while ((opt = getopt(ac, av,
453 - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
454 + GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
455 switch (opt) {
456 case '4':
457 options.address_family = AF_INET;
458 @@ -1616,6 +1635,14 @@
459 exit(1);
460 free(line);
461 break;
462 +#ifdef TCP_STEALTH
463 + case 'z':
464 + options.tcp_stealth_secret =
465 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
466 + strncpy(options.tcp_stealth_secret, optarg,
467 + TCP_STEALTH_SECRET_SIZE);
468 + break;
469 +#endif
470 case '?':
471 default:
472 usage();
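Review bot: In the hunk that touches the listener loop, a failed `setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, …)` only logs with `error()` and the loop continues to listen on that socket, so a server configured with TCPStealthSecret silently degrades to an ordinary, scannable listener — the opposite of what the sshd_config.5 text promises, and inconsistent with the sshconnect.c hunk, where the same failure aborts the connection. Failing closed, `fatal("setsockopt TCP_STEALTH: %s", strerror(errno));`, keeps the documented guarantee; an operator who wants best-effort behaviour can simply leave the option unset. The enclosing function starts and ends outside the hunk.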
473 --- a/sshd_config.0
474 +++ b/sshd_config.0
475 @@ -937,6 +937,19 @@
477 To disable TCP keepalive messages, the value should be set to no.
479 + TCPStealthSecret
480 + Turns this SSH server into a stealth SSH TCP server. This
481 + configuration option specifies the shared secret needed by the
482 + clients in order to be able to connect to the port the SSH server
483 + is listening on. This means that port scanners will receive a
484 + TCP RST and thus will not recognize this TCP port being open.
485 +
486 + Any string specified will be truncated or padded with zeroes to 64
487 + bytes. This option needs kernel support and is therefore only
488 + available if the required setsockopt() call is available.
489 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
490 + for details.
491 +
492 TrustedUserCAKeys
493 Specifies a file containing public keys of certificate
494 authorities that are trusted to sign user certificates for
495 --- a/sshd_config.5
496 +++ b/sshd_config.5
497 @@ -1567,6 +1567,18 @@
498 .Pp
499 To disable TCP keepalive messages, the value should be set to
500 .Cm no .
501 +.It Cm TCPStealthSecret
502 +Turns this SSH server into a stealth SSH TCP server. This configuration option
503 +specifies the shared secret needed by the clients in order to be able to connect
504 +to the port the SSH server is listening on. This means that port scanners will
505 +receive a TCP RST and thus will not recognize this TCP port being open. Any
506 +string specified will be truncated or padded with zeroes to 64 bytes. This
507 +option needs kernel support and is therefore only available if the required
508 +.Xr setsockopt 2
509 +call is available.
510 +.Pp
511 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
512 +
513 .It Cm TrustedUserCAKeys
514 Specifies a file containing public keys of certificate authorities that are
515 trusted to sign user certificates for authentication, or