wok diff openssh/stuff/knock.u @ rev 21332
Up libltdl (2.4.6), mtp-tools (1.1.16)
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Fri Apr 19 15:52:41 2019 +0200 (2019-04-19) |
parents | fa77ea692592 |
children |
1.1 --- a/openssh/stuff/knock.u Fri May 18 13:47:33 2018 +0200 1.2 +++ b/openssh/stuff/knock.u Fri Apr 19 15:52:41 2019 +0200 1.3 @@ -2,29 +2,29 @@ 1.4 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff 1.5 --- a/readconf.c 1.6 +++ b/readconf.c 1.7 -@@ -172,6 +172,9 @@ 1.8 +@@ -173,6 +173,9 @@ 1.9 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 1.10 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 1.11 - oPubkeyAcceptedKeyTypes, oProxyJump, 1.12 + oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, 1.13 +#ifdef TCP_STEALTH 1.14 + oTCPStealthSecret, 1.15 +#endif 1.16 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 1.17 } OpCodes; 1.18 1.19 -@@ -305,6 +308,9 @@ 1.20 +@@ -309,6 +312,9 @@ 1.21 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 1.22 { "ignoreunknown", oIgnoreUnknown }, 1.23 { "proxyjump", oProxyJump }, 1.24 +#ifdef TCP_STEALTH 1.25 -+ { "tcpstealthsecret", oTCPStealthSecret }, 1.26 ++ oTCPStealthSecret, 1.27 +#endif 1.28 1.29 { NULL, oBadOption } 1.30 }; 1.31 -@@ -1669,6 +1675,23 @@ 1.32 - charptr = &options->identity_agent; 1.33 - goto parse_string; 1.34 +@@ -1722,6 +1728,23 @@ 1.35 + *charptr = xstrdup(arg); 1.36 + break; 1.37 1.38 +#ifdef TCP_STEALTH 1.39 + case oTCPStealthSecret: 1.40 @@ -46,7 +46,7 @@ 1.41 case oDeprecated: 1.42 debug("%s line %d: Deprecated option \"%s\"", 1.43 filename, linenum, keyword); 1.44 -@@ -1869,6 +1892,9 @@ 1.45 +@@ -1926,6 +1949,9 @@ 1.46 options->update_hostkeys = -1; 1.47 options->hostbased_key_types = NULL; 1.48 options->pubkey_key_types = NULL; 1.49 @@ -58,7 +58,7 @@ 1.50 /* 1.51 --- a/readconf.h 1.52 +++ b/readconf.h 1.53 -@@ -164,6 +164,10 @@ 1.54 +@@ -166,6 +166,10 @@ 1.55 char *jump_extra; 1.56 1.57 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ 1.58 @@ -71,7 +71,7 @@ 1.59 #define SSH_CANONICALISE_NO 0 1.60 --- a/servconf.c 1.61 
+++ b/servconf.c 1.62 -@@ -165,6 +165,9 @@ 1.63 +@@ -180,6 +180,9 @@ 1.64 options->fingerprint_hash = -1; 1.65 options->disable_forwarding = -1; 1.66 options->expose_userauth_info = -1; 1.67 @@ -81,29 +81,29 @@ 1.68 } 1.69 1.70 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 1.71 -@@ -422,6 +425,9 @@ 1.72 +@@ -497,6 +500,9 @@ 1.73 sStreamLocalBindMask, sStreamLocalBindUnlink, 1.74 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 1.75 - sExposeAuthInfo, 1.76 + sExposeAuthInfo, sRDomain, 1.77 +#ifdef TCP_STEALTH 1.78 + sTCPStealthSecret, 1.79 +#endif 1.80 sDeprecated, sIgnore, sUnsupported 1.81 } ServerOpCodes; 1.82 1.83 -@@ -566,6 +572,9 @@ 1.84 - { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 1.85 - { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 1.86 +@@ -645,6 +651,9 @@ 1.87 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 1.88 + { "rdomain", sRDomain, SSHCFG_ALL }, 1.89 + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, 1.90 +#ifdef TCP_STEALTH 1.91 + { "tcpstealthsecret", sTCPStealthSecret }, 1.92 +#endif 1.93 { NULL, sBadOption, 0 } 1.94 }; 1.95 1.96 -@@ -1883,6 +1892,23 @@ 1.97 - intptr = &options->expose_userauth_info; 1.98 - goto parse_flag; 1.99 +@@ -2149,6 +2158,23 @@ 1.100 + *charptr = xstrdup(arg); 1.101 + break; 1.102 1.103 +#ifdef TCP_STEALTH 1.104 + case sTCPStealthSecret: 1.105 @@ -127,18 +127,17 @@ 1.106 case sUnsupported: 1.107 --- a/servconf.h 1.108 
+++ b/servconf.h 1.109 -@@ -198,6 +198,10 @@ 1.110 - 1.111 +@@ -210,6 +210,9 @@ 1.112 int fingerprint_hash; 1.113 int expose_userauth_info; 1.114 -+ 1.115 + u_int64_t timing_secret; 1.116 +#ifdef TCP_STEALTH 1.117 + char *tcp_stealth_secret; 1.118 +#endif 1.119 } ServerOptions; 1.120 1.121 /* Information about the incoming connection as used by Match */ 1.122 -@@ -219,6 +223,11 @@ 1.123 +@@ -232,6 +235,11 @@ 1.124 * NB. an option must appear in servconf.c:copy_set_server_options() or 1.125 * COPY_MATCH_STRING_OPTS here but never both. 1.126 */ 1.127 
@@ -150,205 +149,32 @@ 1.128 #define COPY_MATCH_STRING_OPTS() do { \ 1.129 M_CP_STROPT(banner); \ 1.130 M_CP_STROPT(trusted_user_ca_keys); \ 1.131 -@@ -238,6 +247,7 @@ 1.132 - M_CP_STRARRAYOPT(accept_env, num_accept_env); \ 1.133 +@@ -255,6 +263,7 @@ 1.134 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ 1.135 - M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \ 1.136 + M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \ 1.137 + M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \ 1.138 + M_CP_STEALTHSCRT(tcp_stealth_secret); \ 1.139 } while (0) 1.140 1.141 struct connection_info *get_connection_info(int, int); 1.142 ---- a/ssh.c 1.143 -+++ b/ssh.c 1.144 -@@ -191,6 +191,14 @@ 1.145 - extern int muxserver_sock; 1.146 - extern u_int muxclient_command; 1.147 - 1.148 -+#ifdef TCP_STEALTH 1.149 -+#define OPT_STEALTH "[-z tcp_stealth_secret] " 1.150 -+#define GETOPT_STEALTH "z:" 1.151 -+#else 1.152 -+#define OPT_STEALTH "" 1.153 -+#define GETOPT_STEALTH "" 1.154 -+#endif 1.155 -+ 1.156 - /* Prints a help message to the user. This function never returns. 
*/ 1.157 - 1.158 - static void 1.159 -@@ -203,7 +211,7 @@ 1.160 - " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" 1.161 - " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n" 1.162 - " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n" 1.163 --" [user@]hostname [command]\n" 1.164 -+" " OPT_STEALTH "[user@]hostname [command]\n" 1.165 - ); 1.166 - exit(255); 1.167 - } 1.168 -@@ -612,7 +620,7 @@ 1.169 - 1.170 - again: 1.171 - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" 1.172 -- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { 1.173 -+ "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) { 1.174 - switch (opt) { 1.175 - case '1': 1.176 - fatal("SSH protocol v.1 is no longer supported"); 1.177 -@@ -921,6 +929,14 @@ 1.178 - case 'F': 1.179 - config = optarg; 1.180 - break; 1.181 -+#ifdef TCP_STEALTH 1.182 -+ case 'z': 1.183 -+ options.tcp_stealth_secret = 1.184 -+ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 1.185 -+ strncpy(options.tcp_stealth_secret, optarg, 1.186 -+ TCP_STEALTH_SECRET_SIZE); 1.187 -+ break; 1.188 -+#endif 1.189 - default: 1.190 - usage(); 1.191 - } 1.192 ---- a/sshd.c 1.193 -+++ b/sshd.c 1.194 -@@ -896,6 +896,14 @@ 1.195 - return (r < p) ? 
1 : 0; 1.196 - } 1.197 - 1.198 -+#ifdef TCP_STEALTH 1.199 -+#define OPT_STEALTH " [-z tcp_stealth_secret]" 1.200 -+#define GETOPT_STEALTH "z:" 1.201 -+#else 1.202 -+#define OPT_STEALTH "" 1.203 -+#define GETOPT_STEALTH "" 1.204 -+#endif 1.205 -+ 1.206 - static void 1.207 - usage(void) 1.208 - { 1.209 -@@ -911,6 +919,7 @@ 1.210 - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" 1.211 - " [-E log_file] [-f config_file] [-g login_grace_time]\n" 1.212 - " [-h host_key_file] [-o option] [-p port] [-u len]\n" 1.213 -+" " OPT_STEALTH "\n" 1.214 - ); 1.215 - exit(1); 1.216 - } 1.217 -@@ -1057,6 +1066,15 @@ 1.218 - if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 1.219 - &on, sizeof(on)) == -1) 1.220 - error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 1.221 -+#ifdef TCP_STEALTH 1.222 -+ if (options.tcp_stealth_secret != NULL) { 1.223 -+ if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, 1.224 -+ options.tcp_stealth_secret, 1.225 -+ TCP_STEALTH_SECRET_SIZE) == -1) 1.226 -+ error("setsockopt TCP_STEALTH: %s", 1.227 -+ strerror(errno)); 1.228 -+ } 1.229 -+#endif 1.230 - 1.231 - /* Only communicate in IPv6 over AF_INET6 sockets. */ 1.232 - if (ai->ai_family == AF_INET6) 1.233 -@@ -1404,7 +1422,7 @@ 1.234 - 1.235 - /* Parse command-line arguments. 
*/ 1.236 - while ((opt = getopt(ac, av, 1.237 -- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 1.238 -+ GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 1.239 - switch (opt) { 1.240 - case '4': 1.241 - options.address_family = AF_INET; 1.242 -@@ -1512,6 +1530,14 @@ 1.243 - exit(1); 1.244 - free(line); 1.245 - break; 1.246 -+#ifdef TCP_STEALTH 1.247 -+ case 'z': 1.248 -+ options.tcp_stealth_secret = 1.249 -+ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 1.250 -+ strncpy(options.tcp_stealth_secret, optarg, 1.251 -+ TCP_STEALTH_SECRET_SIZE); 1.252 -+ break; 1.253 -+#endif 1.254 - case '?': 1.255 - default: 1.256 - usage(); 1.257 ---- a/ssh_config.5 1.258 -+++ b/ssh_config.5 1.259 -@@ -1509,6 +1509,15 @@ 1.260 - .Pp 1.261 - To disable TCP keepalive messages, the value should be set to 1.262 - .Cm no . 1.263 -+.It Cm TCPStealthSecret 1.264 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP 1.265 -+Server. Any string specified will be truncated to or padded with zeroes to 64 1.266 -+bytes. This option needs kernel support and is therefore only available if the 1.267 -+required 1.268 -+.Xr setsockopt 2 1.269 -+call is available. 1.270 -+.Pp 1.271 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 1.272 - .It Cm Tunnel 1.273 - Request 1.274 - .Xr tun 4 1.275 ---- a/sshd_config.5 1.276 -+++ b/sshd_config.5 1.277 -@@ -1444,6 +1444,18 @@ 1.278 - .Pp 1.279 - To disable TCP keepalive messages, the value should be set to 1.280 - .Cm no . 1.281 -+.It Cm TCPStealthSecret 1.282 -+Turns this SSH server into a stealth SSH TCP server. This configuration option 1.283 -+specifies the shared secret needed by the clients in order to be able to connect 1.284 -+to the port the SSH server is listening on. This means that port scanners will 1.285 -+receive a TCP RST and thus will not recognize this TCP port being open. Any 1.286 -+string specified will be truncated or padded with zeroes to 64 bytes. 
This 1.287 -+option needs kernel support and is therefore only available if the required 1.288 -+.Xr setsockopt 2 1.289 -+call is available. 1.290 -+.Pp 1.291 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 1.292 -+ 1.293 - .It Cm TrustedUserCAKeys 1.294 - Specifies a file containing public keys of certificate authorities that are 1.295 - trusted to sign user certificates for authentication, or 1.296 ---- a/sshd.0 1.297 -+++ b/sshd.0 1.298 -@@ -7,6 +7,7 @@ 1.299 - sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] 1.300 - [-E log_file] [-f config_file] [-g login_grace_time] 1.301 - [-h host_key_file] [-o option] [-p port] [-u len] 1.302 -+ [-z tcp_stealth_secret] 1.303 +--- a/ssh.0 1.304 ++++ b/ssh.0 1.305 +@@ -9,8 +9,8 @@ 1.306 + [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] 1.307 + [-J destination] [-L address] [-l login_name] [-m mac_spec] 1.308 + [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] 1.309 +- [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination 1.310 +- [command] 1.311 ++ [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 1.312 ++ [-z tcp_stealth_secret] destination [command] 1.313 1.314 DESCRIPTION 1.315 - sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these 1.316 -@@ -121,6 +122,20 @@ 1.317 - from="pattern-list" option in a key file. Configuration options 1.318 - that require DNS include using a USER@HOST pattern in AllowUsers 1.319 - or DenyUsers. 1.320 -+ -z tcp_stealth_secret 1.321 -+ Turns this SSH server into a Stealth SSH TCP Server. This option 1.322 -+ specifies the shared secret which is needed by the clients in order 1.323 -+ to be able to connect to the port the SSH server is listening on. 1.324 -+ Any string specified will be truncated or padded with zeroes to 64 1.325 -+ bytes. This option needs kernel support and is therefore only 1.326 -+ available if the required setsockopt() call is available. 
1.327 -+ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 1.328 -+ for details. 1.329 -+ 1.330 -+ IMPORTANT: This option should only be used for the purpose of 1.331 -+ testing as other users could easily read out the secret from the 1.332 -+ command line arguments. The TCPStealthSecret configuration option 1.333 -+ is the preferred way of specifying the TCP Stealth secret. 1.334 + ssh (SSH client) is a program for logging into a remote machine and for 1.335 +@@ -436,6 +436,20 @@ 1.336 1.337 - AUTHENTICATION 1.338 - The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a 1.339 ---- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400 1.340 -+++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500 1.341 -@@ -425,6 +425,20 @@ DESCRIPTION 1.342 -y Send log information using the syslog(3) system module. By 1.343 default this information is sent to stderr. 1.344 - 1.345 ++ 1.346 + -z tcp_stealth_secret 1.347 + Specifies the shared secret which is needed to connect to a stealth 1.348 + SSH TCP server. Any string specified will be truncated to or padded 1.349 @@ -362,21 +188,20 @@ 1.350 + testing as other users could easily read out the secret from the 1.351 + command line arguments. The TCPStealthSecret configuration option 1.352 + is the preferred way of specifying the TCP Stealth secret. 1.353 -+ 1.354 + 1.355 ssh may additionally obtain configuration data from a per-user 1.356 configuration file and a system-wide configuration file. The file format 1.357 - and configuration options are described in ssh_config(5). 1.358 ---- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400 1.359 -+++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500 1.360 +--- a/ssh.1 1.361 ++++ b/ssh.1 1.362 
@@ -64,6 +64,7 @@ 1.363 .Op Fl S Ar ctl_path 1.364 .Op Fl W Ar host : Ns Ar port 1.365 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun 1.366 +.Op Fl z Ar tcp_stealth_secret 1.367 - .Oo Ar user Ns @ Oc Ns Ar hostname 1.368 + .Ar destination 1.369 .Op Ar command 1.370 - .Ek 1.371 -@@ -528,6 +529,7 @@ For full details of the options listed b 1.372 + .Sh DESCRIPTION 1.373 +@@ -536,6 +537,7 @@ 1.374 .It StreamLocalBindUnlink 1.375 .It StrictHostKeyChecking 1.376 .It TCPKeepAlive 1.377 @@ -384,7 +209,7 @@ 1.378 .It Tunnel 1.379 .It TunnelDevice 1.380 .It UpdateHostKeys 1.381 -@@ -777,6 +779,21 @@ Send log information using the 1.382 +@@ -795,6 +797,21 @@ 1.383 .Xr syslog 3 1.384 system module. 1.385 By default this information is sent to stderr. 1.386 
@@ -406,11 +231,61 @@ 1.387 .El 1.388 .Pp 1.389 .Nm 1.390 ---- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400 1.391 -+++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500 1.392 -@@ -919,6 +919,15 @@ DESCRIPTION 1.393 +--- a/ssh.c 1.394 ++++ b/ssh.c 1.395 +@@ -190,6 +190,14 @@ 1.396 + extern int muxserver_sock; 1.397 + extern u_int muxclient_command; 1.398 1.399 ++#ifdef TCP_STEALTH 1.400 ++#define OPT_STEALTH "[-z tcp_stealth_secret] " 1.401 ++#define GETOPT_STEALTH "z:" 1.402 ++#else 1.403 ++#define OPT_STEALTH "" 1.404 ++#define GETOPT_STEALTH "" 1.405 ++#endif 1.406 ++ 1.407 + /* Prints a help message to the user. This function never returns. */ 1.408 + 1.409 + static void 1.410 +@@ -202,7 +210,7 @@ 1.411 + " [-i identity_file] [-J [user@]host[:port]] [-L address]\n" 1.412 + " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" 1.413 + " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n" 1.414 +-" [-w local_tun[:remote_tun]] destination [command]\n" 1.415 ++" [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n" 1.416 + ); 1.417 + exit(255); 1.418 + } 1.419 +@@ -657,7 +665,7 @@ 1.420 + 1.421 + again: 1.422 + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" 1.423 +- "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { 1.424 ++ "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) { 1.425 + switch (opt) { 1.426 + case '1': 1.427 + fatal("SSH protocol v.1 is no longer supported"); 1.428 +@@ -979,6 +987,14 @@ 1.429 + case 'F': 1.430 + config = optarg; 1.431 + break; 1.432 ++#ifdef TCP_STEALTH 1.433 ++ case 'z': 1.434 ++ options.tcp_stealth_secret = 1.435 ++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 1.436 ++ strncpy(options.tcp_stealth_secret, optarg, 1.437 ++ TCP_STEALTH_SECRET_SIZE); 1.438 ++ break; 1.439 ++#endif 1.440 + default: 1.441 + usage(); 1.442 + } 1.443 +--- a/ssh_config.0 1.444 ++++ b/ssh_config.0 1.445 +@@ -945,6 +945,15 @@ 1.446 To disable 
TCP keepalive messages, the value should be set to no. 1.447 + See also ServerAliveInterval for protocol-level keepalives. 1.448 1.449 + TCPStealthSecret 1.450 + Specifies the shared secret which is needed to connect to a stealth 1.451 @@ -424,9 +299,27 @@ 1.452 Tunnel Request tun(4) device forwarding between the client and the 1.453 server. The argument must be yes, point-to-point (layer 3), 1.454 ethernet (layer 2), or no (the default). Specifying yes requests 1.455 ---- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400 1.456 -+++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500 1.457 -@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct 1.458 +--- a/ssh_config.5 1.459 ++++ b/ssh_config.5 1.460 +@@ -1548,6 +1548,15 @@ 1.461 + See also 1.462 + .Cm ServerAliveInterval 1.463 + for protocol-level keepalives. 1.464 ++.It Cm TCPStealthSecret 1.465 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP 1.466 ++Server. Any string specified will be truncated to or padded with zeroes to 64 1.467 ++bytes. This option needs kernel support and is therefore only available if the 1.468 ++required 1.469 ++.Xr setsockopt 2 1.470 ++call is available. 1.471 ++.Pp 1.472 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 1.473 + .It Cm Tunnel 1.474 + Request 1.475 + .Xr tun 4 1.476 +--- a/sshconnect.c 1.477 ++++ b/sshconnect.c 1.478 +@@ -349,6 +349,18 @@ 1.479 } 1.480 fcntl(sock, F_SETFD, FD_CLOEXEC); 1.481 1.482 
@@ -443,10 +336,41 @@ 1.483 +#endif 1.484 + 1.485 /* Bind the socket to an alternative local IP address */ 1.486 - if (options.bind_address == NULL && !privileged) 1.487 + if (options.bind_address == NULL && options.bind_interface == NULL) 1.488 return sock; 1.489 ---- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400 1.490 -+++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500 1.491 +--- a/sshd.0 1.492 ++++ b/sshd.0 1.493 +@@ -7,6 +7,7 @@ 1.494 + sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] 1.495 + [-E log_file] [-f config_file] [-g login_grace_time] 1.496 + [-h host_key_file] [-o option] [-p port] [-u len] 1.497 ++ [-z tcp_stealth_secret] 1.498 + 1.499 + DESCRIPTION 1.500 + sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these 1.501 +@@ -122,6 +123,20 @@ 1.502 + from="pattern-list" option in a key file. Configuration options 1.503 + that require DNS include using a USER@HOST pattern in AllowUsers 1.504 + or DenyUsers. 1.505 ++ -z tcp_stealth_secret 1.506 ++ Turns this SSH server into a Stealth SSH TCP Server. This option 1.507 ++ specifies the shared secret which is needed by the clients in order 1.508 ++ to be able to connect to the port the SSH server is listening on. 1.509 ++ Any string specified will be truncated or padded with zeroes to 64 1.510 ++ bytes. This option needs kernel support and is therefore only 1.511 ++ available if the required setsockopt() call is available. 1.512 ++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 1.513 ++ for details. 1.514 ++ 1.515 ++ IMPORTANT: This option should only be used for the purpose of 1.516 ++ testing as other users could easily read out the secret from the 1.517 ++ command line arguments. The TCPStealthSecret configuration option 1.518 ++ is the preferred way of specifying the TCP Stealth secret. 1.519 + 1.520 + AUTHENTICATION 1.521 + The OpenSSH SSH daemon supports SSH protocol 2 only. 
Each host has a 1.522 +--- a/sshd.8 1.523 ++++ b/sshd.8 1.524 @@ -53,6 +53,7 @@ 1.525 .Op Fl o Ar option 1.526 .Op Fl p Ar port 1.527 @@ -455,7 +379,7 @@ 1.528 .Ek 1.529 .Sh DESCRIPTION 1.530 .Nm 1.531 -@@ -243,6 +244,24 @@ USER@HOST pattern in 1.532 +@@ -244,6 +245,24 @@ 1.533 .Cm AllowUsers 1.534 or 1.535 .Cm DenyUsers . 1.536 
@@ -480,9 +404,75 @@ 1.537 .El 1.538 .Sh AUTHENTICATION 1.539 The OpenSSH SSH daemon supports SSH protocol 2 only. 1.540 ---- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400 1.541 -+++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500 1.542 -@@ -872,6 +872,19 @@ DESCRIPTION 1.543 +--- a/sshd.c 1.544 ++++ b/sshd.c 1.545 +@@ -911,6 +911,14 @@ 1.546 + return (r < p) ? 1 : 0; 1.547 + } 1.548 + 1.549 ++#ifdef TCP_STEALTH 1.550 ++#define OPT_STEALTH " [-z tcp_stealth_secret]" 1.551 ++#define GETOPT_STEALTH "z:" 1.552 ++#else 1.553 ++#define OPT_STEALTH "" 1.554 ++#define GETOPT_STEALTH "" 1.555 ++#endif 1.556 ++ 1.557 + static void 1.558 + usage(void) 1.559 + { 1.560 +@@ -926,6 +934,7 @@ 1.561 + "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" 1.562 + " [-E log_file] [-f config_file] [-g login_grace_time]\n" 1.563 + " [-h host_key_file] [-o option] [-p port] [-u len]\n" 1.564 ++" " OPT_STEALTH "\n" 1.565 + ); 1.566 + exit(1); 1.567 + } 1.568 +@@ -1075,6 +1084,16 @@ 1.569 + continue; 1.570 + } 1.571 + 1.572 ++#ifdef TCP_STEALTH 1.573 ++ if (options.tcp_stealth_secret != NULL) { 1.574 ++ if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, 1.575 ++ options.tcp_stealth_secret, 1.576 ++ TCP_STEALTH_SECRET_SIZE) == -1) 1.577 ++ error("setsockopt TCP_STEALTH: %s", 1.578 ++ strerror(errno)); 1.579 ++ } 1.580 ++#endif 1.581 ++ 1.582 + /* Only communicate in IPv6 over AF_INET6 sockets. */ 1.583 + if (ai->ai_family == AF_INET6) 1.584 + sock_set_v6only(listen_sock); 1.585 +@@ -1515,7 +1534,7 @@ 1.586 + 1.587 + /* Parse command-line arguments. 
*/ 1.588 + while ((opt = getopt(ac, av, 1.589 +- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 1.590 ++ GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 1.591 + switch (opt) { 1.592 + case '4': 1.593 + options.address_family = AF_INET; 1.594 +@@ -1616,6 +1635,14 @@ 1.595 + exit(1); 1.596 + free(line); 1.597 + break; 1.598 ++#ifdef TCP_STEALTH 1.599 ++ case 'z': 1.600 ++ options.tcp_stealth_secret = 1.601 ++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 1.602 ++ strncpy(options.tcp_stealth_secret, optarg, 1.603 ++ TCP_STEALTH_SECRET_SIZE); 1.604 ++ break; 1.605 ++#endif 1.606 + case '?': 1.607 + default: 1.608 + usage(); 1.609 +--- a/sshd_config.0 1.610 ++++ b/sshd_config.0 1.611 +@@ -937,6 +937,19 @@ 1.612 1.613 To disable TCP keepalive messages, the value should be set to no. 1.614 1.615 
@@ -502,3 +492,24 @@ 1.616 TrustedUserCAKeys 1.617 Specifies a file containing public keys of certificate 1.618 authorities that are trusted to sign user certificates for 1.619 +--- a/sshd_config.5 1.620 ++++ b/sshd_config.5 1.621 +@@ -1567,6 +1567,18 @@ 1.622 + .Pp 1.623 + To disable TCP keepalive messages, the value should be set to 1.624 + .Cm no . 1.625 ++.It Cm TCPStealthSecret 1.626 ++Turns this SSH server into a stealth SSH TCP server. This configuration option 1.627 ++specifies the shared secret needed by the clients in order to be able to connect 1.628 ++to the port the SSH server is listening on. This means that port scanners will 1.629 ++receive a TCP RST and thus will not recognize this TCP port being open. Any 1.630 ++string specified will be truncated or padded with zeroes to 64 bytes. This 1.631 ++option needs kernel support and is therefore only available if the required 1.632 ++.Xr setsockopt 2 1.633 ++call is available. 1.634 ++.Pp 1.635 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 1.636 ++ 1.637 + .It Cm TrustedUserCAKeys 1.638 + Specifies a file containing public keys of certificate authorities that are 1.639 + trusted to sign user certificates for authentication, or
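Review bot: In the readconf.c hunk `+@@ -309,6 +312,9 @@` (on L9 of this page) the rebased keywords-table entry became a bare `++ oTCPStealthSecret,` where the old patch had `-+ { "tcpstealthsecret", oTCPStealthSecret },`; the enum-style line appears to have been pasted into the `keywords[]` array, whose opening lies outside the inner hunk. An enum constant as an element initializer of that struct array does not register the `TCPStealthSecret` keyword, so the client-side config-file option documented in the same patch as the preferred way to supply the secret would never be recognised (and, with brace elision, would initialise the `name` pointer from an integer, which a warning-clean build should reject); if the `#ifdef TCP_STEALTH` block is inactive in the package build, the compiler will not catch this. The line should read `+	{ "tcpstealthsecret", oTCPStealthSecret },` to match the neighbouring entries and the server-side `{ "tcpstealthsecret", sTCPStealthSecret },` in servconf.c. Note that only the `-z` command-line path, which the patched sshd.0/ssh.0 text itself warns exposes the secret via process arguments, would remain functional for the client until this is fixed.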