Hi,

I was reviewing the chacha20 patchset and then a user asked for supporting the 
global request "no-more-sess...@openssh.com".

    On receipt of such a message, the server will refuse to open future
    channels of type "session" and instead immediately abort the connection.

So I've implemented it. However I don't have the time to test it right now.


I'm posting it here in case someone is interested in it. OpenSSH normally 
sends it.

Review much appreciated!


Thanks,


        Andreas
>From 0189ab3e6549b902791b95f5e15b5c9e481e3f7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:45:15 +0200
Subject: [PATCH 1/3] include: Use hex values for flags

This is easier to understand.

Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
 include/libssh/session.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/libssh/session.h b/include/libssh/session.h
index 1a069017..de5fb7c7 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -64,10 +64,10 @@ enum ssh_pending_call_e {
 };
 
 /* libssh calls may block an undefined amount of time */
-#define SSH_SESSION_FLAG_BLOCKING 1
+#define SSH_SESSION_FLAG_BLOCKING 0x0001
 
 /* Client successfully authenticated */
-#define SSH_SESSION_FLAG_AUTHENTICATED 2
+#define SSH_SESSION_FLAG_AUTHENTICATED 0x0002
 
 /* codes to use with ssh_handle_packets*() */
 /* Infinite timeout */
-- 
2.17.1


>From 65d09da5f8b9a175a9845f594938efdeaf5f6646 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:45:51 +0200
Subject: [PATCH 2/3] include: Add SSH_SESSION_FLAG_NO_MORE flag

Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
 include/libssh/session.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/libssh/session.h b/include/libssh/session.h
index de5fb7c7..8cedc6cf 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -69,6 +69,9 @@ enum ssh_pending_call_e {
 /* Client successfully authenticated */
 #define SSH_SESSION_FLAG_AUTHENTICATED 0x0002
 
+/* Do not accept new session chanels (no-more-sessi...@openssh.com) */
+#define SSH_SESSION_FLAG_NO_MORE_SESSIONS 0x0004
+
 /* codes to use with ssh_handle_packets*() */
 /* Infinite timeout */
 #define SSH_TIMEOUT_INFINITE -1
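Review bot: The comment on the new `SSH_SESSION_FLAG_NO_MORE_SESSIONS` define misspells "channels" and does not say who sets the flag or what a violation leads to. Since this bit gates a hardening request, I would state the contract, e.g. `/* Set once the peer has sent no-more-sessions@openssh.com: later "session" channel opens are refused and the connection is aborted */`. Nothing in the visible hunks of this series clears the bit again, so the comment could also say that it is one-way for the lifetime of the session.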
-- 
2.17.1


>From 8e423738905bf458d60245da713dd41205bd134d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:53:03 +0200
Subject: [PATCH 3/3] messages: Handle "no-more-sessi...@openssh.com" global
 request

On receipt of such a message, the server will refuse to open future
channels of type "session" and instead immediately abort the connection.

Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
 include/libssh/libssh.h |  3 ++-
 src/messages.c          | 23 ++++++++++++++++++++---
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index 03241493..dbf73657 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -209,7 +209,8 @@ enum ssh_global_requests_e {
        SSH_GLOBAL_REQUEST_UNKNOWN=0,
        SSH_GLOBAL_REQUEST_TCPIP_FORWARD,
        SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD,
-       SSH_GLOBAL_REQUEST_KEEPALIVE
+       SSH_GLOBAL_REQUEST_KEEPALIVE,
+       SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS
 };
 
 enum ssh_publickey_state_e {
diff --git a/src/messages.c b/src/messages.c
index af885314..a88d94f2 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -1077,9 +1077,15 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open){
   }
   
   if (strcmp(type_c,"session") == 0) {
-    msg->channel_request_open.type = SSH_CHANNEL_SESSION;
-    SAFE_FREE(type_c);
-    goto end;
+      if (session->flags & SSH_SESSION_FLAG_NO_MORE_SESSIONS) {
+          ssh_set_error(session, SSH_FATAL, "No more sessions allowed!");
+          session->session_state = SSH_SESSION_STATE_ERROR;
+          goto error;
+      }
+
+      msg->channel_request_open.type = SSH_CHANNEL_SESSION;
+      SAFE_FREE(type_c);
+      goto end;
   }
 
   if (strcmp(type_c,"direct-tcpip") == 0) {
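Review bot: The new refusal branch jumps to `error` without `SAFE_FREE(type_c);` and without visibly notifying the peer, whereas the accepted path frees `type_c` before `goto end`. The `error` label lies outside this hunk, so both may already be handled there. If they are not, `type_c` leaks on every refused open and the client receives neither a channel-open failure nor a disconnect, although the commit message promises an immediate abort. I would add `SAFE_FREE(type_c);` before `goto error;` and either send the disconnect here or add a comment naming where the connection is torn down. The added lines are also indented more deeply than the two-space style of the surrounding function.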
@@ -1452,6 +1458,17 @@ SSH_PACKET_CALLBACK(ssh_packet_global_request){
         } else {
             ssh_message_global_request_reply_success(msg, 0);
         }
+    } else if (strcmp(request, "no-more-sessi...@openssh.com") == 0) {
+        msg->global_request.type = SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS;
+        msg->global_request.want_reply = want_reply;
+
+        SSH_LOG(SSH_LOG_PROTOCOL, "Received no-more-sessi...@openssh.com %d", want_reply);
+
+        if (want_reply) {
+            ssh_message_global_request_reply_success(msg, 0);
+        }
+
+        session->flags |= SSH_SESSION_FLAG_NO_MORE_SESSIONS;
     } else {
         SSH_LOG(SSH_LOG_PROTOCOL, "UNKNOWN SSH_MSG_GLOBAL_REQUEST %s %d", request, want_reply);
         rc = SSH_PACKET_NOT_USED;
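Review bot: `session->flags |= SSH_SESSION_FLAG_NO_MORE_SESSIONS;` is the last statement of the new branch, after the optional `ssh_message_global_request_reply_success(msg, 0)` whose return value is not checked. I would move the flag assignment to the top of the branch so the restriction is recorded before anything is sent and never depends on the reply path. The request name in the `strcmp` and in the log string appears on this page as `no-more-sessi...@openssh.com`, which looks like the archive's address obfuscation. Anyone applying the patch from here has to restore the full `no-more-sessions@openssh.com`, otherwise the branch never matches and the request falls through to the UNKNOWN case. The handler continues outside the hunk, so whether this branch is limited to server-side sessions cannot be confirmed from the visible lines.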
-- 
2.17.1
