Hi,

I was reviewing the chacha20 patchset and then a user asked for support for the
global request "no-more-sess...@openssh.com".

On receipt of such a message, the server will refuse to open future
channels of type "session" and instead immediately abort the connection.

So I've implemented it. However, I don't have the time to test it right now.
I'm posting it here, if someone is interested in it. OpenSSH normally
sends it.

Review much appreciated!

Thanks,
Andreas

From 0189ab3e6549b902791b95f5e15b5c9e481e3f7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:45:15 +0200
Subject: [PATCH 1/3] include: Use hex values for flags
This is easier to understand.
Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
include/libssh/session.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/libssh/session.h b/include/libssh/session.h
index 1a069017..de5fb7c7 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -64,10 +64,10 @@ enum ssh_pending_call_e {
};
/* libssh calls may block an undefined amount of time */
-#define SSH_SESSION_FLAG_BLOCKING 1
+#define SSH_SESSION_FLAG_BLOCKING 0x0001
/* Client successfully authenticated */
-#define SSH_SESSION_FLAG_AUTHENTICATED 2
+#define SSH_SESSION_FLAG_AUTHENTICATED 0x0002
/* codes to use with ssh_handle_packets*() */
/* Infinite timeout */
--
2.17.1

From 65d09da5f8b9a175a9845f594938efdeaf5f6646 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:45:51 +0200
Subject: [PATCH 2/3] include: Add SSH_SESSION_FLAG_NO_MORE flag
Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
include/libssh/session.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/libssh/session.h b/include/libssh/session.h
index de5fb7c7..8cedc6cf 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -69,6 +69,9 @@ enum ssh_pending_call_e {
/* Client successfully authenticated */
#define SSH_SESSION_FLAG_AUTHENTICATED 0x0002
+/* Do not accept new session chanels (no-more-sessi...@openssh.com) */
+#define SSH_SESSION_FLAG_NO_MORE_SESSIONS 0x0004
+
/* codes to use with ssh_handle_packets*() */
/* Infinite timeout */
#define SSH_TIMEOUT_INFINITE -1
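Review bot: The comment above the new SSH_SESSION_FLAG_NO_MORE_SESSIONS define misspells "channels" as "chanels". The subject line also names the flag SSH_SESSION_FLAG_NO_MORE while the define is SSH_SESSION_FLAG_NO_MORE_SESSIONS; using the full name in the subject keeps the log searchable for the identifier that actually lands in session.h.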
--
2.17.1

From 8e423738905bf458d60245da713dd41205bd134d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <a...@cryptomilk.org>
Date: Tue, 12 Jun 2018 21:53:03 +0200
Subject: [PATCH 3/3] messages: Handle "no-more-sessi...@openssh.com" global
request
On receipt of such a message, the server will refuse to open future
channels of type "session" and instead immediately abort the connection.
Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
---
include/libssh/libssh.h | 3 ++-
src/messages.c | 23 ++++++++++++++++++++---
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index 03241493..dbf73657 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -209,7 +209,8 @@ enum ssh_global_requests_e {
SSH_GLOBAL_REQUEST_UNKNOWN=0,
SSH_GLOBAL_REQUEST_TCPIP_FORWARD,
SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD,
- SSH_GLOBAL_REQUEST_KEEPALIVE
+ SSH_GLOBAL_REQUEST_KEEPALIVE,
+ SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS
};
enum ssh_publickey_state_e {
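Review bot: SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS goes into a public enum in include/libssh/libssh.h with no comment saying what an application should do with it. Since the messages.c part of this patch already replies and sets the session flag inside the library, a one-line comment stating that the request is handled internally would tell server authors whether they need to react to this type at all. Appending the value after SSH_GLOBAL_REQUEST_KEEPALIVE keeps the existing values unchanged, which is the right place for it.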
diff --git a/src/messages.c b/src/messages.c
index af885314..a88d94f2 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -1077,9 +1077,15 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open){
}
if (strcmp(type_c,"session") == 0) {
- msg->channel_request_open.type = SSH_CHANNEL_SESSION;
- SAFE_FREE(type_c);
- goto end;
+ if (session->flags & SSH_SESSION_FLAG_NO_MORE_SESSIONS) {
+ ssh_set_error(session, SSH_FATAL, "No more sessions allowed!");
+ session->session_state = SSH_SESSION_STATE_ERROR;
+ goto error;
+ }
+
+ msg->channel_request_open.type = SSH_CHANNEL_SESSION;
+ SAFE_FREE(type_c);
+ goto end;
}
if (strcmp(type_c,"direct-tcpip") == 0) {
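Review bot: The new refusal branch in ssh_packet_channel_open does goto error without SAFE_FREE(type_c), while the accept path right below frees type_c before goto end. The error label is not visible in this hunk, so please confirm it frees type_c; if it does not, add SAFE_FREE(type_c) before the goto, otherwise every refused "session" open leaks the type string. The commit message also says the connection is aborted immediately, but this branch only sets SSH_SESSION_STATE_ERROR and the error text; if an actual disconnect is intended, it should be issued here or the message should describe what really happens.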
@@ -1452,6 +1458,17 @@ SSH_PACKET_CALLBACK(ssh_packet_global_request){
} else {
ssh_message_global_request_reply_success(msg, 0);
}
+ } else if (strcmp(request, "no-more-sessi...@openssh.com") == 0) {
+ msg->global_request.type = SSH_GLOBAL_REQUEST_NO_MORE_SESSIONS;
+ msg->global_request.want_reply = want_reply;
+
+ SSH_LOG(SSH_LOG_PROTOCOL, "Received no-more-sessi...@openssh.com %d",
want_reply);
+
+ if (want_reply) {
+ ssh_message_global_request_reply_success(msg, 0);
+ }
+
+ session->flags |= SSH_SESSION_FLAG_NO_MORE_SESSIONS;
} else {
SSH_LOG(SSH_LOG_PROTOCOL, "UNKNOWN SSH_MSG_GLOBAL_REQUEST %s %d",
request, want_reply);
rc = SSH_PACKET_NOT_USED;
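Review bot: In the new no-more-sessions branch of ssh_packet_global_request, session->flags is updated only after ssh_message_global_request_reply_success(msg, 0), and the return value of that call is dropped. Setting SSH_SESSION_FLAG_NO_MORE_SESSIONS first makes the restriction take effect regardless of how the reply goes, which is the safer ordering for a hardening feature. The diffstat lists only libssh.h and messages.c, so nothing exercises this path yet; a server test that sends the request and then tries to open a second "session" channel would cover both this branch and the check added in ssh_packet_channel_open.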
--
2.17.1