Hi there,
i had the problem that it wasn't possible to prevent the client from not
opening a channel.
This is necessary for me because i have written a custom shell which is
doing some cleanup work after the connection is closed, which is not
possible in case the shell isn't started at all.
I have found some people with the same Problem on the internet, so i
patched in a channelgracetime.
I have asked on the openssh irc why there isn't such a feature and
nobody had a real answer.
If you know some reason why this is evil, and generally bad, please let
me know.
Also as far as i'm concerned i haven't broken anything but if you see
something really wrong please tell me.
Greetings David Helwig
--- openssh-6.4p1/sshd.c 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.4p1.x/sshd.c 2014-06-30 15:06:26.000000000 +0200
@@ -378,6 +378,24 @@
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
+static void
+grace_channel_alarm_handler(int sig)
+{
+ if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
+ kill(pmonitor->m_pid, SIGALRM);
+ /*
+ * Try to kill any processes that we have spawned, E.g. authorized
+ * keys command helpers.
+ */
+ if (getpgid(0) == getpid()) {
+ signal(SIGTERM, SIG_IGN);
+ killpg(0, SIGTERM);
+ }
+
+ /* Log error and exit. */
+ sigdie("Timeout before channel open for %s", get_remote_ipaddr());
+}
+
/*
* Signal handler for the key regeneration alarm. Note that this
* alarm only occurs in the daemon waiting for connections, and it does not
--- openssh-6.4p1/sshd.c 2014-06-30 15:06:26.000000000 +0200
+++ openssh-6.4p1.x/sshd.c 2014-07-07 13:33:17.000000000 +0200
@@ -2151,6 +2151,14 @@
destroy_sensitive_data();
}
+ /* Install channel open grace time alarm handler if required */
+ if( options.channel_grace_time != -1 ) {
+ alarm(options.channel_grace_time);
+
+ signal(SIGALRM, grace_channel_alarm_handler);
+ debug("Installed channel open alarm handler in pid %d", getpid());
+ }
+
packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max);
--- openssh-6.4p1/channels.c 2013-11-08 02:28:04.000000000 +0100
+++ openssh-6.4p1.x/channels.c 2014-06-30 15:03:18.000000000 +0200
@@ -61,6 +61,7 @@
#include <termios.h>
#include <unistd.h>
#include <stdarg.h>
+#include <signal.h>
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -1831,6 +1832,13 @@
return;
channel_handle_efd(c, readset, writeset);
channel_check_window(c);
+
+ /* Now we have a fully functional channel -- reset/drop
+ * channel open alarm
+ */
+
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
}
static u_int
diff -Nur openssh-6.4p1/servconf.c openssh-6.4p1.x/servconf.c
--- openssh-6.4p1/servconf.c 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.4p1.x/servconf.c 2014-06-30 15:33:08.000000000 +0200
@@ -83,6 +83,7 @@
options->pid_file = NULL;
options->server_key_bits = -1;
options->login_grace_time = -1;
+ options->channel_grace_time = -1;
options->key_regeneration_time = -1;
options->permit_root_login = PERMIT_NOT_SET;
options->ignore_rhosts = -1;
@@ -319,7 +322,7 @@
/* Portable-specific options */
sUsePAM,
/* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sChannelGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -374,6 +377,7 @@
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
+ { "channelgracetime", sChannelGraceTime, SSHCFG_GLOBAL },
{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
@@ -907,6 +911,10 @@
*intptr = value;
break;
+ case sChannelGraceTime:
+ intptr = &options->channel_grace_time;
+ goto parse_time;
+
case sKeyRegenerationTime:
intptr = &options->key_regeneration_time;
goto parse_time;
@@ -1956,6 +1964,7 @@
#endif
dump_cfg_int(sServerKeyBits, o->server_key_bits);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+ dump_cfg_int(sChannelGraceTime, o->channel_grace_time);
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
diff -Nur openssh-6.4p1/servconf.h openssh-6.4p1.x/servconf.h
--- openssh-6.4p1/servconf.h 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.4p1.x/servconf.h 2014-06-30 15:33:08.000000000 +0200
@@ -70,6 +70,7 @@
int server_key_bits;/* Size of the server key. */
int login_grace_time; /* Disconnect if no auth in this time
* (sec). */
+ int channel_grace_time; /* Disconnect if no channel is opened in this time */
int key_regeneration_time; /* Server key lifetime (seconds). */
int permit_root_login; /* PERMIT_*, see above */
int ignore_rhosts; /* Ignore .rhosts and .shosts. */
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev