Репозитории ALT
S: | 9.4p1-alt1 |
5.1: | 5.3p1-alt1 |
4.1: | 5.0p1-alt3 |
4.0: | 5.0p1-alt3 |
+updates: | 4.7p1-alt1 |
3.0: | 3.6.1p2-alt6 |
Группа :: Сети/Удалённый доступ
Пакет: openssh
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: openssh-3.6.1p1-alt-trans_inter.patch
Скачать
Скачать
diff -uprk.orig openssh-3.6.1p1.orig/clientloop.c openssh-3.6.1p1/clientloop.c
--- openssh-3.6.1p1.orig/clientloop.c 2003-04-01 15:43:39 +0400
+++ openssh-3.6.1p1/clientloop.c 2003-04-11 19:50:52 +0400
@@ -319,8 +319,10 @@ client_check_window_change(void)
static void
client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
- int *maxfdp, int *nallocp, int rekeying)
+ int *maxfdp, int *nallocp, int rekeying, int trans_inter)
{
+ int select_return;
+
/* Add any selections by the channel mechanism. */
channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
@@ -362,13 +364,38 @@ client_wait_until_can_do_something(fd_se
/*
* Wait for something to happen. This will suspend the process until
* some selected descriptor can be read, written, or has some other
- * event pending. Note: if you want to implement SSH_MSG_IGNORE
- * messages to fool traffic analysis, this might be the place to do
- * it: just have a random timeout for the select, and send a random
- * SSH_MSG_IGNORE packet when the timeout expires.
+ * event pending.
+ * Implemented timeout SSH_MSG_IGNORE packets to keep a minimum
+ * frequency of traffic present on a connection. This can be used to
+ * prevent a firewall (ip_masq f.e.) from timing out and causing a new
+ * port to be allocated which effectively kills the connection.
+ * To fool traffic analysis, the timeout on the SSH_MSG_IGNORE
+ * packets set randomly instead of periodically.
*/
- if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
+ if( trans_inter > 0 ) {
+ struct timeval timeout;
+ timeout.tv_sec = trans_inter *
+ (1 + (arc4random() / (double) UINT_MAX - 0.5));
+ timeout.tv_usec = 1000000 * (arc4random() / (double) UINT_MAX);
+ select_return = select((*maxfdp)+1, *readsetp, *writesetp,
+ NULL, &timeout);
+ if( !select_return ) {
+ int len = 1 + (arc4random() & 63);
+ int data[len];
+ int i;
+
+ for (i = 0; i < len; ++i)
+ data[i] = arc4random();
+ packet_start(SSH_MSG_IGNORE);
+ packet_put_string((char *)data, sizeof(data));
+ packet_send();
+ }
+ } else
+ select_return = select((*maxfdp)+1, *readsetp, *writesetp,
+ NULL, NULL);
+
+ if( select_return < 0 ) {
char buf[100];
/*
@@ -960,7 +987,7 @@ client_loop(int have_pty, int escape_cha
*/
max_fd2 = max_fd;
client_wait_until_can_do_something(&readset, &writeset,
- &max_fd2, &nalloc, rekeying);
+ &max_fd2, &nalloc, rekeying, options.trans_inter);
if (quit_pending)
break;
diff -uprk.orig openssh-3.6.1p1.orig/readconf.c openssh-3.6.1p1/readconf.c
--- openssh-3.6.1p1.orig/readconf.c 2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/readconf.c 2003-04-11 19:50:52 +0400
@@ -81,6 +81,7 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003
RhostsRSAAuthentication yes
StrictHostKeyChecking yes
KeepAlives no
+ TransmitInterlude 0
IdentityFile ~/.ssh/identity
Port 22
EscapeChar ~
@@ -107,7 +108,7 @@ typedef enum {
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
+ oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oSshVersion,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@@ -179,6 +180,7 @@ static struct {
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
+ { "transmitinterlude", oTransmitInterlude },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
{ "loglevel", oLogLevel },
{ "dynamicforward", oDynamicForward },
@@ -416,6 +418,10 @@ parse_flag:
intptr = &options->no_host_authentication_for_localhost;
goto parse_flag;
+ case oTransmitInterlude:
+ intptr = &options->trans_inter;
+ goto parse_int;
+
case oNumberOfPasswordPrompts:
intptr = &options->number_of_password_prompts;
goto parse_int;
@@ -772,6 +778,7 @@ initialize_options(Options * options)
options->strict_host_key_checking = -1;
options->compression = -1;
options->keepalives = -1;
+ options->trans_inter = -1;
options->compression_level = -1;
options->port = -1;
options->connection_attempts = -1;
@@ -861,6 +868,8 @@ fill_default_options(Options * options)
options->compression = 0;
if (options->keepalives == -1)
options->keepalives = 1;
+ if (options->trans_inter == -1)
+ options->trans_inter = 0;
if (options->compression_level == -1)
options->compression_level = 6;
if (options->port == -1)
diff -uprk.orig openssh-3.6.1p1.orig/readconf.h openssh-3.6.1p1/readconf.h
--- openssh-3.6.1p1.orig/readconf.h 2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/readconf.h 2003-04-11 19:50:52 +0400
@@ -61,6 +61,7 @@ typedef struct {
int compression_level; /* Compression level 1 (fast) to 9
* (best). */
int keepalives; /* Set SO_KEEPALIVE. */
+ int trans_inter; /* Guarantee transmit every n seconds. */
LogLevel log_level; /* Level for logging. */
int port; /* Port to connect. */
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config openssh-3.6.1p1/ssh_config
--- openssh-3.6.1p1.orig/ssh_config 2002-07-04 04:19:41 +0400
+++ openssh-3.6.1p1/ssh_config 2003-04-11 19:50:52 +0400
@@ -26,6 +26,7 @@
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
+# TransmitInterlude 0
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config.5 openssh-3.6.1p1/ssh_config.5
--- openssh-3.6.1p1.orig/ssh_config.5 2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/ssh_config.5 2003-04-11 19:50:52 +0400
@@ -370,6 +370,22 @@ This is important in scripts, and many u
.Pp
To disable keepalives, the value should be set to
.Dq no .
+.It Cm TransmitInterlude
+Specifies a maximum time to allow between transmitting packets,
+in seconds. If this amount of time passes and the client has
+no data to send, it will send an ignore packet to the server.
+One example where this is useful is when using ssh from behind
+a Linux ip_masquerade firewall. If packets aren't sent through
+such a firewall periodically, the firewall may forget about the
+connection. Then when a packet finally is sent, the firewall
+will assign a new port, which will cause the remote server to
+disconnect the session. This option defaults to
+.Dq 0 ,
+which means not sending periodic packets. A setting of a few
+hundred seconds should be about right if this is needed. You
+should probably try setting KeepAlive to
+.Dq yes
+in your conf files on both the server and the client first.
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication will be used.
The argument to this keyword must be