History log of /openbsd-current/usr.bin/ssh/channels.c
Revision Date Author Comments
# 1.438 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.437 06-Mar-2024 djm

fix memory leak in mux proxy mode when requesting forwarding.

found by RASU JSC, reported by Maks Mishin in GHPR#467


# 1.436 09-Jan-2024 djm

add a "global" ChannelTimeout type to ssh(1) and sshd(8) that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in addition
to the existing per-channel timeouts added a few releases ago.

This supports use-cases like having a session + x11 forwarding channel
open where one may be idle for an extended period but the other is
actively used. The global timeout would allow closing both channels when
both have been idle for too long.

ok dtucker@


# 1.435 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@


# 1.434 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


Revision tags: OPENBSD_7_5_BASE
# 1.437 06-Mar-2024 djm

fix memory leak in mux proxy mode when requesting forwarding.

found by RASU JSC, reported by Maks Mishin in GHPR#467


# 1.436 09-Jan-2024 djm

add a "global" ChannelTimeout type to ssh(1) and sshd(8) that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in addition
to the existing per-channel timeouts added a few releases ago.

This supports use-cases like having a session + x11 forwarding channel
open where one may be idle for an extended period but the other is
actively used. The global timeout would allow closing both channels when
both have been idle for too long.

ok dtucker@


# 1.435 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@


# 1.434 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.436 09-Jan-2024 djm

add a "global" ChannelTimeout type to ssh(1) and sshd(8) that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in addition
to the existing per-channel timeouts added a few releases ago.

This supports use-cases like having a session + x11 forwarding channel
open where one may be idle for an extended period but the other is
actively used. The global timeout would allow closing both channels when
both have been idle for too long.

ok dtucker@


# 1.435 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@


# 1.434 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
  Auth-attempts are logged only, if authentication is:
    a) successful or
    b) with passwd or
    c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.435 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@


# 1.434 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfucation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Expliticly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was comming.

Add the same logging for PermitListen violations which where not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
  Auth-attempts are logged only, if authentication is:
    a) successful or
    b) with passwd or
    c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.434 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.433 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.432 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@
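
The save-and-restore behaviour described in r1.407 and tightened in r1.427 (put back exactly the flags the descriptor started with instead of clearing them), as an added C example that is not OpenSSH's code. The struct, the function names and the use of /dev/null opened with O_APPEND as a stand-in for a shell ">>" redirection are assumptions made for illustration; the dup()ed descriptor stands in for another program sharing the same open file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define KEPT_APPEND	0x1	/* O_APPEND still set after the cycle */
#define KEPT_NONBLOCK	0x2	/* O_NONBLOCK still set after the cycle */

/* Hypothetical record of the status flags a descriptor started with. */
struct fd_state {
	int fd;
	int orig_flags;		/* F_GETFL result before we touched the fd */
};

/* Switch fd to non-blocking mode, remembering its original flags first. */
static int
set_nonblock_saving(struct fd_state *st, int fd)
{
	int fl = fcntl(fd, F_GETFL);

	if (fl == -1)
		return -1;
	st->fd = fd;
	st->orig_flags = fl;
	return fcntl(fd, F_SETFL, fl | O_NONBLOCK) == -1 ? -1 : 0;
}

/* Weak restore: clears O_NONBLOCK by zeroing every status flag. */
static int
restore_clobber(const struct fd_state *st)
{
	return fcntl(st->fd, F_SETFL, 0) == -1 ? -1 : 0;
}

/* Corrected restore: put back exactly what was there at the start. */
static int
restore_exact(const struct fd_state *st)
{
	return fcntl(st->fd, F_SETFL, st->orig_flags) == -1 ? -1 : 0;
}

/*
 * Run one set/restore cycle on an append-mode descriptor and report which
 * flags a second holder of the same open file sees afterwards.
 * Returns a KEPT_* bitmask, or -1 on error.
 */
static int
flags_after_cycle(int exact)
{
	struct fd_state st;
	int fd, peer, fl = -1, out = 0;

	if ((fd = open("/dev/null", O_WRONLY | O_APPEND)) == -1)
		return -1;
	if ((peer = dup(fd)) == -1) {	/* shares the file status flags */
		close(fd);
		return -1;
	}
	if (set_nonblock_saving(&st, fd) == 0 &&
	    (fcntl(peer, F_GETFL) & O_NONBLOCK) != 0 &&	/* peer is affected */
	    (exact ? restore_exact(&st) : restore_clobber(&st)) == 0)
		fl = fcntl(peer, F_GETFL);
	close(peer);
	close(fd);
	if (fl == -1)
		return -1;
	if (fl & O_APPEND)
		out |= KEPT_APPEND;
	if (fl & O_NONBLOCK)
		out |= KEPT_NONBLOCK;
	return out;
}

int
main(void)
{
	printf("restore with zero:        0x%x\n", flags_after_cycle(0));
	printf("restore with saved flags: 0x%x\n", flags_after_cycle(1));
	return 0;
}
```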


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
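
The bounded parsing that r1.331 (SOCKS4 username not NUL-terminated) and r1.364 (OOB strlen() in SOCKS4A hostname parsing) are about, as an added C example that is not OpenSSH's code: each string field is located with a length-limited search over the bytes actually received. The struct, the function names, the 256-byte field cap and the sample requests are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define S4_FIXED_LEN	8	/* VN, CD, DSTPORT (2 bytes), DSTIP (4 bytes) */
#define S4_STR_MAX	256	/* assumed cap on USERID/hostname, NUL included */

enum { S4_OK = 0, S4_NEED_MORE = 1, S4_BAD = -1 };

struct s4_request {
	uint8_t command;
	uint16_t port;
	uint8_t ip[4];
	char user[S4_STR_MAX];
	char host[S4_STR_MAX];	/* empty unless the request is SOCKS4A */
	size_t consumed;	/* input bytes that made up the request */
};

/*
 * Copy one NUL-terminated field out of the first len bytes at p. memchr()
 * is bounded by len, so the search never runs past the received data the
 * way strlen() on the raw buffer would.
 */
static int
take_cstring(const uint8_t *p, size_t len, char *dst, size_t dstlen,
    size_t *used)
{
	const uint8_t *nul = memchr(p, '\0', len);
	size_t n;

	if (nul == NULL)	/* no terminator yet: wait unless already too long */
		return len >= dstlen ? S4_BAD : S4_NEED_MORE;
	n = (size_t)(nul - p);
	if (n >= dstlen)
		return S4_BAD;
	memcpy(dst, p, n + 1);
	*used = n + 1;
	return S4_OK;
}

/* Parse a SOCKS4 or SOCKS4A request from buf[0..len). */
static int
socks4_parse(const uint8_t *buf, size_t len, struct s4_request *req)
{
	size_t off = S4_FIXED_LEN, used = 0;
	int r;

	memset(req, 0, sizeof(*req));
	if (len < S4_FIXED_LEN)
		return S4_NEED_MORE;
	if (buf[0] != 4)
		return S4_BAD;
	req->command = buf[1];
	req->port = (uint16_t)((buf[2] << 8) | buf[3]);
	memcpy(req->ip, buf + 4, 4);

	r = take_cstring(buf + off, len - off, req->user, sizeof(req->user), &used);
	if (r != S4_OK)
		return r;
	off += used;
	/* SOCKS4A marks "hostname follows" with DSTIP 0.0.0.x, x != 0. */
	if (buf[4] == 0 && buf[5] == 0 && buf[6] == 0 && buf[7] != 0) {
		r = take_cstring(buf + off, len - off, req->host, sizeof(req->host), &used);
		if (r != S4_OK)
			return r;
		off += used;
	}
	req->consumed = off;
	return S4_OK;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t sample_v4[] = { 4, 1, 0x00, 0x50, 192, 0, 2, 1, 'b', 'o', 'b', 0 };
static const uint8_t sample_v4_unterminated[] = { 4, 1, 0x00, 0x50, 192, 0, 2, 1, 'b', 'o', 'b' };
static const uint8_t sample_v4a[] = { 4, 1, 0x01, 0xbb, 0, 0, 0, 1, 'u', 0,
    'h', 'o', 's', 't', '.', 't', 'e', 's', 't', 0 };
static const uint8_t sample_v4a_no_host_nul[] = { 4, 1, 0x01, 0xbb, 0, 0, 0, 1, 'u', 0,
    'h', 'o', 's', 't' };
static struct s4_request demo_req;

/* A USERID with no terminator inside the cap is rejected, not buffered forever. */
static int
overlong_user_result(void)
{
	uint8_t buf[S4_FIXED_LEN + S4_STR_MAX] = { 4, 1, 0x00, 0x50, 192, 0, 2, 1 };

	memset(buf + S4_FIXED_LEN, 'A', S4_STR_MAX);
	return socks4_parse(buf, sizeof(buf), &demo_req);
}

int
main(void)
{
	int r = socks4_parse(sample_v4a, sizeof(sample_v4a), &demo_req);

	printf("v4a: r=%d user=%s host=%s port=%u\n", r, demo_req.user,
	    demo_req.host, (unsigned)demo_req.port);
	printf("overlong user: r=%d\n", overlong_user_result());
	return 0;
}
```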


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.431 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.430 10-Mar-2023 dtucker

Explicitly ignore return code from fcntl(.. FD_CLOEXEC) since there's
not much we can do anyway. From Coverity CID 291857, ok djm@


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.429 07-Mar-2023 djm

refactor to be more readable top to bottom. Prompted by Coverity CID
405048 which was a false-positive fd leak; ok dtucker@


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
  Auth-attempts are logged only, if authentication is:
    a) successful or
    b) with passwd or
    c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.428 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.427 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.426 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.425 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.424 06-Jan-2023 djm

tweak channel ctype names

These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus


# 1.423 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.422 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.421 18-Nov-2022 mbuhl

In channel_request_remote_forwarding the parameters for permission_set_add
are leaked as they are also duplicated in the call.
Found by CodeChecker.
ok djm


Revision tags: OPENBSD_7_2_BASE
# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.420 19-Sep-2022 djm

better debugging for connect_next()


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.419 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.418 04-May-2022 markus

make sure stdout is non-blocking; ok djm@


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.417 20-Apr-2022 djm

Try to continue running local I/O for channels in state OPEN during
SSH transport rekeying. The most visible benefit is that it should make
~-escapes work in the client (e.g. to exit) if the connection happened
to have stalled during a rekey event. Based on work by and ok dtucker@


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


Revision tags: OPENBSD_7_1_BASE
# 1.416 11-Apr-2022 djm

clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are
reused across cycles. ok markus@ deraadt@


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.415 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.414 15-Mar-2022 djm

improve DEBUG_CHANNEL_POLL debugging message


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
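
Added example (not OpenSSH code, and not part of this log): the SOCKS4 fixes recorded in r1.364 and r1.331 both come down to searching for a field's terminating NUL only within the bytes actually received. The parser below is a hypothetical sketch of that bounded approach for SOCKS4/4A requests; socks4_parse, struct socks4_req, the size caps and the sample requests are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_HDR_LEN  8     /* VN, CD, DSTPORT(2), DSTIP(4) */
#define SOCKS4_MAX_HOST 255   /* assumed cap on a SOCKS4A hostname */
#define SOCKS4_MAX_REQ  1024  /* assumed cap on a whole request */

enum { SOCKS4_BAD = -1, SOCKS4_OK = 0, SOCKS4_NEED_MORE = 1 };

struct socks4_req {           /* only meaningful when SOCKS4_OK is returned */
    uint8_t  command;
    uint16_t port;
    uint8_t  addr[4];
    char     host[SOCKS4_MAX_HOST + 1];  /* empty unless SOCKS4A */
    size_t   consumed;                   /* bytes of buf used by the request */
};

/*
 * Index of the first NUL in buf[off..len), or len if there is none.
 * memchr() is given the remaining length, so unlike strlen() it can
 * never run past the received data when the peer omits the terminator.
 */
static size_t find_nul(const uint8_t *buf, size_t off, size_t len)
{
    const uint8_t *p = memchr(buf + off, '\0', len - off);
    return p != NULL ? (size_t)(p - buf) : len;
}

int socks4_parse(const uint8_t *buf, size_t len, struct socks4_req *out)
{
    size_t user_end, host_start, host_end;

    if (len < SOCKS4_HDR_LEN)
        return SOCKS4_NEED_MORE;
    if (buf[0] != 4)
        return SOCKS4_BAD;
    memset(out, 0, sizeof(*out));
    out->command = buf[1];
    out->port = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(out->addr, buf + 4, 4);

    /* USERID: peer-controlled, may be unterminated in what we have so far. */
    user_end = find_nul(buf, SOCKS4_HDR_LEN, len);
    if (user_end == len)
        return len >= SOCKS4_MAX_REQ ? SOCKS4_BAD : SOCKS4_NEED_MORE;
    out->consumed = user_end + 1;

    /* SOCKS4A marks "hostname follows" with DSTIP 0.0.0.x, x != 0. */
    if (!(buf[4] == 0 && buf[5] == 0 && buf[6] == 0 && buf[7] != 0))
        return SOCKS4_OK;

    host_start = user_end + 1;            /* <= len, so find_nul is safe */
    host_end = find_nul(buf, host_start, len);
    if (host_end - host_start > SOCKS4_MAX_HOST)
        return SOCKS4_BAD;                /* too long, terminated or not */
    if (host_end == len)
        return len >= SOCKS4_MAX_REQ ? SOCKS4_BAD : SOCKS4_NEED_MORE;
    if (host_end == host_start)
        return SOCKS4_BAD;                /* empty hostname */
    memcpy(out->host, buf + host_start, host_end - host_start);
    out->consumed = host_end + 1;         /* host[] was zeroed above */
    return SOCKS4_OK;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t sample_v4[] = {
    4, 1, 0x00, 0x50, 192, 0, 2, 10, 'b', 'o', 'b', 0
};
static const uint8_t sample_4a[] = {
    4, 1, 0x01, 0xbb, 0, 0, 0, 1, 'b', 'o', 'b', 0,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 't', 'e', 's', 't', 0
};
static struct socks4_req req;

/* A peer that never sends the USERID terminator is cut off at the cap. */
int socks4_parse_flood(void)
{
    static uint8_t flood[SOCKS4_MAX_REQ];

    memcpy(flood, sample_v4, SOCKS4_HDR_LEN);
    memset(flood + SOCKS4_HDR_LEN, 'A', sizeof(flood) - SOCKS4_HDR_LEN);
    return socks4_parse(flood, sizeof(flood), &req);
}

int main(void)
{
    printf("v4 complete:        %d\n",
        socks4_parse(sample_v4, sizeof(sample_v4), &req));
    printf("v4 userid cut:      %d\n",
        socks4_parse(sample_v4, sizeof(sample_v4) - 1, &req));
    printf("4a hostname cut:    %d\n",
        socks4_parse(sample_4a, sizeof(sample_4a) - 1, &req));
    printf("4a complete:        %d host=%s port=%u\n",
        socks4_parse(sample_4a, sizeof(sample_4a), &req), req.host,
        (unsigned)req.port);
    printf("unterminated flood: %d\n", socks4_parse_flood());
    return 0;
}
```
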


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.413 17-Feb-2022 djm

check for EINTR/EAGAIN failures in the rfd fast-path;
caught by dtucker's minix3 vm :) ok dtucker@


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.412 22-Jan-2022 djm

Use sshbuf_read() to read directly into the channel input buffer
rather than into a stack buffer that needs to be copied again;
Improves performance by about 1% on cipher-speed.sh
feedback dtucker@ ok markus@


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.411 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.410 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.409 01-Jan-2022 jsg

spelling
ok dtucker@


Revision tags: OPENBSD_7_0_BASE
# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.408 14-Sep-2021 mbuhl

put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
OK mfriedl@


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.407 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
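The short-circuiting that r1.307 describes, as an added example that is not part of the commit log and is not OpenSSH's code. All names and the sample cookie are constructed for illustration, and the step counters exist only to make the difference observable without measuring time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16

/* Constructed sample secret for the demonstration, not a real value. */
static const unsigned char sample_cookie[COOKIE_LEN] = {
	0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
	0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f
};

/*
 * memcmp-style comparison: stops at the first mismatch, so the amount of
 * work (recorded in *steps) reveals how long the matching prefix was.
 */
int early_exit_differs(const unsigned char *a, const unsigned char *b,
    size_t n, size_t *steps)
{
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		(*steps)++;
		if (a[i] != b[i])
			return 1;
	}
	return 0;
}

/*
 * Constant-time comparison: every byte is always examined and the
 * differences are accumulated with OR, so the work depends only on n.
 * Returns 0 when equal and 1 otherwise, like a bcmp-style interface.
 */
int constant_time_differs(const void *a, const void *b, size_t n,
    size_t *steps)
{
	const volatile unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		acc |= pa[i] ^ pb[i];
		(*steps)++;
	}
	return acc != 0;
}

/* Build a candidate whose first correct_prefix bytes match the cookie. */
static void make_candidate(unsigned char *out, size_t correct_prefix)
{
	size_t i;

	memcpy(out, sample_cookie, COOKIE_LEN);
	for (i = correct_prefix; i < COOKIE_LEN; i++)
		out[i] ^= 0xff;
}

size_t early_exit_steps(size_t correct_prefix)
{
	unsigned char cand[COOKIE_LEN];
	size_t steps;

	make_candidate(cand, correct_prefix);
	(void)early_exit_differs(sample_cookie, cand, COOKIE_LEN, &steps);
	return steps;
}

size_t constant_time_steps(size_t correct_prefix)
{
	unsigned char cand[COOKIE_LEN];
	size_t steps;

	make_candidate(cand, correct_prefix);
	(void)constant_time_differs(sample_cookie, cand, COOKIE_LEN, &steps);
	return steps;
}

int constant_time_result(size_t correct_prefix)
{
	unsigned char cand[COOKIE_LEN];
	size_t steps;

	make_candidate(cand, correct_prefix);
	return constant_time_differs(sample_cookie, cand, COOKIE_LEN, &steps);
}

int main(void)
{
	size_t k;

	for (k = 0; k <= COOKIE_LEN; k += 4)
		printf("matching prefix %2zu: early-exit %2zu steps, "
		    "constant-time %2zu steps\n", k,
		    early_exit_steps(k), constant_time_steps(k));
	return 0;
}
```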


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
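The "n * size" overflow that r1.243 and r1.242 describe, as an added example that is not part of the commit log and is not OpenSSH's code. The helper names (checked_calloc, checked_reallocarray) are hypothetical, and unlike the x*() functions named in the log they return NULL rather than terminating the program.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A member count chosen so that count * 16 wraps around to exactly 16. */
#define WRAP_NMEMB (SIZE_MAX / 16 + 2)

/* The idiom the log warns about: the product wraps modulo SIZE_MAX + 1. */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Store nmemb * size in *total and return 1, or return 0 if it cannot fit. */
int array_size(size_t nmemb, size_t size, size_t *total)
{
	if (size != 0 && nmemb > SIZE_MAX / size)
		return 0;
	*total = nmemb * size;
	return 1;
}

/* Hypothetical helper: zeroed array allocation that rejects overflow. */
void *checked_calloc(size_t nmemb, size_t size)
{
	size_t total;

	if (nmemb == 0 || size == 0) {
		errno = EINVAL;
		return NULL;
	}
	if (!array_size(nmemb, size, &total)) {
		errno = ENOMEM;
		return NULL;
	}
	return calloc(nmemb, size);
}

/*
 * Hypothetical helper: resize to nmemb items of size bytes. The caller
 * passes the two factors separately, so the multiplication is checked in
 * one place. On failure the original allocation is left untouched.
 */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
	size_t total;

	if (nmemb == 0 || size == 0) {
		errno = EINVAL;
		return NULL;
	}
	if (!array_size(nmemb, size, &total)) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(ptr, total);
}

/* Allocate 4 ints, grow to 8, and confirm the old contents survived. */
int grow_preserves_data(void)
{
	int *p, *q, ok;

	if ((p = checked_calloc(4, sizeof(*p))) == NULL)
		return 0;
	p[3] = 42;
	if ((q = checked_reallocarray(p, 8, sizeof(*q))) == NULL) {
		free(p);
		return 0;
	}
	ok = (q[0] == 0 && q[3] == 42);
	free(q);
	return ok;
}

int main(void)
{
	/* A caller that trusts the wrapped product gets a 16-byte buffer. */
	printf("naive size for %zu items of 16 bytes: %zu\n",
	    (size_t)WRAP_NMEMB, naive_alloc_size(WRAP_NMEMB, 16));
	printf("checked_calloc on the same request: %s\n",
	    checked_calloc(WRAP_NMEMB, 16) == NULL ? "refused" : "allocated");
	printf("grow_preserves_data: %d\n", grow_preserves_data());
	return 0;
}
```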


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.406 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.405 15-Feb-2021 markus

ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.404 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.403 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.402 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.401 03-Jul-2020 djm

put back the mux_ctx memleak fix, but only for channels of type
SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
should not have this structure freed.


# 1.400 03-Jul-2020 djm

revert r1.399 - the lifetime of c->mux_ctx is more complex; simply freeing
it here causes other problems


# 1.399 03-Jul-2020 djm

fix memory leak of mux_ctx; patch from Sergiy Lozovsky via bz3189
ok dtucker


Revision tags: OPENBSD_6_7_BASE
# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.398 25-Apr-2020 dtucker

We've standardized on memset over bzero, replace a couple that had slipped
in. ok deraadt markus djm.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.397 06-Mar-2020 markus

fix uninitialized pointers for forward_cancel; ok djm


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.396 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.395 25-Jan-2020 djm

the GatewayPorts vs -R listen address selection logic is still
confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258


Revision tags: OPENBSD_6_6_BASE
# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok daraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.394 07-Jul-2019 dtucker

Remove some set but never used variables. ok deraadt@


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.393 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.392 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistency.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.391 10-May-2019 florian

For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming.

Add the same logging for PermitListen violations which were not
logged at all.

Pointed out by Robert Kisteleki (robert AT ripe.net)

input markus
OK deraadt


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.390 03-May-2019 dtucker

Free channel objects on exit path. Patch from markus at blueflash.cc,
ok deraadt


Revision tags: OPENBSD_6_5_BASE
# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
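
The comparison technique named in r1.307 and r1.308 above, as an added example that is not OpenSSH's timingsafe_bcmp() source. The names ct_bcmp, early_exit_steps and token_matches and the sample token are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample secret; not a value from OpenSSH. */
static const unsigned char sample_token[] = "0123456789abcdef";
#define SAMPLE_TOKEN_LEN (sizeof(sample_token) - 1)

/*
 * Compare n bytes without a data-dependent early exit: every byte pair is
 * read and folded into one accumulator. Returns 0 if equal, 1 otherwise.
 */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const volatile unsigned char *p1 = a, *p2 = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= p1[i] ^ p2[i];
	return diff != 0;
}

/*
 * Model of a short-circuiting compare: returns how many byte pairs are
 * examined before the result is known. The count grows with the length of
 * the matching prefix, which is the timing signal the commit refers to.
 */
size_t
early_exit_steps(const void *a, const void *b, size_t n)
{
	const unsigned char *p1 = a, *p2 = b;
	size_t i;

	for (i = 0; i < n; i++)
		if (p1[i] != p2[i])
			return i + 1;
	return n;
}

/*
 * Token check built on ct_bcmp(). The length test may exit early because
 * the expected length is not treated as secret here.
 */
int
token_matches(const unsigned char *expected, size_t explen,
    const unsigned char *got, size_t gotlen)
{
	if (explen != gotlen)
		return 0;
	return ct_bcmp(expected, got, explen) == 0;
}

int
main(void)
{
	/* Constructed guesses with 0, 4 and 15 correct leading bytes. */
	const char *guesses[] = {
		"xxxxxxxxxxxxxxxx", "0123xxxxxxxxxxxx", "0123456789abcdex"
	};
	size_t i;

	for (i = 0; i < sizeof(guesses) / sizeof(guesses[0]); i++)
		printf("%s: early-exit compare stops after %zu bytes, "
		    "ct_bcmp reads all %zu and returns %d\n", guesses[i],
		    early_exit_steps(sample_token, guesses[i], SAMPLE_TOKEN_LEN),
		    SAMPLE_TOKEN_LEN,
		    ct_bcmp(sample_token, guesses[i], SAMPLE_TOKEN_LEN));
	return 0;
}
```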


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
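
The allocation idiom that r1.243 and r1.242 above describe, as an added example that is not OpenSSH's xcalloc()/xrealloc() source. The names unchecked_bytes, checked_reallocarray, checked_calloc, fwd_entry, fwd_table and table_append are assumptions for this illustration, and these helpers return NULL with errno set to ENOMEM rather than terminating the process.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What malloc(nmemb * size) really requests: the product wraps silently. */
size_t
unchecked_bytes(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/*
 * realloc() taking the count and item size separately, so the
 * multiplication is checked in one place. Zero-sized requests are refused
 * to avoid realloc(p, 0), whose behaviour varies between C libraries.
 */
void *
checked_reallocarray(void *p, size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0 || nmemb > SIZE_MAX / size) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(p, nmemb * size);
}

/* Zero-filled allocation with the same explicit overflow check. */
void *
checked_calloc(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0 || nmemb > SIZE_MAX / size) {
		errno = ENOMEM;
		return NULL;
	}
	return calloc(nmemb, size);
}

/* Constructed table type, standing in for any list grown one item at a time. */
struct fwd_entry {
	char host[64];
	unsigned short port;
};

struct fwd_table {
	struct fwd_entry *items;
	size_t n;
};

/* Append one entry. On failure the existing table is left intact. */
int
table_append(struct fwd_table *t, const char *host, unsigned short port)
{
	struct fwd_entry *tmp;

	if (t->n == SIZE_MAX) {		/* t->n + 1 would wrap to 0 */
		errno = ENOMEM;
		return -1;
	}
	tmp = checked_reallocarray(t->items, t->n + 1, sizeof(*tmp));
	if (tmp == NULL)
		return -1;		/* t->items is still valid */
	t->items = tmp;
	snprintf(tmp[t->n].host, sizeof(tmp[t->n].host), "%s", host);
	tmp[t->n].port = port;
	t->n++;
	return 0;
}

int
main(void)
{
	/* Constructed count chosen so that count * 16 wraps to 16. */
	size_t huge = SIZE_MAX / 16 + 2;
	struct fwd_table t = { NULL, 0 };

	printf("unchecked: %zu items of 16 bytes -> %zu bytes requested\n",
	    huge, unchecked_bytes(huge, 16));
	printf("checked:   %s\n",
	    checked_calloc(huge, 16) == NULL ? "refused" : "allocated");
	if (table_append(&t, "localhost", 8080) == 0)
		printf("table now holds %zu entry\n", t.n);
	free(t.items);
	return 0;
}
```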


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.389 19-Jan-2019 djm

convert channels.c to new packet API

with & ok markus@


# 1.388 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.387 07-Dec-2018 djm

no need to allocate channels_pre/channels_post in channel_init_channels()
as we do it anyway in channel_handler_init() that we call at the end of
the function. Fix from Markus Schmidt via bz#2938


Revision tags: OPENBSD_6_4_BASE
# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.386 04-Oct-2018 djm

factor out channel status formatting from channel_open_message() so
we can use it in other debug messages


# 1.385 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.384 27-Jul-2018 markus

avoid expensive channel_open_message() calls; ok djm@


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.383 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.382 25-Jun-2018 djm

fix NULL dereference in open_listen_match_tcpip()


# 1.381 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X ports numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding
to specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.380 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


Revision tags: OPENBSD_6_3_BASE
# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.379 05-Feb-2018 tb

The file descriptors for socket, stdin, stdout and stderr aren't
necessarily distinct, so check if they are the same to avoid closing
the same fd several times.

ok djm


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding
to specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.378 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler to just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.377 05-Dec-2017 djm

include the addr:port in bind/listen failure messages


# 1.376 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


Revision tags: OPENBSD_6_2_BASE
# 1.375 24-Sep-2017 djm

fix inverted test on channel open failure path that "upgraded" a
transient failure into a fatal error; reported by sthen and also seen
by benno@; ok sthen@


# 1.374 24-Sep-2017 djm

write the correct buffer when tunnel forwarding; doesn't matter
on OpenBSD (they are the same) but does matter on portable where
we use an output filter to translate os-specific tun/tap headers


# 1.373 23-Sep-2017 djm

fix tunnel forwarding problem introduced in refactor; reported by
stsp@ ok markus@


# 1.372 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.371 19-Sep-2017 millert

Use explicit_bzero() instead of bzero() before free() to prevent
the compiler from optimizing away the bzero() call. OK djm@


# 1.370 12-Sep-2017 djm

unused variable


# 1.369 12-Sep-2017 djm

fix tun/tap forwarding case in previous


# 1.368 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.367 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.366 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.365 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.364 31-May-2017 djm

fix possible OOB strlen() in SOCKS4A hostname parsing; ok markus@


# 1.363 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.362 30-May-2017 markus

remove ssh1 references; ok djm@


# 1.361 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.360 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.359 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.358 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.357 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.356 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.355 30-Sep-2016 djm

fix some -Wpointer-sign warnings in the new mux proxy; ok markus@


# 1.354 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.353 19-Sep-2016 natano

Replace two more arc4random() loops with arc4random_buf().

tweaks and ok dtucker
ok deraadt


# 1.352 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


Revision tags: OPENBSD_6_0_BASE
# 1.351 19-Jul-2016 dtucker

Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@


# 1.350 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.349 05-Feb-2016 naddy

Only check errno if read() has returned an error. EOF is not an error.
This fixes a problem where the mux master would sporadically fail to
notice that the client had exited.
ok mikeb@ djm@


# 1.348 15-Oct-2015 djm

fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias


Revision tags: OPENBSD_5_8_BASE
# 1.347 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.346 30-Jun-2015 djm

fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@


# 1.345 30-Jun-2015 djm

Fix math error in remote window calculations that causes eventual stalls
for datagram channels. Reported by Georg Wicherski, ok markus@


# 1.344 05-Jun-2015 millert

For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name."
(we have a path, not a host name). Based on a diff from Jared Yanovich.
OK djm@


# 1.343 08-May-2015 dtucker

Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed.
Fixes post-auth crash with permitopen=none. bz#2355, ok djm@


# 1.342 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


Revision tags: OPENBSD_5_7_BASE
# 1.341 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.340 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.339 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.338 11-Dec-2014 djm

explicitly include sys/param.h in files that use the howmany() macro;
from portable


# 1.337 08-Oct-2014 djm

fix a few -Wpointer-sign warnings from clang


Revision tags: OPENBSD_5_6_BASE
# 1.336 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.335 05-Jul-2014 djm

fix remote-forward cancel regression; ok markus@


# 1.334 03-Jul-2014 djm

allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@


# 1.333 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


# 1.332 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


Revision tags: OPENBSD_5_5_BASE
# 1.331 26-Feb-2014 djm

don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@


# 1.330 15-Feb-2014 djm

avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@


# 1.329 31-Jan-2014 tedu

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 1.328 19-Dec-2013 djm

bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.

Diagnosis and fix by ronf AT timeheart.net


# 1.327 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


# 1.326 19-Sep-2013 djm

bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@


# 1.325 13-Sep-2013 djm

avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@


Revision tags: OPENBSD_5_4_BASE
# 1.324 12-Jul-2013 djm

branches: 1.324.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.323 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.322 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.321 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.320 06-Apr-2013 markus

handle ECONNABORTED for accept(); ok deraadt some time ago...


Revision tags: OPENBSD_5_3_BASE
# 1.319 02-Dec-2012 djm

branches: 1.319.2;
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.318 23-Apr-2012 djm

fix function proto/source mismatch


# 1.317 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.316 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.315 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.314 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.313 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.312 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.311 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.310 24-Nov-2010 djm

remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker


Revision tags: OPENBSD_4_8_BASE
# 1.309 05-Aug-2010 djm

Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):

Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).

In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).

In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.

report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@


# 1.308 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.307 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


# 1.306 25-Jun-2010 djm

bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@


# 1.305 25-Jun-2010 djm

bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@


# 1.304 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.303 30-Jan-2010 djm

fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker


# 1.302 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.301 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.300 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.299 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.298 10-Nov-2009 dtucker

Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.


# 1.297 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.296 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.295 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.294 22-Jan-2009 djm

oops! I committed the wrong version of the Channel->path diff,
it was missing some tweaks suggested by stevesk@


# 1.293 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


# 1.292 14-Jan-2009 djm

support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
"looks ok" markus@


# 1.291 01-Jan-2009 djm

call channel destroy callbacks on receipt of open failure messages.
fixes client hangs when connecting to a server that has MaxSessions=0
set spotted by imorgan AT nas.nasa.gov; ok markus@


# 1.290 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.289 02-Dec-2008 markus

s/remote_id/id/ to be more consistent with other code; ok djm@


# 1.288 11-Nov-2008 stevesk

for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
permitopen's; ok and input dtucker@


# 1.287 01-Nov-2008 stevesk

fix some typos in log messages; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.286 16-Jul-2008 djm

this loop index should be automatic, not static


# 1.285 13-Jul-2008 djm

use struct sockaddr_storage instead of struct sockaddr for accept(2)
address argument. from visibilis AT yahoo.com in bz#1485; ok markus@


# 1.284 12-Jul-2008 djm

unbreak; move clearing of cctx struct to before first use
reported by dkrause@


# 1.283 10-Jul-2008 markus

missing bzero; from mickey; ok djm@


# 1.282 16-Jun-2008 dtucker

Rename the isatty argument to is_tty so we don't shadow isatty(3).
ok markus@


# 1.281 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.280 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.279 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.278 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.277 09-May-2008 markus

error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@


# 1.276 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.275 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.274 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


# 1.273 02-Apr-2008 markus

avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.272 19-Jan-2008 djm

branches: 1.272.2;
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.

report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@


# 1.271 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.270 25-Jun-2007 dtucker

branches: 1.270.2;
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@


# 1.269 11-Jun-2007 markus

send 'window adjust' messages every three packets and do not wait
until 50% of the window is consumed. ok djm dtucker


Revision tags: OPENBSD_4_1_BASE
# 1.268 03-Jan-2007 stevesk

branches: 1.268.2;
spaces


# 1.267 12-Dec-2006 djm

bz #1019: some ssh.com versions apparently can't cope with the remote port
forwarding bind_address being a hostname, so send them an address for cases
where they are not explicitly specified (wildcard or localhost bind).
reported by daveroth AT acm.org; ok dtucker@ deraadt@


Revision tags: OPENBSD_4_0_BASE
# 1.266 29-Aug-2006 djm

normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@


# 1.265 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.264 01-Aug-2006 stevesk

clean extra spaces


# 1.263 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.262 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.261 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.260 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.259 21-Jul-2006 stevesk

more ARGSUSED (lint) for dispatch table-driven functions; ok djm@


# 1.258 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.257 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.256 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.255 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.254 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.253 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.252 10-Jul-2006 djm

fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@


# 1.251 03-Jul-2006 stevesk

move #include <arpa/inet.h> out of includes.h; old ok djm@


# 1.250 16-Apr-2006 djm

Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@


# 1.249 30-Mar-2006 djm

ARGSUSED for dispatch table-driven functions


# 1.248 28-Mar-2006 deraadt

do not accept unreasonable X port numbers; ok djm


# 1.247 25-Mar-2006 deraadt

delete cast not required


# 1.246 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.245 25-Mar-2006 deraadt

use strtonum() instead of atoi() [limit X screens to 400, sorry]


# 1.244 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.243 25-Mar-2006 djm

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@


# 1.242 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.241 20-Mar-2006 deraadt

spacing


# 1.240 20-Mar-2006 deraadt

x11_fake_data is only ever used as u_char *


# 1.239 20-Mar-2006 deraadt

annoying spacing fixes getting in the way of real diffs


# 1.238 20-Mar-2006 deraadt

sprinkle u_int throughout pty subsystem, ok markus


# 1.237 19-Mar-2006 deraadt

spacing


# 1.236 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.235 20-Feb-2006 stevesk

branches: 1.235.2;
move #include <sys/un.h> out of includes.h; ok djm@


# 1.234 10-Feb-2006 stevesk

move #include <sys/ioctl.h> out of includes.h; ok markus@


# 1.233 07-Feb-2006 stevesk

move #include <termios.h> out of includes.h; ok markus@


# 1.232 30-Jan-2006 reyk

mark channel as write failed or dead instead of read failed on error
of the channel output filter.

ok markus@


# 1.231 30-Dec-2005 reyk

add channel output filter interface.

ok djm@, suggested by markus@


# 1.230 28-Dec-2005 stevesk

use 'break-in' for consistency; ok deraadt@ ok and input jmc@


# 1.229 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.228 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.227 14-Oct-2005 stevesk

free()->xfree(); ok djm@


# 1.226 11-Oct-2005 djm

bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@


# 1.225 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


# 1.224 07-Sep-2005 markus

enforce chanid != NULL; ok djm


Revision tags: OPENBSD_3_8_BASE
# 1.223 17-Jul-2005 djm

branches: 1.223.2;
knf says that a 2nd level indent is four (not three or five) spaces


# 1.222 17-Jul-2005 djm

Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.221 16-Jul-2005 djm

spacing


# 1.220 04-Jul-2005 markus

don't forget to set x11_saved_display


# 1.219 04-Jul-2005 djm

implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.

ok dtucker@ "put it in" deraadt@


# 1.218 01-Jul-2005 markus

don't free() if getaddrinfo() fails; report mpech@


# 1.217 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.216 16-Jun-2005 markus

don't exit if getpeername fails for forwarded ports; bugzilla #1054; ok djm


# 1.215 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.214 14-Mar-2005 markus

branches: 1.214.2;
limit input buffer size for channels; bugzilla #896; with and ok dtucker@


# 1.213 10-Mar-2005 deraadt

spacing


# 1.212 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.211 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.210 23-Aug-2004 djm

branches: 1.210.2;
typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus


# 1.209 11-Aug-2004 avsm

some signed/unsigned int comparison cleanups; markus@ ok


# 1.208 11-Jul-2004 deraadt

spaces


# 1.207 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.206 18-Jun-2004 djm

clientloop.c


# 1.205 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.204 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.203 26-May-2004 markus

missing freeaddrinfo; Andrey Matveev


# 1.202 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


# 1.201 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.200 19-Jan-2004 markus

branches: 1.200.2;
fake consumption for half closed channels since the peer is waiting for
window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'


# 1.199 02-Dec-2003 markus

use SSH_LISTEN_BACKLOG (=128) in listen(2).


# 1.198 21-Nov-2003 djm

unexpand and delete whitespace at EOL; ok markus@


# 1.197 23-Sep-2003 markus

move client only agent code to clientloop.c


# 1.196 19-Sep-2003 markus

do not call channel_free_all on fatal; ok deraadt


Revision tags: OPENBSD_3_4_BASE
# 1.195 16-Sep-2003 markus

branches: 1.195.2;
more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU


# 1.194 29-Aug-2003 markus

be less chatty; debug -> debug2, cleanup; ok henning@


# 1.193 02-Jul-2003 markus

(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.


# 1.192 02-Jul-2003 markus

deny dynamic forwarding with -R for v1, too; ok djm@


# 1.191 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.190 11-May-2003 markus

make channel_new() strdup the 'remote_name' (not the caller); ok theo


# 1.189 14-Apr-2003 markus

avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP


# 1.188 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.187 05-Mar-2003 markus

branches: 1.187.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@


# 1.186 10-Jan-2003 djm

hush socket() errors, except last. Fixes mindrot bug #408; ok markus@


# 1.185 01-Jan-2003 markus

move big output buffer messages to debug2


# 1.184 13-Dec-2002 markus

cleanup debug messages, more useful information for the client user.


Revision tags: OPENBSD_3_2_BASE
# 1.183 17-Sep-2002 itojun

branches: 1.183.2;
don't quit while creating X11 listening socket.

http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok


# 1.182 13-Sep-2002 stevesk

remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@


# 1.181 09-Sep-2002 markus

signed vs unsigned from -pedantic; ok henning@


# 1.180 04-Jul-2002 deraadt

blah blah minor nothing as i read and re-read and re-read...


# 1.179 26-Jun-2002 markus

limit # of channels to 10000


# 1.178 24-Jun-2002 markus

move channel counter to u_int


# 1.177 23-Jun-2002 markus

tcode is u_int


# 1.176 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.175 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


# 1.174 09-Jun-2002 markus

use tab not spaces (|unexpand)


# 1.173 22-Apr-2002 markus

request reply (success/failure) for -R style fwd in protocol v2,
depends on ordered replies.
fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.172 25-Mar-2002 markus

branches: 1.172.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.171 04-Mar-2002 markus

off by one; thanks to joost@pine.nl


# 1.170 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.169 24-Feb-2002 stevesk

disable Nagle in connect_to() and channel_post_port_listener() (port
forwarding endpoints). the intention is to preserve the on-the-wire
appearance to applications at either end; the applications can then
enable TCP_NODELAY according to their requirements. ok markus@


# 1.168 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.167 06-Feb-2002 markus

channel_new never returns NULL, mouring@; ok djm@


# 1.166 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.165 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.164 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.163 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.162 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.161 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.160 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.159 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.158 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.157 09-Jan-2002 markus

merge channel_pre_open_15/channel_pre_open_20; ok provos@


# 1.156 05-Jan-2002 markus

fix hanging x11 channels for rejected cookies (e.g. XAUTHORITY=/dev/null xbiff)
bug #36, based on patch from djast@cs.toronto.edu


# 1.155 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.154 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.153 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.152 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.151 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.150 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.149 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.148 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.147 08-Dec-2001 stevesk

use only one path to X11 UNIX domain socket vs. an array of paths
to try. report from djast@cs.toronto.edu. ok markus@


# 1.146 06-Dec-2001 stevesk

disable nagle for X11 fake server and client TCPs. from netbsd.
ok markus@


# 1.145 06-Dec-2001 stevesk

strncpy->strlcpy. remaining strncpy's are necessary. ok markus@


# 1.144 06-Dec-2001 stevesk

shutdown(sock, SHUT_RDWR) not needed here; ok markus@


# 1.143 05-Dec-2001 deraadt

minor KNF


# 1.142 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.141 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


Revision tags: OPENBSD_3_0_BASE
# 1.140 10-Oct-2001 markus

branches: 1.140.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.139 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.138 08-Oct-2001 markus

better debug


# 1.137 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.136 04-Oct-2001 markus

comment out bogus conditions for selecting on connection_in


# 1.135 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.134 17-Sep-2001 markus

don't send fake dummy packets on CR (\r)
bugreport from yyua@cs.sfu.ca via solar@openwall.com


# 1.133 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.132 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.131 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.130 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.129 29-Jun-2001 stevesk

use socklen_t for getsockopt arg #5; ok markus@


# 1.128 25-Jun-2001 markus

update copyright for 2001


# 1.127 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.126 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.125 07-Jun-2001 markus

use xxx_put_cstring()


# 1.124 05-Jun-2001 markus

don't delete the auth socket in channel_stop_listening()
auth_sock_cleanup_proc() will take care of this.


# 1.123 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.122 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.121 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.120 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.119 28-May-2001 markus

cleanup, typo


# 1.118 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.117 19-May-2001 stevesk

typo in error message


# 1.116 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.115 09-May-2001 markus

fix -R for protocol 2, noticed by greg@nest.cx.
bug was introduced with experimental dynamic forwarding.


# 1.114 08-May-2001 markus

adds correct error reporting to async connect()s
fixes the server-discards-data-before-connected-bug found by onoe@sm.sony.co.jp


# 1.113 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


# 1.112 04-May-2001 markus

channel_new() reallocs channels[], we cannot use Channel *c after calling
channel_new(), XXX fix this in the future...


# 1.111 03-May-2001 stevesk

typo in debug() string


# 1.110 29-Apr-2001 markus

more ssh.com-2.0.x bug-compat; from per@appgate.com


Revision tags: OPENBSD_2_9_BASE
# 1.109 17-Apr-2001 markus

branches: 1.109.2;
undo socks5 and https support since they are not really used and
only bloat ssh. remove -D from usage(), since '-D' is experimental.


# 1.108 14-Apr-2001 markus

remove some channels that are not appropriate for keepalive.


# 1.107 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.106 11-Apr-2001 markus

https-connect and socks5 support. i feel so bad.


# 1.105 10-Apr-2001 markus

debug cleanup


# 1.104 10-Apr-2001 markus

cleanup socks4 handling


# 1.103 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.102 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.101 05-Apr-2001 markus

fix whitespace: unexpand + trailing spaces.


# 1.100 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.99 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.98 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.97 04-Mar-2001 markus

debug1->2


# 1.96 28-Feb-2001 markus

typo


# 1.95 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.94 28-Feb-2001 markus

unify debug messages


# 1.93 28-Feb-2001 markus

make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.92 16-Feb-2001 markus

remove debug


# 1.91 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.90 08-Feb-2001 markus

nuke sprintf, ok deraadt@


# 1.89 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.88 01-Feb-2001 markus

use ipaddr in channel messages, ietf-secsh wants this


# 1.87 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.86 31-Jan-2001 markus

ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE messages; bug report from edmundo@rano.org


# 1.85 29-Jan-2001 markus

add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS


# 1.84 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.83 24-Jan-2001 stevesk

missing freeaddrinfo(); ok markus@


# 1.82 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.81 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.80 08-Jan-2001 markus

O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com


# 1.79 29-Dec-2000 markus

missing xfree; from vaughan99@yahoo.com


# 1.78 29-Dec-2000 markus

remove->unlink; stevesk@pobox.com


# 1.77 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.76 19-Dec-2000 markus

remove() -> unlink() for consistency


# 1.75 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.74 30-Nov-2000 markus

debug -> warn if server tries to do -R style fwd w/o client requesting this; ok niels@


# 1.73 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.72 27-Oct-2000 markus

branches: 1.72.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.71 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.70 28-Sep-2000 markus

debug -> debug2 cleanup


# 1.69 21-Sep-2000 markus

add context to dispatch_run


# 1.68 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.67 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.66 19-Aug-2000 markus

more ~ support for ssh2


# 1.65 19-Aug-2000 markus

support for ~. in ssh2


# 1.64 16-Jul-2000 markus

make ssh-add accept dsa keys (the agent does not)


# 1.63 25-Jun-2000 provos

correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>


# 1.62 20-Jun-2000 markus

OpenBSD tag


# 1.61 17-Jun-2000 deraadt

a real nix


# 1.60 17-Jun-2000 deraadt

everyone says "nix it"


# 1.59 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


# 1.58 17-May-2000 markus

enable nonblocking IO for sshd w/ proto 1, too; split out common code


Revision tags: OPENBSD_2_7_BASE
# 1.57 08-May-2000 markus

branches: 1.57.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.56 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.55 02-May-2000 markus

set O_NONBLOCK


# 1.54 01-May-2000 markus

unbreak, ok niels@


# 1.53 01-May-2000 markus

EINTR


# 1.52 01-May-2000 markus

init all fds, close all fds.


# 1.51 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.50 16-Apr-2000 markus

fix pr 1196, listen_port and port_to_connect interchanged


# 1.49 14-Apr-2000 markus

whitespace cleanup


# 1.48 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.47 10-Apr-2000 markus

repair x11-fwd


# 1.46 06-Apr-2000 markus

no adjust after close


# 1.45 04-Apr-2000 markus

close efd on eof


# 1.44 03-Apr-2000 markus

channel layer support for ssh2


# 1.43 28-Mar-2000 markus

typo


# 1.42 28-Mar-2000 markus

missing close


# 1.41 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.40 27-Mar-2000 markus

allow bigger packets


# 1.39 16-Mar-2000 markus

-pedantic: signed vs. unsigned, void*-arithm, etc


# 1.38 24-Jan-2000 markus

do not connect() if request has been denied.


# 1.37 10-Jan-2000 markus

discard data for channel if state != CHAN_OUTPUT_OPEN, fixes lockup


# 1.36 04-Jan-2000 markus

listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)


# 1.35 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.34 27-Dec-1999 markus

use packet_get_maxsize for channels. consistence.


# 1.33 12-Dec-1999 markus

type conflict for 'extern Type *options' in channels.c; dot@dotat.at


# 1.32 06-Dec-1999 deraadt

display great hatred towards strcpy


# 1.31 01-Dec-1999 markus

ports are u_short


# 1.30 25-Nov-1999 deraadt

fix type


# 1.29 24-Nov-1999 markus

fix packet_integrity_check() for !have_hostname_in_open.
report from mrwizard@psu.edu via djm@ibs.com.au


# 1.28 24-Nov-1999 markus

set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.23 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.22 19-Nov-1999 deraadt

make this compile, bad markus


# 1.21 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@


# 1.20 11-Nov-1999 markus

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary


# 1.19 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


# 1.18 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


# 1.17 26-Oct-1999 markus

more useful debug messages and simplify channel alloc code


Revision tags: OPENBSD_2_6_BASE
# 1.16 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.15 16-Oct-1999 deraadt

snprintf


# 1.14 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.13 14-Oct-1999 markus

fix old connect() race security-bug for ssh-agent and agent-forwarding
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work


# 1.12 05-Oct-1999 markus

move auth-sockets to private dir
delete minfd residua


# 1.11 04-Oct-1999 markus

nuke genminfd/AUTH_FD


# 1.10 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.9 30-Sep-1999 deraadt

even smaller


# 1.8 30-Sep-1999 deraadt

IPPORT_RESERVED


# 1.7 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.6 29-Sep-1999 deraadt

numerous sprintf, strncpy, strcpy cleanups


# 1.5 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.4 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.3 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.