History log of /openbsd-current/usr.bin/ssh/channels.h
Revision Date Author Comments
# 1.156 23-May-2024 jsg

remove unused struct fwd_perm_list, no decl with complete type
ok djm@


# 1.155 17-May-2024 jsg

remove prototypes with no matching function; ok djm@


Revision tags: OPENBSD_7_5_BASE
# 1.154 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@
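The window check this entry describes, as an added model that is not OpenSSH's own code: the peer is credited a receive window, each CHANNEL_DATA payload consumes part of it, and a peer that keeps sending past the window accumulates excess. In the lenient mode the excess is dropped silently; in the strict mode the connection is flagged for termination once the cumulative excess passes a grace allowance. The struct and function names, the window size and the grace size are all constructed for this example and are not the identifiers or constants used in channels.c.

```c
/* Added example, not OpenSSH code: a model of the receive-side channel
 * window check. All names and constants here are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_WINDOW_MAX 4096u  /* constructed: advertised window, bytes */
#define MODEL_GRACE      256u   /* constructed: tolerated cumulative excess */

enum win_verdict { WIN_ACCEPT, WIN_EXCESS_DROPPED, WIN_DISCONNECT };

struct win_channel {
	uint32_t window;  /* bytes the peer may still send */
	uint32_t excess;  /* cumulative bytes received beyond the window */
	int strict;       /* 1 = terminate on excess, 0 = old lenient behaviour */
};

static void
win_channel_init(struct win_channel *c, int strict)
{
	memset(c, 0, sizeof(*c));
	c->window = MODEL_WINDOW_MAX;
	c->strict = strict;
}

/* Account for one received CHANNEL_DATA payload of len bytes. */
static enum win_verdict
win_channel_receive(struct win_channel *c, uint32_t len)
{
	if (len <= c->window) {
		c->window -= len;
		return WIN_ACCEPT;
	}
	/* Peer sent more than it was permitted: record the overshoot. */
	c->excess += len - c->window;
	c->window = 0;
	if (c->strict && c->excess > MODEL_GRACE)
		return WIN_DISCONNECT;
	return WIN_EXCESS_DROPPED;
}

/* Re-credit the peer after the local consumer drained nbytes (the
 * WINDOW_ADJUST direction); never grow past the maximum. */
static void
win_channel_adjust(struct win_channel *c, uint32_t nbytes)
{
	if (nbytes > MODEL_WINDOW_MAX - c->window)
		c->window = MODEL_WINDOW_MAX;
	else
		c->window += nbytes;
}

/* Feed a constructed burst sequence from a peer that ignores the window
 * and return the final verdict: fills the window, then keeps sending. */
static enum win_verdict
win_model_run(int strict)
{
	struct win_channel c;
	enum win_verdict v = WIN_ACCEPT;
	const uint32_t bursts[] = { 3000, 1000, 200, 200, 200 };
	size_t i;

	win_channel_init(&c, strict);
	for (i = 0; i < sizeof(bursts) / sizeof(bursts[0]); i++) {
		v = win_channel_receive(&c, bursts[i]);
		if (v == WIN_DISCONNECT)
			break;
	}
	return v;
}

/* Drain a full window, re-credit it, and return the resulting window
 * so the clamp in win_channel_adjust() can be checked. */
static uint32_t
win_model_adjust_check(uint32_t credit)
{
	struct win_channel c;

	win_channel_init(&c, 1);
	(void)win_channel_receive(&c, MODEL_WINDOW_MAX);
	win_channel_adjust(&c, credit);
	return c.window;
}

int
main(void)
{
	printf("lenient peer overrun verdict: %d (1 = excess dropped)\n",
	    win_model_run(0));
	printf("strict peer overrun verdict:  %d (2 = disconnect)\n",
	    win_model_run(1));
	return 0;
}
```

With the constructed bursts the first two payloads fit in the window, the third overshoots by 104 bytes (within grace), and the fourth pushes the cumulative excess to 304 bytes, which is where the strict mode reports a disconnect; the lenient mode never does.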


# 1.153 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.152 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.151 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.150 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding
to specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.154 18-Dec-2023 djm

stricter handling of channel window limits

This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@


# 1.153 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfucation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.152 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.151 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.150 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@
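Revision 1.138 above describes saving the blocking state of the stdio descriptors and restoring it before they are abandoned, and revision 1.148 refines that to put back exactly the flags that were found, because writing zero would also drop flags such as O_APPEND. The following is an added example of that pattern and is not OpenSSH's own code; the function names (`fd_set_nonblock_save`, `fd_restore_flags`, `fd_clobber_flags`, `open_scratch_append`, `fd_get_flags`) are hypothetical, and `fd_clobber_flags` is kept only to show the pre-1.148 behaviour beside the corrected one.

```c
/*
 * Added example (not OpenSSH code): record a descriptor's fcntl(2) status
 * flags before switching it to non-blocking mode, and later restore
 * exactly those flags, as revisions 1.138 and 1.148 describe.
 * All function names here are hypothetical.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Remember fd's status flags in *saved and switch it to non-blocking. */
int
fd_set_nonblock_save(int fd, int *saved)
{
	int flags = fcntl(fd, F_GETFL);

	if (flags == -1)
		return -1;
	*saved = flags;
	if (flags & O_NONBLOCK)
		return 0;	/* already non-blocking; nothing to change */
	return fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ? -1 : 0;
}

/* Put back exactly the flags recorded by fd_set_nonblock_save(). */
int
fd_restore_flags(int fd, int saved)
{
	return fcntl(fd, F_SETFL, saved) == -1 ? -1 : 0;
}

/*
 * The defect fixed in 1.148: "restoring" by writing zero clears every
 * other status flag as well, e.g. O_APPEND on a log file shared with
 * the shell. Shown only for contrast with fd_restore_flags().
 */
int
fd_clobber_flags(int fd)
{
	return fcntl(fd, F_SETFL, 0) == -1 ? -1 : 0;
}

/* Current status flags of fd, or -1 on error. */
int
fd_get_flags(int fd)
{
	return fcntl(fd, F_GETFL);
}

/*
 * Demonstration helper: a scratch file opened in append mode, so the
 * descriptor carries an O_APPEND flag worth preserving. The name is
 * unlinked immediately; the open descriptor keeps the file alive.
 */
int
open_scratch_append(void)
{
	char path[] = "/tmp/fdflags.XXXXXX";
	int fd = mkstemp(path);

	if (fd == -1)
		return -1;
	close(fd);
	fd = open(path, O_WRONLY | O_APPEND);
	unlink(path);
	return fd;
}

int
main(void)
{
	int saved, fd = open_scratch_append();

	if (fd == -1 || fd_set_nonblock_save(fd, &saved) == -1)
		return 1;
	/* ... non-blocking I/O on fd would happen here ... */
	if (fd_restore_flags(fd, saved) == -1)
		return 1;
	close(fd);
	return 0;
}
```

Saving the full F_GETFL value rather than a single "was it blocking" bit is what makes the restore exact: the O_APPEND bit (and anything else the shell set on the shared descriptor) survives, whereas `fd_clobber_flags()` silently removes it.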


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.153 15-Nov-2023 djm

when deciding whether to enable keystroke timing obfuscation,
only consider enabling it when a channel with a tty is open.

Avoids turning on the obfucation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh


Revision tags: OPENBSD_7_4_BASE
# 1.152 04-Sep-2023 djm

make channel_output_poll() return a flag indicating whether channel
data was enqueued. Will be used to improve keystroke timing
obfuscation. Problem spotted by / tested by naddy@


# 1.151 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.150 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no file descriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now a u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and ttys (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
ControlPersist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote port forwarding with dynamically allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now a u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.151 04-Jul-2023 dlg

add support for unix domain sockets to ssh -W

ok djm@ dtucker@


# 1.150 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.150 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


Revision tags: OPENBSD_7_3_BASE
# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding
to specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.149 04-Mar-2023 dtucker

Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety. From Coverity CIDs 405197 and 405028, ok djm@


# 1.148 18-Jan-2023 djm

when restoring non-blocking mode to stdio fds, restore exactly
the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;

bz3523; ok dtucker@


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)
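The queue the 1.90 entry describes, as an added illustration written for this page and not OpenSSH's own code: one FIFO of confirmation callbacks per channel, drained in order as CHANNEL_SUCCESS/CHANNEL_FAILURE replies arrive (those messages, and the reply ordering the entry relies on, are in the connection protocol spec, RFC 4254), plus the abandonment path that runs when a channel is closed with replies still outstanding so the callbacks' state is released rather than leaked. The message numbers are the RFC 4254 ones; the class, method names and the "count and ignore an unsolicited reply" choice are this model's assumptions.

```python
from collections import deque

# Added illustration, not OpenSSH's own code: a per-channel queue of
# confirmation callbacks in the shape the 1.90 log entry describes.
# Requests sent with want_reply=true push a callback; replies drain the
# queue strictly in order; if the channel closes with replies still
# outstanding, the abandonment callbacks run so that whatever state the
# requests pinned is freed instead of leaking. Names other than the two
# RFC 4254 message numbers are this model's own.

SSH2_MSG_CHANNEL_SUCCESS = 99
SSH2_MSG_CHANNEL_FAILURE = 100


class ConfirmQueue:
    def __init__(self):
        self._pending = deque()
        self.unsolicited = 0   # replies that arrived with nothing waiting

    def request(self, name, on_reply, on_abandon=None):
        """Queue callbacks for a request that asked for a reply."""
        self._pending.append((name, on_reply, on_abandon))

    def reply(self, msg_type):
        """Deliver one SUCCESS/FAILURE reply to the oldest outstanding
        request. A reply with nothing pending is counted and ignored;
        that is this model's choice for a misbehaving peer."""
        if msg_type not in (SSH2_MSG_CHANNEL_SUCCESS, SSH2_MSG_CHANNEL_FAILURE):
            raise ValueError("not a channel status message: %d" % msg_type)
        if not self._pending:
            self.unsolicited += 1
            return None
        name, on_reply, _ = self._pending.popleft()
        return on_reply(name, msg_type == SSH2_MSG_CHANNEL_SUCCESS)

    def abandon_all(self):
        """Channel is going away: run the abandonment callback of every
        request that never got a reply. Returns the abandoned names."""
        abandoned = []
        while self._pending:
            name, _, on_abandon = self._pending.popleft()
            if on_abandon is not None:
                on_abandon(name)
            abandoned.append(name)
        return abandoned

    def outstanding(self):
        return len(self._pending)


def simulate():
    """Two requests in flight, one reply, then the channel closes."""
    log = []
    q = ConfirmQueue()
    q.request("pty-req",
              lambda n, ok: log.append((n, "ok" if ok else "failed")),
              lambda n: log.append((n, "abandoned")))
    q.request("x11-req",
              lambda n, ok: log.append((n, "ok" if ok else "failed")),
              lambda n: log.append((n, "abandoned")))
    q.reply(SSH2_MSG_CHANNEL_SUCCESS)   # answers pty-req, the oldest
    q.abandon_all()                     # x11-req never gets its reply
    q.reply(SSH2_MSG_CHANNEL_FAILURE)   # nothing is pending any more
    return log, q.unsolicited


if __name__ == "__main__":
    print(simulate())   # ([('pty-req', 'ok'), ('x11-req', 'abandoned')], 1)
```

The point of the abandonment path is the last sentence of the entry: without it, a peer that opens channels, sends requests and then closes the channel without ever replying would leave every queued callback (and what it references) allocated for the life of the connection.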


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
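A model of the PermitOpen decision as the entries above describe it (1.28 key option, 1.86 sshd_config directive with both layers having to allow, 1.110 "none", 1.108 the "localhost:*" wildcard), added here as an illustration and not OpenSSH's code. It assumes the "any"/"none"/host:port syntax with "*" as a wildcard host or port, bracketed IPv6 hosts, and exact string comparison of hosts; Match-block precedence, PermitListen and Unix-domain sockets are left out on purpose.

```python
# Added illustration, not OpenSSH's own code: a simplified model of how
# the two PermitOpen layers (sshd_config PermitOpen and the
# authorized_keys "permitopen" option) gate a direct-tcpip request.
# Syntax covered: "any", "none", and a space-separated list of host:port
# rules where host or port may be "*". Host comparison is exact string
# equality; that and every name below are this model's assumptions.

ANY = "any"
NONE = "none"


def parse_permitopen(spec):
    """Parse one PermitOpen value into ANY, NONE or a list of
    (host, port) rules; port is an int or "*"."""
    spec = spec.strip()
    if spec in (ANY, NONE):
        return spec
    rules = []
    for item in spec.split():
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port:
            raise ValueError("bad PermitOpen entry: %r" % item)
        if host.startswith("[") and host.endswith("]"):   # "[::1]:22"
            host = host[1:-1]
        if port != "*":
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError("bad port in PermitOpen entry: %r" % item)
        rules.append((host, port))
    if not rules:
        raise ValueError("empty PermitOpen value")
    return rules


def layer_permits(rules, host, port):
    """Does one PermitOpen layer allow host:port?"""
    if rules == ANY:
        return True
    if rules == NONE:
        return False
    return any((h == "*" or h == host) and (p == "*" or p == port)
               for h, p in rules)


def forward_permitted(host, port, sshd_config_rules=None,
                      key_option_rules=None):
    """Decide a direct-tcpip request. A layer passed as None is not
    configured and imposes no restriction; every configured layer must
    allow the destination, so a key option can only narrow what
    sshd_config allows, never widen it."""
    for rules in (sshd_config_rules, key_option_rules):
        if rules is not None and not layer_permits(rules, host, port):
            return False
    return True


if __name__ == "__main__":
    cfg = parse_permitopen("localhost:* 10.0.0.5:443")
    key = parse_permitopen("localhost:*")
    # sshd_config alone would allow 10.0.0.5:443; the key option vetoes it
    print(forward_permitted("10.0.0.5", 443, cfg, key))    # False
    print(forward_permitted("localhost", 8080, cfg, key))  # True
```

The two-layer rule is the practical takeaway: a per-key "permitopen" is a safe way to restrict one key further, but it cannot be used to grant a destination that the server-wide PermitOpen (or a Match block's) denies.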


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE.


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.147 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.146 06-Jan-2023 djm

Add channel_set_xtype()

This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker


# 1.145 06-Jan-2023 djm

Add channel_force_close()

This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker


# 1.144 06-Jan-2023 djm

replace manual poll/ppoll timeout math with ptimeout API

feedback markus / ok markus dtucker


Revision tags: OPENBSD_7_2_BASE
# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.143 05-May-2022 djm

channel_new no longer frees remote_name. So update the comment
accordingly. As remote_name is not modified, it can be const
as well. From Martin Vahlensieck


Revision tags: OPENBSD_7_1_BASE
# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. comsumes a little
bit more memory for slow receivers but increases througput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.142 30-Mar-2022 djm

fix poll() spin when a channel's output fd closes without data in the
channel buffer. Introduce more exact packing of channel fds into the
pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@
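
What the fix above has to get right, as an added example written for this page rather than ssh(1)'s own code: record the exact fcntl(F_GETFL) flags before setting O_NONBLOCK, and later put back exactly those flags, because writing zero would also clear other status flags such as O_APPEND. The helper names, the scratch file path under /tmp and the two demo scenarios are this example's own; the pipe demo reproduces the EAGAIN ("Resource temporarily unavailable") symptom quoted in the message.

```c
/*
 * Added example, not OpenSSH code: remember a descriptor's exact fcntl(F_GETFL)
 * flags before switching it to non-blocking mode, and put back exactly those
 * flags afterwards. fd_restore_clobber() is the behaviour being fixed: it
 * zeroes the status flags, which also strips O_APPEND.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

struct fd_state {
	int fd;
	int saved_flags;	/* status flags when fd_set_nonblock() was called */
};

/* Switch fd to non-blocking mode, recording its original flags. 0 or -1. */
int
fd_set_nonblock(struct fd_state *s, int fd)
{
	int flags;

	if ((flags = fcntl(fd, F_GETFL)) == -1)
		return -1;
	s->fd = fd;
	s->saved_flags = flags;
	if (flags & O_NONBLOCK)
		return 0;		/* already non-blocking: nothing to change */
	return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Restore exactly the flags recorded by fd_set_nonblock(). */
int
fd_restore_exact(const struct fd_state *s)
{
	return fcntl(s->fd, F_SETFL, s->saved_flags);
}

/* The pre-fix behaviour: clear every status flag, O_APPEND included. */
int
fd_restore_clobber(int fd)
{
	return fcntl(fd, F_SETFL, 0);
}

/*
 * Constructed demo: a scratch file opened with O_APPEND is made non-blocking
 * and then restored. Returns the status flags afterwards, masked to
 * O_APPEND|O_NONBLOCK, or -1 on error. The path is this example's own choice.
 */
int
flags_after_restore(int exact)
{
	char path[64];
	struct fd_state st;
	int fd, flags, rc;

	snprintf(path, sizeof(path), "/tmp/nonblock-demo.%ld", (long)getpid());
	if ((fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_APPEND, 0600)) == -1)
		return -1;
	unlink(path);
	if (fd_set_nonblock(&st, fd) == -1) {
		close(fd);
		return -1;
	}
	rc = exact ? fd_restore_exact(&st) : fd_restore_clobber(fd);
	flags = (rc == -1) ? -1 : fcntl(fd, F_GETFL);
	close(fd);
	return (flags == -1) ? -1 : (flags & (O_APPEND | O_NONBLOCK));
}

/*
 * Constructed demo of the symptom quoted above: once a pipe whose write end
 * was left non-blocking is full, write(2) fails with EAGAIN ("Resource
 * temporarily unavailable") instead of blocking. Returns that errno, or -1.
 */
int
errno_when_nonblocking_pipe_fills(void)
{
	int p[2], err;
	char buf[4096] = { 0 };
	struct fd_state st;
	ssize_t n;

	if (pipe(p) == -1)
		return -1;
	if (fd_set_nonblock(&st, p[1]) == -1) {
		close(p[0]);
		close(p[1]);
		return -1;
	}
	do {
		n = write(p[1], buf, sizeof(buf));
	} while (n > 0);
	err = (n == -1) ? errno : -1;
	close(p[0]);
	close(p[1]);
	return err;
}
```

The shell-script case in the message is the pipe demo with a second process attached: ssh exits with the shared stdout still non-blocking, and the next writer sees EAGAIN instead of being scheduled out until the reader drains the pipe.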


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@
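
The request that the client parses for ssh -D (1.30) and, with reverse dynamic forwarding (1.130), out of the forwarded channel's c->output is a SOCKS4 CONNECT: an 8-byte header (VN=4, CD=1, destination port, IPv4 address) followed by a NUL-terminated user id; SOCKS4a marks a hostname request with an address of 0.0.0.x (x nonzero) and appends the NUL-terminated hostname. The parser below is an added example written for this page, not OpenSSH's own SOCKS code. It tells an incomplete request apart from a malformed one, refuses BIND, and builds the 8-byte reply. The sample requests are constructed, and the 256-byte bound on the user id is this example's own defensive choice, not a protocol limit.

```c
/* Added example (not OpenSSH code): parse SOCKS4 and SOCKS4a CONNECT requests. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_VERSION		4
#define SOCKS4_CMD_CONNECT	1
#define SOCKS4_USERID_MAX	256	/* this example's bound, not a protocol limit */

struct socks4_req {
	char host[256];		/* dotted quad, or the hostname for SOCKS4a */
	uint16_t port;
	int is_4a;
};

/*
 * Parse a request from buf[0..len). Returns the number of bytes consumed,
 * 0 if the request is incomplete (the client may send it in pieces), or -1
 * if it is malformed or not a CONNECT.
 */
int
socks4_parse(const unsigned char *buf, size_t len, struct socks4_req *out)
{
	size_t i, hstart, hlen;
	uint32_t ip;

	if (len < 8)
		return 0;
	if (buf[0] != SOCKS4_VERSION || buf[1] != SOCKS4_CMD_CONNECT)
		return -1;			/* BIND and anything else: refuse */
	for (i = 8; i < len && buf[i] != '\0'; i++)
		;				/* user id runs to its NUL */
	if (i == len)
		return (len - 8 > SOCKS4_USERID_MAX) ? -1 : 0;
	i++;
	out->port = (uint16_t)((buf[2] << 8) | buf[3]);
	ip = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
	    ((uint32_t)buf[6] << 8) | buf[7];
	out->is_4a = (ip != 0 && (ip >> 8) == 0);	/* 0.0.0.x with x != 0 */
	if (!out->is_4a) {
		snprintf(out->host, sizeof(out->host), "%d.%d.%d.%d",
		    buf[4], buf[5], buf[6], buf[7]);
		return (int)i;
	}
	for (hstart = i; i < len && buf[i] != '\0'; i++)
		;				/* SOCKS4a hostname runs to its NUL */
	if (i == len)
		return 0;
	hlen = i - hstart;
	if (hlen == 0 || hlen >= sizeof(out->host))
		return -1;
	memcpy(out->host, buf + hstart, hlen);
	out->host[hlen] = '\0';
	return (int)i + 1;
}

/* Build the 8-byte reply: VN 0, CD 90 (granted) or 91 (rejected), port, address. */
size_t
socks4_reply(unsigned char rep[8], int granted, uint16_t port, const unsigned char ip[4])
{
	rep[0] = 0;
	rep[1] = granted ? 90 : 91;
	rep[2] = (unsigned char)(port >> 8);
	rep[3] = (unsigned char)(port & 0xff);
	memcpy(rep + 4, ip, 4);
	return 8;
}

/* Constructed sample requests, not captured traffic. */
static const unsigned char req_plain[] =
    { 4, 1, 0x00, 0x50, 127, 0, 0, 1, 'u', 's', 'e', 'r', 0 };		/* 127.0.0.1:80 */
static const unsigned char req_4a[] =
    { 4, 1, 0x01, 0xbb, 0, 0, 0, 1, 0,
      'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g', 0 };	/* example.org:443 */
static const unsigned char req_bind[] = { 4, 2, 0x00, 0x50, 127, 0, 0, 1, 0 };

static int
demo_run(int which, struct socks4_req *r)
{
	memset(r, 0, sizeof(*r));
	switch (which) {
	case 0: return socks4_parse(req_plain, sizeof(req_plain), r);
	case 1: return socks4_parse(req_4a, sizeof(req_4a), r);
	case 2: return socks4_parse(req_bind, sizeof(req_bind), r);
	case 3: return socks4_parse(req_plain, 10, r);	/* first 10 bytes only */
	default: return -1;
	}
}

int demo_consumed(int which) { struct socks4_req r; return demo_run(which, &r); }
int demo_port(int which) { struct socks4_req r; demo_run(which, &r); return r.port; }
int demo_is_4a(int which) { struct socks4_req r; demo_run(which, &r); return r.is_4a; }
int demo_host_is(int which, const char *h) { struct socks4_req r; demo_run(which, &r); return strcmp(r.host, h) == 0; }
int demo_reply_code(int granted) { unsigned char rep[8], ip[4] = { 0 }; socks4_reply(rep, granted, 80, ip); return rep[1]; }
```

The 0 return matters because the request may arrive in pieces: a parser that treated a missing NUL as an error would break clients that write the header and the user id separately, while one that waited without any bound would let a client tie up the buffer indefinitely.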


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
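
The matching rules these entries describe (1.28 permitopen key option, 1.86 sshd_config PermitOpen with both lists having to agree, 1.108 "localhost:*" wildcards, 1.110 "none"), as an added example written for this page rather than sshd's own implementation. It assumes plain host:port entries with a "*" port wildcard, a bare "none", and case-insensitive string comparison of hosts (no address resolution, no bracketed IPv6 form, and the "any" keyword is left out); the list capacity, names and scenario data are this example's own.

```c
/*
 * Added example, not OpenSSH code: the PermitOpen rules from the entries above.
 * An entry is "host:port"; the port may be "*"; the word "none" refuses every
 * destination; when both sshd_config and a key option carry a list, both must
 * allow the destination. Hosts compare as case-insensitive strings only.
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define PERMIT_ANY_PORT	0	/* stands for "*" */
#define PERMIT_MAX	16	/* this example's fixed capacity */

struct permit { char host[64]; int port; };
struct permit_list { struct permit p[PERMIT_MAX]; size_t n; int none; };

/* Case-insensitive string equality for host names; no resolution is done. */
static int host_eq(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == '\0' && *b == '\0';
}

/* Add one "host:port", "host:*" or "none" entry. 0, or -1 if unparsable. */
int permit_add(struct permit_list *l, const char *spec)
{
	const char *colon;
	char *end;
	size_t hlen;
	long port;

	if (strcmp(spec, "none") == 0) { l->none = 1; return 0; }
	if (l->n >= PERMIT_MAX || (colon = strrchr(spec, ':')) == NULL || colon == spec)
		return -1;
	hlen = (size_t)(colon - spec);
	if (hlen >= sizeof(l->p[0].host))
		return -1;
	if (strcmp(colon + 1, "*") == 0)
		port = PERMIT_ANY_PORT;
	else {
		port = strtol(colon + 1, &end, 10);
		if (end == colon + 1 || *end != '\0' || port < 1 || port > 65535)
			return -1;
	}
	memcpy(l->p[l->n].host, spec, hlen);
	l->p[l->n].host[hlen] = '\0';
	l->p[l->n].port = (int)port;
	l->n++;
	return 0;
}

/* 1 if host:port matches the list. An empty list (no PermitOpen at all) permits all. */
int permit_list_allows(const struct permit_list *l, const char *host, int port)
{
	size_t i;

	if (l->none)
		return 0;
	if (l->n == 0)
		return 1;
	for (i = 0; i < l->n; i++)
		if (host_eq(l->p[i].host, host) &&
		    (l->p[i].port == PERMIT_ANY_PORT || l->p[i].port == port))
			return 1;
	return 0;
}

/* sshd_config list and key-option list: both must allow. NULL means "no list". */
int forward_allowed(const struct permit_list *config,
    const struct permit_list *keyopt, const char *host, int port)
{
	if (config != NULL && !permit_list_allows(config, host, port))
		return 0;
	if (keyopt != NULL && !permit_list_allows(keyopt, host, port))
		return 0;
	return 1;
}

/* Constructed scenario: sshd_config "PermitOpen localhost:* 10.0.0.5:443",
 * key option permitopen="localhost:5432",permitopen="10.0.0.5:*". */
int demo_allowed(const char *host, int port)
{
	struct permit_list config = { .n = 0 }, keyopt = { .n = 0 };

	permit_add(&config, "localhost:*");
	permit_add(&config, "10.0.0.5:443");
	permit_add(&keyopt, "localhost:5432");
	permit_add(&keyopt, "10.0.0.5:*");
	return forward_allowed(&config, &keyopt, host, port);
}

/* Constructed: "PermitOpen none" in sshd_config and no key option. */
int demo_none_allowed(const char *host, int port)
{
	struct permit_list config = { .n = 0 };

	permit_add(&config, "none");
	return forward_allowed(&config, NULL, host, port);
}

/* 1 if spec parses as a PermitOpen entry, 0 otherwise. */
int permit_spec_valid(const char *spec)
{
	struct permit_list l = { .n = 0 };
	return permit_add(&l, spec) == 0;
}
```

With two lists the effective policy is their intersection: a destination the key option allows but sshd_config does not (or the reverse) is refused, which is what lets an administrator narrow a user's self-chosen permitopen= option without editing the key.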


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.
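
The accounting behind the window sizes discussed in 1.18, 1.64 and 1.89, together with the input-buffer cap from 1.135, as an added example written for this page rather than OpenSSH's channels.c. Each side advertises a window; the sender never emits more than the peer's remaining window; the receiver re-advertises with CHANNEL_WINDOW_ADJUST once it has drained more than half; and, independently of how large a window the peer advertises, data read from the local fd stops being buffered at the 16MB cap. The structure, names and demo values are this example's own, and the half-window adjust threshold and "drain immediately" receiver are simplifying assumptions.

```c
/*
 * Added example, not OpenSSH code: SSH2 channel flow control as a small state
 * machine. The sender never sends beyond the peer's window, the receiver
 * re-advertises once more than half is drained, buffered input is capped.
 */
#include <stddef.h>
#include <stdint.h>

#define CHAN_INPUT_CAP (16u * 1024u * 1024u)	/* the 16MB cap from 1.135 */

struct chan {
	uint32_t local_window;		/* bytes the peer may still send us */
	uint32_t local_window_max;	/* window we advertised at open */
	uint32_t local_consumed;	/* drained since our last WINDOW_ADJUST */
	uint32_t remote_window;		/* bytes we may still send the peer */
	size_t input_len;		/* read from the local fd, not yet sent */
};

void chan_init(struct chan *c, uint32_t local_window, uint32_t remote_window)
{
	*c = (struct chan){ .local_window = local_window,
	    .local_window_max = local_window, .remote_window = remote_window };
}

/* Buffer data read from the local fd; returns the bytes accepted, clipped at the cap. */
size_t chan_buffer_input(struct chan *c, size_t len)
{
	size_t space = c->input_len >= CHAN_INPUT_CAP ? 0 : CHAN_INPUT_CAP - c->input_len;
	if (len > space) len = space;
	c->input_len += len;
	return len;
}

/* Emit one CHANNEL_DATA, bounded by remote window, packet size and buffered input. */
uint32_t chan_send(struct chan *c, uint32_t max_packet)
{
	uint32_t n = c->remote_window;
	if (n > max_packet) n = max_packet;
	if (n > c->input_len) n = (uint32_t)c->input_len;
	c->remote_window -= n;
	c->input_len -= n;
	return n;
}

/* Peer's CHANNEL_WINDOW_ADJUST; -1 if the uint32 window would wrap. */
int chan_recv_window_adjust(struct chan *c, uint32_t add)
{
	if (add > UINT32_MAX - c->remote_window)
		return -1;
	c->remote_window += add;
	return 0;
}

/*
 * Peer's CHANNEL_DATA of len bytes, drained by the local consumer at once.
 * Returns -1 if it exceeds the window we advertised, otherwise the
 * WINDOW_ADJUST to send now (once less than half the window is left), or 0.
 */
int64_t chan_recv_data(struct chan *c, uint32_t len)
{
	uint32_t adjust;
	if (len > c->local_window)
		return -1;
	c->local_window -= len;
	c->local_consumed += len;
	if (c->local_window >= c->local_window_max / 2 || c->local_consumed == 0)
		return 0;
	adjust = c->local_consumed;
	c->local_window += adjust;
	c->local_consumed = 0;
	return adjust;
}

/* Constructed: 10000 bytes queued, peer window 4096 then +2000, 2048-byte packets. */
uint32_t demo_total_sent(void)
{
	struct chan c;
	uint32_t total = 0, n;
	chan_init(&c, 8192, 4096);
	chan_buffer_input(&c, 10000);
	while ((n = chan_send(&c, 2048)) > 0)
		total += n;		/* 4096, then the remote window is empty */
	if (chan_recv_window_adjust(&c, 2000) == 0)
		while ((n = chan_send(&c, 2048)) > 0)
			total += n;	/* 2000 more */
	return total;
}

/* Constructed: advertised 8192; the peer sends 4096 (no adjust yet), then 1024. */
int64_t demo_adjust_sent(void)
{
	struct chan c;
	chan_init(&c, 8192, 8192);
	if (chan_recv_data(&c, 4096) != 0)	/* exactly half left: nothing yet */
		return -2;
	return chan_recv_data(&c, 1024);	/* 3072 left: adjust by 5120 */
}

/* Constructed: a huge advertised window does not lift the input cap. */
size_t demo_accepted_at_cap(void)
{
	struct chan c;
	chan_init(&c, 8192, UINT32_MAX);
	chan_buffer_input(&c, CHAN_INPUT_CAP - 100);
	return chan_buffer_input(&c, 4096);	/* only 100 fit */
}
```

Two checks in the block are the ones that matter against a hostile or broken peer: chan_recv_window_adjust refuses an adjust that would wrap the 32-bit window, and chan_recv_data refuses data beyond what was advertised rather than silently buffering it.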


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.141 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@
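
The window accounting behind the 16MB input-buffer cap of 1.135 above, together with the uint32 channel ids this entry fixes, as an added example that is not OpenSSH's code. It follows the shape RFC 4254 section 5.2 gives SSH2 channel flow control: a sender may only emit what the peer's window and maximum packet size allow, a receiver rejects data beyond the window it granted, WINDOW_ADJUST re-credits consumed bytes, and reads from the local fd are bounded by a fixed cap rather than by whatever window the peer advertised. The refill threshold (half the window) and the sizes in channel_scenario() are this example's own choices.

```c
/*
 * Added example, not OpenSSH code: SSH2 channel flow control with
 * uint32 ids/windows and a fixed cap on locally buffered input.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHAN_INPUT_BUF_MAX	(16u * 1024 * 1024)	/* the 1.135 cap */

struct channel {
	uint32_t remote_id;		/* peer's id; may well be 0xffff0000 */
	uint32_t local_window;		/* bytes the peer may still send us */
	uint32_t local_window_max;
	uint32_t local_consumed;	/* received and handed off, not re-credited */
	uint32_t remote_window;		/* bytes we may still send the peer */
	uint32_t remote_maxpacket;
	size_t input_buffered;		/* read from our fd, waiting to be sent */
};

void
channel_init(struct channel *c, uint32_t remote_id, uint32_t local_window,
    uint32_t remote_window, uint32_t remote_maxpacket)
{
	memset(c, 0, sizeof(*c));
	c->remote_id = remote_id;
	c->local_window = c->local_window_max = local_window;
	c->remote_window = remote_window;
	c->remote_maxpacket = remote_maxpacket;
}

/* Room for fd reads: bounded by the cap, not by the peer's window, so a
 * large advertised window from a slow peer cannot make us buffer GBs. */
size_t
channel_input_space(const struct channel *c)
{
	return c->input_buffered >= CHAN_INPUT_BUF_MAX ?
	    0 : CHAN_INPUT_BUF_MAX - c->input_buffered;
}

/* Size of the CHANNEL_DATA we may send now out of `want` queued bytes;
 * 0 means wait for a WINDOW_ADJUST. Debits remote_window. */
uint32_t
channel_send(struct channel *c, size_t want)
{
	uint32_t n = c->remote_window;
	if (n > c->remote_maxpacket)
		n = c->remote_maxpacket;
	if ((size_t)n > want)
		n = (uint32_t)want;
	c->remote_window -= n;
	c->input_buffered -= (c->input_buffered < n) ? c->input_buffered : n;
	return n;
}

/* Peer sent CHANNEL_WINDOW_ADJUST; -1 if the window would overflow. */
int
channel_window_adjust_recv(struct channel *c, uint32_t add)
{
	if (add > UINT32_MAX - c->remote_window)
		return -1;
	c->remote_window += add;
	return 0;
}

/* Peer sent CHANNEL_DATA of len bytes; -1 if it exceeds the window it
 * was granted, which a compliant peer never does. */
int
channel_data_recv(struct channel *c, uint32_t len)
{
	if (len > c->local_window)
		return -1;
	c->local_window -= len;
	return 0;
}

/* We consumed n received bytes; returns the WINDOW_ADJUST amount to
 * send, re-crediting only once the window has dropped below half. */
uint32_t
channel_consume(struct channel *c, uint32_t n)
{
	uint32_t adjust;
	c->local_consumed += n;
	if (c->local_window >= c->local_window_max / 2)
		return 0;
	adjust = c->local_consumed;
	c->local_window += adjust;
	c->local_consumed = 0;
	return adjust;
}

/* One exchange end to end; returns 0, or the number of the failing step. */
int
channel_scenario(void)
{
	struct channel c;
	channel_init(&c, 0xffff0000u, 2097152, 1000, 400);
	c.input_buffered = 5000;
	if (c.remote_id != 0xffff0000u) return 1;	/* no sign flip in a u_int */
	if (channel_send(&c, 5000) != 400) return 2;	/* bounded by maxpacket */
	if (channel_send(&c, 5000) != 400) return 3;
	if (channel_send(&c, 5000) != 200) return 4;	/* bounded by window */
	if (channel_send(&c, 5000) != 0) return 5;	/* window exhausted */
	if (channel_window_adjust_recv(&c, 100) != 0) return 6;
	if (channel_send(&c, 5000) != 100) return 7;
	if (channel_window_adjust_recv(&c, UINT32_MAX) != 0) return 8;
	if (channel_window_adjust_recv(&c, 1) != -1) return 9;	/* overflow */
	if (channel_input_space(&c) != CHAN_INPUT_BUF_MAX - 3900) return 10;
	if (channel_data_recv(&c, 2097152) != 0) return 11;
	if (channel_data_recv(&c, 1) != -1) return 12;	/* peer over our window */
	if (channel_consume(&c, 1000000) != 1000000) return 13;
	if (channel_consume(&c, 48576) != 48576) return 14;
	if (channel_consume(&c, 10) != 0) return 15;	/* above half: no adjust */
	return 0;
}
```

channel_scenario() returns 0 when every step behaves; a non-zero value names the first rule that was broken. The overflow check in channel_window_adjust_recv() and the strict comparison in channel_data_recv() are the two places where a non-compliant peer is caught rather than silently accommodated.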


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (EMFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamically allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
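
A matcher for the PermitOpen-style lists that this entry, 1.87, 1.108 and 1.110 above describe, as an added example that is not OpenSSH's code: "host:port" pairs, the "*" port wildcard, the "none" keyword, and the rule that both the sshd_config list and the key option must allow a forward before it is permitted. The "any" keyword and bracketed IPv6 hosts are assumptions taken from sshd_config(5), not from this log; since the first PermitOpen keyword is the effective one, a single line is parsed here rather than several.

```c
/*
 * Added example, not OpenSSH code: PermitOpen-style host:port matching
 * with a port wildcard, "none"/"any", and config AND key-option checks.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PERMIT_MAX	32
#define PORT_ANY	(-1)		/* "*" in a spec */

struct permit { char host[256]; int port; };
struct permit_list {
	int none, any;			/* "none" refuses all; "any"/unset allows all */
	size_t n;
	struct permit e[PERMIT_MAX];
};

/* Parse "host:port", "[v6addr]:port" or "host:*". Returns 0 or -1. */
int
permit_parse(const char *spec, struct permit *p)
{
	const char *colon, *hend;
	size_t hlen;
	char *ep;
	long port;

	if (spec[0] == '[') {			/* [v6addr]:port */
		if ((hend = strchr(++spec, ']')) == NULL || hend[1] != ':')
			return -1;
		hlen = (size_t)(hend - spec);
		colon = hend + 1;
	} else {
		if ((colon = strrchr(spec, ':')) == NULL)
			return -1;
		hlen = (size_t)(colon - spec);
	}
	if (hlen == 0 || hlen >= sizeof(p->host))
		return -1;
	memcpy(p->host, spec, hlen);
	p->host[hlen] = '\0';
	if (strcmp(colon + 1, "*") == 0) {
		p->port = PORT_ANY;
		return 0;
	}
	port = strtol(colon + 1, &ep, 10);
	if (ep == colon + 1 || *ep != '\0' || port < 1 || port > 65535)
		return -1;
	p->port = (int)port;
	return 0;
}

/* Parse one whitespace-separated PermitOpen value; NULL or empty means
 * the keyword is unset, i.e. unrestricted. Returns 0, or -1 on a bad spec. */
int
permit_list_parse(const char *line, struct permit_list *pl)
{
	char buf[1024], *tok, *save;

	memset(pl, 0, sizeof(*pl));
	if (line == NULL || *line == '\0') {
		pl->any = 1;
		return 0;
	}
	if (strlen(line) >= sizeof(buf))
		return -1;
	strcpy(buf, line);
	for (tok = strtok_r(buf, " \t", &save); tok != NULL;
	    tok = strtok_r(NULL, " \t", &save)) {
		if (strcmp(tok, "none") == 0)
			pl->none = 1;
		else if (strcmp(tok, "any") == 0)
			pl->any = 1;
		else if (pl->n >= PERMIT_MAX ||
		    permit_parse(tok, &pl->e[pl->n++]) == -1)
			return -1;
	}
	return 0;
}

/* 1 if the list allows host:port, else 0. "none" beats everything. */
int
permit_list_allows(const struct permit_list *pl, const char *host, int port)
{
	size_t i;

	if (pl->none)
		return 0;
	if (pl->any)
		return 1;
	for (i = 0; i < pl->n; i++)
		if (strcmp(pl->e[i].host, host) == 0 &&
		    (pl->e[i].port == PORT_ANY || pl->e[i].port == port))
			return 1;
	return 0;
}

/* sshd_config PermitOpen and the key's permitopen must both allow the
 * forward; an unparsable policy fails closed. */
int
forward_allowed(const char *config_line, const char *key_line,
    const char *host, int port)
{
	struct permit_list cfg, key;

	if (permit_list_parse(config_line, &cfg) == -1 ||
	    permit_list_parse(key_line, &key) == -1)
		return 0;
	return permit_list_allows(&cfg, host, port) &&
	    permit_list_allows(&key, host, port);
}
```

With PermitOpen "localhost:* 10.0.0.5:443" in sshd_config and permitopen="localhost:8080 [::1]:*" on the key, a forward to localhost:8080 is allowed by both and goes through, localhost:22 passes the config wildcard but is refused by the key option, and 10.0.0.5:443 is refused for the same reason; with no key option at all the config list alone decides.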


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.
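
The request parsing that a -D dynamic forward needs, and that the 'reverse' variant in 1.130 above moves to the -R side, as an added example that is not OpenSSH's code: a SOCKS4/SOCKS4a CONNECT parser that works incrementally, because the request may arrive in pieces from the channel buffer, and is bounded, because the requester is an untrusted client. The userid length limit and the three sample requests are constructed for this example, not captured traffic.

```c
/*
 * Added example, not OpenSSH code: incremental, bounded parsing of a
 * SOCKS4/SOCKS4a CONNECT request as received on a dynamic forward.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS4_USERID_MAX	255	/* bound of this example's choosing */

struct socks4_req {
	uint16_t port;
	char	 host[256];	/* dotted quad, or the SOCKS4a hostname */
	size_t	 consumed;	/* request bytes to drop from the buffer */
};

/*
 * Returns 1 with a complete request parsed, 0 when more bytes are
 * needed, -1 when malformed (close the channel). Layout: VN=4, CD=1,
 * DSTPORT(2), DSTIP(4), USERID NUL; SOCKS4a (DSTIP 0.0.0.x, x != 0)
 * appends a NUL-terminated hostname.
 */
int
socks4_parse(const uint8_t *buf, size_t len, struct socks4_req *r)
{
	const uint8_t *nul;
	size_t off = 8, n;
	uint32_t ip;

	if (len < off)
		return 0;
	if (buf[0] != 4 || buf[1] != 1)		/* CONNECT only, no BIND */
		return -1;
	r->port = (uint16_t)((buf[2] << 8) | buf[3]);
	ip = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
	    ((uint32_t)buf[6] << 8) | buf[7];
	if ((nul = memchr(buf + off, '\0', len - off)) == NULL)
		return len - off > SOCKS4_USERID_MAX ? -1 : 0;
	off = (size_t)(nul - buf) + 1;
	if ((ip >> 8) == 0 && (ip & 0xff) != 0) {	/* SOCKS4a */
		if ((nul = memchr(buf + off, '\0', len - off)) == NULL)
			return len - off >= sizeof(r->host) ? -1 : 0;
		n = (size_t)(nul - (buf + off));
		if (n == 0 || n >= sizeof(r->host))
			return -1;
		memcpy(r->host, buf + off, n);
		r->host[n] = '\0';
		off += n + 1;
	} else
		snprintf(r->host, sizeof(r->host), "%d.%d.%d.%d",
		    buf[4], buf[5], buf[6], buf[7]);
	r->consumed = off;
	return 1;
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_connect[] =
    { 4, 1, 0x00, 0x50, 10, 0, 0, 5, 'u', 's', 'e', 'r', 0 };
static const uint8_t sample_4a[] =
    { 4, 1, 0x01, 0xbb, 0, 0, 0, 1, 0,
      'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm', 0 };
static const uint8_t sample_bad[] = { 5, 1, 0, 0x50, 10, 0, 0, 5 };

/* Verdict only, for checks that do not need the parsed fields. */
int
socks4_status(const uint8_t *buf, size_t len)
{
	struct socks4_req r;

	return socks4_parse(buf, len, &r);
}

/* Walk the samples; returns 0, or the number of the failing step. */
int
socks4_demo(void)
{
	struct socks4_req r;

	if (socks4_parse(sample_connect, sizeof(sample_connect), &r) != 1 ||
	    r.port != 80 || strcmp(r.host, "10.0.0.5") != 0 || r.consumed != 13)
		return 1;
	if (socks4_parse(sample_4a, sizeof(sample_4a), &r) != 1 ||
	    r.port != 443 || strcmp(r.host, "example.com") != 0 ||
	    r.consumed != sizeof(sample_4a))
		return 2;
	if (socks4_status(sample_connect, 5) != 0)	/* header incomplete */
		return 3;
	if (socks4_status(sample_connect, 11) != 0)	/* userid not yet terminated */
		return 4;
	if (socks4_status(sample_bad, sizeof(sample_bad)) != -1)
		return 5;
	return 0;
}
```

The caller keeps the bytes in the channel buffer until socks4_parse() returns 1, then drops `consumed` bytes, connects to host:port, and answers with the 8-byte SOCKS4 reply (VN=0, CD=90 for granted or 91 for rejected); a -1 closes the channel instead, since a client that cannot produce a valid request has nothing useful to say.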


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.140 06-Jan-2022 djm

convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months


# 1.139 06-Jan-2022 djm

prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus


Revision tags: OPENBSD_7_0_BASE
# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamically allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.138 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@


Revision tags: OPENBSD_6_9_BASE
# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.137 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.136 03-Apr-2021 djm

whitespace (tab after space)


Revision tags: OPENBSD_6_8_BASE
# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
a channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@
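The reverse dynamic forwarding entry above (and the original SOCKS4 -D support in 1.30 further down) both hinge on the same step: the ssh client has to parse a raw SOCKS request out of channel data before it knows where to connect. The following is an added example written for this page, not OpenSSH's code. It parses SOCKS4 and SOCKS4a CONNECT requests from a channel buffer that may arrive in fragments (returning None until the request is complete, and reporting how many bytes it consumed so any trailing payload stays in the buffer), and builds the 8-byte reply. The field layout is the SOCKS4/4a protocol's; the sample requests and the userid/hostname length caps are this example's own constructions and assumptions.

```python
"""Parser for SOCKS4/SOCKS4a CONNECT requests arriving over a channel.

Added example written for this page; it is not OpenSSH's code. It models
the job the 1.30 and 1.130 entries describe: the ssh client receives a raw
SOCKS request over a channel (-D, or the reverse dynamic -R form) and must
extract the destination before it can open the real connection. Channel
data arrives in arbitrary fragments, so the parser returns None while the
request is incomplete and, once complete, reports how many bytes it
consumed so any trailing payload stays in the buffer. The field layout is
the SOCKS4/4a protocol's; the length caps are this example's assumptions.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1
SOCKS4_REPLY_GRANTED = 90
SOCKS4_REPLY_REJECTED = 91
MAX_USERID = 255     # assumption: refuse to buffer an unbounded userid
MAX_HOSTNAME = 255   # assumption: same cap for the SOCKS4a hostname


class Socks4Error(ValueError):
    """Malformed or unsupported request; the caller should close the channel."""


@dataclass(frozen=True)
class Socks4Request:
    host: str        # dotted IPv4 address, or the SOCKS4a hostname
    port: int
    userid: bytes
    consumed: int    # bytes of the buffer that belonged to this request


def _read_cstring(buf: bytes, pos: int, limit: int, what: str) -> Optional[tuple[bytes, int]]:
    """Return (value, next_pos) for a NUL-terminated field, None if incomplete."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        if len(buf) - pos > limit:
            raise Socks4Error(f"{what} exceeds {limit} bytes without terminator")
        return None
    if end - pos > limit:
        raise Socks4Error(f"{what} exceeds {limit} bytes")
    return buf[pos:end], end + 1


def parse_socks4_connect(buf: bytes) -> Optional[Socks4Request]:
    """Parse one CONNECT request from the start of buf; None means need more data."""
    if len(buf) < 8:
        return None
    # Fixed header: VN, CD, DSTPORT (big-endian), DSTIP (4 raw bytes).
    vn, cd, port, ip = struct.unpack("!BBH4s", buf[:8])
    if vn != SOCKS4_VERSION:
        raise Socks4Error(f"unsupported SOCKS version {vn}")
    if cd != SOCKS4_CMD_CONNECT:
        raise Socks4Error(f"unsupported SOCKS4 command {cd}")
    if port == 0:
        raise Socks4Error("destination port 0")
    field = _read_cstring(buf, 8, MAX_USERID, "userid")
    if field is None:
        return None
    userid, pos = field
    # SOCKS4a: an address of the form 0.0.0.x (x != 0) means a hostname follows.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        field = _read_cstring(buf, pos, MAX_HOSTNAME, "hostname")
        if field is None:
            return None
        raw_host, pos = field
        if not raw_host or any(c <= 0x20 or c >= 0x7F for c in raw_host):
            raise Socks4Error("invalid SOCKS4a hostname")
        host = raw_host.decode("ascii")
    else:
        host = str(ipaddress.IPv4Address(ip))
    return Socks4Request(host, port, userid, pos)


def socks4_reply(granted: bool) -> bytes:
    """The 8-byte SOCKS4 reply: VN=0, CD=90 (granted) or 91 (rejected)."""
    code = SOCKS4_REPLY_GRANTED if granted else SOCKS4_REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00\x00\x00\x00")


if __name__ == "__main__":
    # Constructed sample: SOCKS4a CONNECT to example.org:443, followed by
    # the first bytes of the tunnelled payload.
    sample = b"\x04\x01\x01\xbb\x00\x00\x00\x01\x00example.org\x00GET / HTTP/1.0\r\n"
    req = parse_socks4_connect(sample)
    print(req, "payload:", sample[req.consumed:])
```

The caller feeds the channel's output buffer to parse_socks4_connect each time more data arrives, connects (or applies policy) once it gets a request back, drops the consumed prefix, and writes socks4_reply() back to the requester; a Socks4Error means the requester is not speaking SOCKS4 and the channel should be closed.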


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
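The PermitOpen entries on this page (1.86 adding the directive and the rule that both the server configuration and a key's "permitopen" option must allow a destination, 1.87 making the first PermitOpen line the effective one, 1.110 adding "none", and 1.108 above adding "localhost:*" wildcards) together define a small policy language. The following is an added example written for this page, not OpenSSH's own code: a model of that matching logic that a reviewer can use to check what a given sshd_config and authorized_keys combination will actually permit. It assumes hosts compare as exact, case-insensitive strings, that a missing directive means no restriction, and that the configuration passed in has already been reduced to the lines that apply to the connection (as sshd -T -C would print it, so Match handling is out of scope); the sample configuration is constructed.

```python
"""Model of sshd PermitOpen / authorized_keys permitopen matching.

Added example written for this page; it is not OpenSSH's own code. It
models the rules described in the 1.86, 1.87, 1.108 and 1.110 entries:
  * a value is a whitespace-separated list of host:port specs, with IPv6
    addresses written as [addr]:port;
  * "none" refuses every forwarding request;
  * the port part may be "*" to allow any port on that host;
  * with several PermitOpen lines in sshd_config the first one is the
    effective setting;
  * when both sshd_config and a key option apply, both must allow the
    destination.
Assumptions not stated on the page: hosts compare as exact,
case-insensitive strings; a missing directive means "no restriction";
Match blocks are assumed to be already resolved (sshd -T -C style).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermitEntry:
    host: str
    port: Optional[int]   # None stands for "*" (any port)


def parse_spec(spec: str) -> PermitEntry:
    """Parse one host:port spec, including the [ipv6]:port form."""
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0 or spec[close + 1:close + 2] != ":":
            raise ValueError(f"malformed IPv6 spec: {spec!r}")
        host, port_s = spec[1:close], spec[close + 2:]
    else:
        host, sep, port_s = spec.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in spec: {spec!r}")
    if not host:
        raise ValueError(f"missing host in spec: {spec!r}")
    if port_s == "*":
        return PermitEntry(host.lower(), None)
    port = int(port_s)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in spec: {spec!r}")
    return PermitEntry(host.lower(), port)


def parse_permitopen(value: Optional[str]) -> Optional[list[PermitEntry]]:
    """None -> unrestricted, [] -> "none" (refuse all), else the entry list."""
    if value is None:
        return None
    value = value.strip()
    if value.lower() == "none":
        return []
    return [parse_spec(tok) for tok in value.split()]


def effective_permitopen(sshd_config: str) -> Optional[str]:
    """Return the value of the first PermitOpen line (first match wins)."""
    for line in sshd_config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitopen":
            return parts[1].strip()
    return None


def entries_allow(entries: Optional[list[PermitEntry]], host: str, port: int) -> bool:
    """Unrestricted (None) allows everything; otherwise some entry must match."""
    if entries is None:
        return True
    host = host.lower()
    return any(e.host == host and e.port in (None, port) for e in entries)


def forward_permitted(sshd_config: str, key_option: Optional[str],
                      host: str, port: int) -> bool:
    """Both the server configuration and the key option must allow host:port."""
    cfg_entries = parse_permitopen(effective_permitopen(sshd_config))
    key_entries = parse_permitopen(key_option)
    return entries_allow(cfg_entries, host, port) and entries_allow(key_entries, host, port)


if __name__ == "__main__":
    # Constructed sample configuration: only the first PermitOpen line counts.
    config = "PermitOpen localhost:* db.internal:5432\nPermitOpen other.host:1\n"
    for dest in (("localhost", 6010), ("db.internal", 5432), ("other.host", 1)):
        print(dest, forward_permitted(config, "localhost:*", *dest))
```

Because the two policies intersect rather than merge, a key option can only narrow what sshd_config allows: in the sample above, a key restricted to localhost:* cannot reach db.internal:5432 even though the server configuration permits it.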


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only two specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so to be
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. comsumes a little
bit more memory for slow receivers but increases througput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shell's stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE.


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.135 20-Sep-2020 djm

cap channel input buffer size at 16MB; avoids high memory use when
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)

reported by Pierre-Yves David

fix with & ok markus@


# 1.134 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels functions (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. comsumes a little
bit more memory for slow receivers but increases througput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.133 25-Jan-2020 djm

add a comment describing the ranges of channel IDs that we use;
requested by markus@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.132 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamically allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@




# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channnel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.131 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.130 21-Sep-2017 markus

Add 'reverse' dynamic forwarding which combines dynamic forwarding
(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@


# 1.129 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping an SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@
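
As an added illustration of the u_int point above (example code written for this page, not OpenSSH's channel code; CHANNELS_MAX, the five-byte message layout and the function names are assumptions), the following C shows what goes wrong when the wire uint32 is narrowed to int before a bounds check, using the 0xffff0000 value the message mentions:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSH code: decode the uint32 "recipient channel"
 * that starts every SSH2 channel message (RFC 4254) and show why narrowing
 * it to a signed int breaks a bounds check. CHANNELS_MAX and the message
 * layout below are assumptions for the demonstration.
 */

#define CHANNELS_MAX 64 /* assumed size of the local channel table */

/* Constructed sample: message type byte followed by the big-endian
 * recipient channel 0xffff0000, which a peer is free to send. */
static const unsigned char hostile_msg[] = { 99, 0xff, 0xff, 0x00, 0x00 };
/* Constructed sample: the same message naming channel 3. */
static const unsigned char benign_msg[]  = { 99, 0x00, 0x00, 0x00, 0x03 };

/* Big-endian uint32, as sshbuf-style readers decode it. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Buggy lookup: the wire value is stored in an int. 0xffff0000 becomes
 * -65536 (implementation-defined, but that is what gcc and clang do), so a
 * check that only tests the upper bound accepts it and *idx is a negative
 * table index. Returns 1 if the message was accepted, 0 if rejected.
 */
static int lookup_signed(const unsigned char *msg, size_t len, int *idx)
{
    int id;

    if (len < 5)
        return 0;
    id = (int)get_u32(msg + 1);
    if (id >= CHANNELS_MAX)
        return 0;
    *idx = id;
    return 1;
}

/*
 * Hardened lookup: keep the id unsigned end to end; one comparison then
 * rejects both huge values and anything that would have wrapped negative.
 */
static int lookup_unsigned(const unsigned char *msg, size_t len, uint32_t *idx)
{
    uint32_t id;

    if (len < 5)
        return 0;
    id = get_u32(msg + 1);
    if (id >= CHANNELS_MAX)
        return 0;
    *idx = id;
    return 1;
}

int main(void)
{
    int s = -1;
    uint32_t u = 0;

    printf("signed:   accepted=%d idx=%d\n",
           lookup_signed(hostile_msg, sizeof hostile_msg, &s), s);
    printf("unsigned: accepted=%d\n",
           lookup_unsigned(hostile_msg, sizeof hostile_msg, &u));
    return 0;
}
```

The hardened variant is the shape the u_int change gives the real code: a value that cannot be negative needs only the upper-bound comparison, and the comparison is against the same unsigned type the wire format uses.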


# 1.128 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.127 30-Aug-2017 djm

pass packet state down to some of the channels function (more
to come...); ok markus@


# 1.126 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.125 26-May-2017 markus

remove SSH_CHANNEL_XXX_DRAINING (ssh1 only); ok djm@


# 1.124 26-May-2017 markus

remove channel_input_close_confirmation (ssh1 only); ok djm@


# 1.123 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.122 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.121 01-Feb-2017 dtucker

Return true reason for port forwarding failures where feasible rather
than always "administratively prohibited". bz#2674, ok djm@


# 1.120 18-Oct-2016 dtucker

Remove channel_input_port_forward_request(); the only caller was the
recently-removed SSH1 server code so it's now dead code. ok markus@


# 1.119 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.118 01-Jul-2015 djm

better refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires; reported by Jann Horn


# 1.117 08-May-2015 djm

moar whitespace at eol


Revision tags: OPENBSD_5_7_BASE
# 1.116 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.115 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.114 27-Jun-2014 markus

fix remote fwding with same listen port but different listen address
with gerhard@, ok djm@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.113 07-Jun-2013 dtucker

Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.


# 1.112 02-Jun-2013 dtucker

typo in comment


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.111 11-Apr-2012 djm

don't spin in accept() when out of fds (EMFILE/ENFILE) - back off for a
while; ok deraadt@ markus@


# 1.110 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.109 23-Sep-2011 markus

unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@


# 1.108 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


# 1.107 10-Sep-2011 markus

support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@


# 1.106 09-Sep-2011 djm

support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.105 22-Jun-2011 djm

hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.104 14-May-2010 djm

Pause the mux channel while waiting for reply from async callbacks.
Prevents misordering of replies if new requests arrive while waiting.

Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.

motivated by and with feedback from markus@


Revision tags: OPENBSD_4_7_BASE
# 1.103 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


# 1.102 11-Jan-2010 dtucker

Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single
port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@


# 1.101 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.100 11-Nov-2009 markus

fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@


# 1.99 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.98 12-Feb-2009 djm

support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@


# 1.97 22-Jan-2009 djm

make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@


Revision tags: OPENBSD_4_4_BASE
# 1.96 15-Jun-2008 djm

don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that the fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus


# 1.95 12-Jun-2008 djm

The multiplexing escape char handler commit last night introduced a
small memory leak per session; plug it.


# 1.94 12-Jun-2008 djm

Enable ~ escapes for multiplex slave sessions; give each channel
its own escape state and hook the escape filters up to muxed
channels. bz #1331

Mux slaves do not currently support the ~^Z and ~& escapes.

NB. this change cranks the mux protocol version, so a new ssh
mux client will not be able to connect to a running old ssh
mux master.

ok dtucker@


# 1.93 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.92 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.91 09-May-2008 djm

Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.

Reported by stig AT venaas.com in bz#343

great feedback and ok markus@


# 1.90 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)
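
The callback queue and the abandonment hook described in this message, as an added example in C (written for this page, not OpenSSH's implementation; the struct and function names are invented): replies are delivered to the oldest outstanding callback, and freeing the channel runs the abandonment hook for anything still queued, so a peer that closes without ever answering cannot make the process leak per-request state.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not OpenSSH's channels.c: a per-channel FIFO of
 * confirmation callbacks plus an abandonment callback that runs for every
 * entry still queued when the channel is freed. Names are invented.
 */

typedef void (*confirm_cb)(int success, void *ctx);
typedef void (*abandon_cb)(void *ctx);

struct chan_confirm {
    confirm_cb on_reply;      /* called with the peer's success/failure */
    abandon_cb on_abandon;    /* called if the channel dies first */
    void *ctx;
    struct chan_confirm *next;
};

struct channel {
    struct chan_confirm *head, *tail;   /* FIFO: replies are not reordered */
};

/* Queue a callback for a request whose reply is still outstanding. */
static int channel_register_confirm(struct channel *c, confirm_cb cb,
    abandon_cb ab, void *ctx)
{
    struct chan_confirm *e = calloc(1, sizeof *e);
    if (e == NULL)
        return -1;
    e->on_reply = cb;
    e->on_abandon = ab;
    e->ctx = ctx;
    if (c->tail == NULL)
        c->head = e;
    else
        c->tail->next = e;
    c->tail = e;
    return 0;
}

/* Pop the oldest entry; NULL when nothing is outstanding. */
static struct chan_confirm *dequeue(struct channel *c)
{
    struct chan_confirm *e = c->head;
    if (e != NULL) {
        c->head = e->next;
        if (c->head == NULL)
            c->tail = NULL;
    }
    return e;
}

/* Peer sent CHANNEL_SUCCESS/CHANNEL_FAILURE: deliver to the oldest waiter.
 * Returns 0, or -1 for an unsolicited reply (a protocol violation). */
static int channel_input_confirm(struct channel *c, int success)
{
    struct chan_confirm *e = dequeue(c);
    if (e == NULL)
        return -1;
    e->on_reply(success, e->ctx);
    free(e);
    return 0;
}

/* Channel closed: run the abandonment hook for every outstanding entry so
 * its state is released even though the peer never replied.
 * Returns the number of abandoned callbacks. */
static int channel_free_confirms(struct channel *c)
{
    struct chan_confirm *e;
    int n = 0;
    while ((e = dequeue(c)) != NULL) {
        if (e->on_abandon != NULL)
            e->on_abandon(e->ctx);
        free(e);
        n++;
    }
    return n;
}

/* Demo context: count deliveries and abandonments. */
struct stats { int ok, failed, abandoned; };
static void on_reply(int success, void *ctx)
{ struct stats *s = ctx; if (success) s->ok++; else s->failed++; }
static void on_abandon(void *ctx)
{ ((struct stats *)ctx)->abandoned++; }

/* Scenario: three requests sent, the peer answers two, then the channel
 * is closed without a reply to the third. */
static struct stats run_scenario(void)
{
    struct channel c = { NULL, NULL };
    struct stats s = { 0, 0, 0 };
    channel_register_confirm(&c, on_reply, on_abandon, &s);
    channel_register_confirm(&c, on_reply, on_abandon, &s);
    channel_register_confirm(&c, on_reply, on_abandon, &s);
    channel_input_confirm(&c, 1);
    channel_input_confirm(&c, 0);
    channel_free_confirms(&c);   /* third request is abandoned, not leaked */
    return s;
}

int main(void)
{
    struct stats s = run_scenario();
    printf("ok=%d failed=%d abandoned=%d\n", s.ok, s.failed, s.abandoned);
    return 0;
}
```

The unsolicited-reply case returns an error rather than touching a NULL entry; a real implementation would treat that as a protocol error from the peer.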


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.89 11-Jun-2007 markus

increase default channel windows; ok djm


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.88 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.87 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.86 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
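
The PermitOpen semantics collected in this message and in the 1.87, 1.108 and 1.110 entries above (a whitespace-separated list of host:port entries, "*" wildcards for host or port, "none", and the rule that both sshd_config and the key option must allow a target), as an added C example written for this page rather than taken from sshd; the function names are invented and hosts are compared as literal strings:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH's channels.c or servconf.c: a PermitOpen-style
 * check. The effective policy is "any", "none", or a whitespace-separated
 * list of host:port entries where either side may be "*"; IPv6 hosts are
 * written [addr]:port. A forward is allowed only if both the sshd_config
 * policy and the key's permitopen option allow it. Names are invented.
 */

/* Does one entry such as "localhost:*" or "[::1]:443" match host:port? */
static int permitopen_entry_matches(const char *entry, const char *host, int port)
{
    char h[256];
    const char *sep = strrchr(entry, ':');  /* split on the last ':' */
    const char *portstr;
    char *endp;
    long v;
    size_t hlen;

    if (sep == NULL || sep == entry)
        return 0;                            /* malformed: never matches */
    hlen = (size_t)(sep - entry);
    portstr = sep + 1;
    if (entry[0] == '[') {                   /* [ipv6]:port */
        if (hlen < 3 || entry[hlen - 1] != ']')
            return 0;
        entry++;
        hlen -= 2;
    }
    if (hlen >= sizeof h)
        return 0;
    memcpy(h, entry, hlen);
    h[hlen] = '\0';
    if (strcmp(h, "*") != 0 && strcmp(h, host) != 0)
        return 0;                            /* exact host comparison */
    if (strcmp(portstr, "*") == 0)
        return 1;
    v = strtol(portstr, &endp, 10);
    return *portstr != '\0' && *endp == '\0' && v >= 1 && v <= 65535 &&
        v == port;
}

/* Evaluate one effective policy; NULL means the setting was never given. */
static int permitopen_allows(const char *policy, const char *host, int port)
{
    char tok[256];
    const char *p;
    size_t n = 0;

    if (policy == NULL || strcmp(policy, "any") == 0)
        return 1;
    if (strcmp(policy, "none") == 0)
        return 0;
    for (p = policy; *p != '\0'; p += n) {
        p += strspn(p, " \t");
        if (*p == '\0')
            break;
        n = strcspn(p, " \t");
        if (n >= sizeof tok)
            return 0;                        /* oversized entry: refuse */
        memcpy(tok, p, n);
        tok[n] = '\0';
        if (permitopen_entry_matches(tok, host, port))
            return 1;
    }
    return 0;                                /* no entry matched: deny */
}

/* The decision for a direct-tcpip request: the server configuration and
 * the authorized_keys option must both agree. */
static int forward_allowed(const char *config_policy, const char *key_policy,
    const char *host, int port)
{
    return permitopen_allows(config_policy, host, port) &&
        permitopen_allows(key_policy, host, port);
}

int main(void)
{
    const char *cfg = "localhost:* [::1]:5900 192.0.2.10:443";
    const char *key = "localhost:8080";
    printf("localhost:8080 -> %d\n", forward_allowed(cfg, key, "localhost", 8080));
    printf("localhost:22   -> %d\n", forward_allowed(cfg, key, "localhost", 22));
    return 0;
}
```

The first-match rule from 1.87 applies one level up: it decides which PermitOpen line is the effective one when several could apply (for example through Match), and that single string is what permitopen_allows() receives.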


# 1.85 11-Jul-2006 markus

add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc


# 1.84 25-Mar-2006 djm

standardise spacing in $OpenBSD$ tags; requested by deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.83 30-Dec-2005 reyk

branches: 1.83.2;
add channel output filter interface.

ok djm@, suggested by markus@


# 1.82 12-Dec-2005 markus

make sure protocol messages for internal channels are ignored.
allow adjust messages for non-open channels; with and ok djm@


# 1.81 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


# 1.80 10-Oct-2005 djm

fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@


Revision tags: OPENBSD_3_8_BASE
# 1.79 17-Jul-2005 djm

branches: 1.79.2;
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@


# 1.78 08-Jul-2005 markus

race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor


# 1.77 16-Jun-2005 djm

move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd easier
later; ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.76 01-Mar-2005 djm

branches: 1.76.2;
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.75 29-Oct-2004 djm

fix some window size change bugs for multiplexed connections: window sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus


Revision tags: OPENBSD_3_6_BASE
# 1.74 11-Aug-2004 avsm

branches: 1.74.2;
some signed/unsigned int comparison cleanups; markus@ ok


# 1.73 13-Jun-2004 djm

implement session multiplexing in the client (the server has supported this
since 2.0); ok markus@


# 1.72 21-May-2004 djm

bz #756: add support for the cancel-tcpip-forward request for the server and
the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.71 23-Sep-2003 markus

branches: 1.71.2;
move client only agent code to clientloop.c


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.70 24-Jun-2002 markus

branches: 1.70.4; 1.70.6;
move channel counter to u_int


# 1.69 23-Jun-2002 deraadt

display, screen, row, col, xpixel, ypixel are u_int; markus ok


# 1.68 10-Jun-2002 markus

move creation of agent socket to session.c; no need for uidswapping
in channel.c.


Revision tags: OPENBSD_3_1_BASE
# 1.67 26-Mar-2002 markus

branches: 1.67.2;
CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too


# 1.66 25-Mar-2002 markus

don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.65 04-Mar-2002 stevesk

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files. ok markus@


# 1.64 14-Feb-2002 markus

increase the SSH v2 window size to 4 packets. consumes a little
bit more memory for slow receivers but increases throughput.


# 1.63 05-Feb-2002 markus

merge channel_request() into channel_request_start()


# 1.62 03-Feb-2002 markus

generic callbacks are not really used, remove and
add a callback for msg of type SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
ok djm@


# 1.61 03-Feb-2002 markus

remove unused channel_input_channel_request


# 1.60 16-Jan-2002 markus

wrapper for channel_setup_fwd_listener


# 1.59 14-Jan-2002 markus

(c) 2002


# 1.58 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.57 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.56 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.55 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.54 20-Dec-2001 markus

setup x11 listen socket for just one connect if the client requests so.
(v2 only, but the openssh client does not support this feature).


# 1.53 29-Nov-2001 stevesk

sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY
localhost:12.0
$ netstat -an|grep 6012
tcp 0 0 127.0.0.1.6012 *.* LISTEN
tcp6 0 0 ::1.6012 *.* LISTEN
sshd_config gatewayports=yes can be used to revert back to the old
behavior. will control this with another option later. ok markus@


# 1.52 29-Nov-2001 stevesk

remove dead function prototype; ok markus@


# 1.51 07-Nov-2001 markus

crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com


Revision tags: OPENBSD_3_0_BASE
# 1.50 10-Oct-2001 markus

branches: 1.50.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.49 09-Oct-2001 markus

simplify session close: no more delayed session_close, no more blocking wait() calls.


# 1.48 07-Oct-2001 markus

avoid possible FD_ISSET overflow for channels established
during channel_after_select() (used for dynamic channels).


# 1.47 01-Oct-2001 markus

remove ugliness; vp@drexel.edu via angelos


# 1.46 17-Sep-2001 markus

try to fix agent-forwarding-backconnection-bug, as seen on HPUX, for example;
with Lutz.Jaenicke@aet.TU-Cottbus.DE,


# 1.45 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.44 02-Jul-2001 markus

improve cleanup/exit logic in ssh2:
stop listening to channels, detach channel users (e.g. sessions).
wait for children (i.e. dying sessions), send exit messages,
cleanup all channels.


# 1.43 30-Jun-2001 stevesk

adress -> address; ok markus@


# 1.42 26-Jun-2001 markus

remove comments from .h, since they are cut&paste from the .c files
and out of sync


# 1.41 26-Jun-2001 itojun

prototype pedant. not very creative...
- () -> (void)
- no variable names


# 1.40 25-Jun-2001 markus

update copyright for 2001


# 1.39 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.38 16-Jun-2001 markus

bad //-style comment; thx to stevev@darkwing.uoregon.edu


# 1.37 04-Jun-2001 markus

switch uid when cleaning up tmp files and sockets; reported by zen-parse@gmx.net on bugtraq


# 1.36 03-Jun-2001 markus

use fatal_register_cleanup instead of atexit, sync with x11 authdir handling


# 1.35 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.34 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.33 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.32 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.31 13-Apr-2001 beck

branches: 1.31.2;
Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.30 07-Apr-2001 markus

allow the ssh client to act as a SOCKS4 proxy (dynamic local portforwarding).
work by Dan Kaminsky <dankamin@cisco.com> and me. thanks to Dan for this
great patch: use 'ssh -D 1080 host' and make netscape use localhost:1080 as
a socks proxy.
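
Both the -D SOCKS4 proxy introduced here and the reverse dynamic forwarding of 1.130 above need the same piece: a parser that takes whatever bytes have arrived so far and either yields a destination, asks for more, or rejects the request. As an added C example written for this page (not OpenSSH's channels.c; SOCKS5 and the reply sent back are omitted, and the names are invented), the following handles SOCKS4 and SOCKS4a CONNECT requests from a possibly incomplete buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH's channels.c: parse a SOCKS4/SOCKS4a CONNECT
 * request from a buffer that may still be incomplete. The same bytes are
 * parsed whether they came from the local socket (-D) or from the forwarded
 * channel's output buffer (reverse -R). Names are invented.
 */

#define SOCKS_HOST_MAX 255   /* assumed cap on a buffered hostname */

struct socks_req {
    char host[SOCKS_HOST_MAX + 1];  /* dotted quad or SOCKS4a hostname */
    uint16_t port;
    int is_hostname;                /* 1 when host came from SOCKS4a */
    size_t consumed;                /* bytes to discard from the buffer */
};

/*
 * Returns 1 when a complete request was parsed into *req, 0 when more
 * bytes are needed, -1 when the data is malformed (close the channel).
 * Layout: VN=4, CD=1, DSTPORT(2), DSTIP(4), USERID NUL; SOCKS4a signals a
 * hostname with DSTIP 0.0.0.x (x != 0) followed by the NUL-terminated name.
 */
static int socks4_parse(const unsigned char *buf, size_t len, struct socks_req *req)
{
    const unsigned char *end = buf + len, *p, *h;
    uint32_t ip;

    if (len >= 1 && buf[0] != 4)    /* fail fast: not SOCKS4 */
        return -1;
    if (len >= 2 && buf[1] != 1)    /* only CONNECT; BIND is refused */
        return -1;
    if (len < 9)                    /* header plus at least the USERID NUL */
        return 0;
    req->port = (uint16_t)((buf[2] << 8) | buf[3]);
    ip = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
         ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    if (req->port == 0)
        return -1;

    p = memchr(buf + 8, 0, len - 8);            /* end of USERID */
    if (p == NULL)
        return len - 8 > SOCKS_HOST_MAX ? -1 : 0; /* bound what we buffer */
    p++;

    if ((ip >> 8) == 0 && (ip & 0xff) != 0) {   /* SOCKS4a: hostname follows */
        h = memchr(p, 0, (size_t)(end - p));
        if (h == NULL)
            return (size_t)(end - p) > SOCKS_HOST_MAX ? -1 : 0;
        if (h == p || (size_t)(h - p) > SOCKS_HOST_MAX)
            return -1;                          /* empty or oversized name */
        memcpy(req->host, p, (size_t)(h - p));
        req->host[h - p] = '\0';
        req->is_hostname = 1;
        req->consumed = (size_t)(h + 1 - buf);
    } else {
        snprintf(req->host, sizeof req->host, "%u.%u.%u.%u",
                 (unsigned)buf[4], (unsigned)buf[5],
                 (unsigned)buf[6], (unsigned)buf[7]);
        req->is_hostname = 0;
        req->consumed = (size_t)(p - buf);
    }
    return 1;
}

/* Constructed samples. */
static const unsigned char socks4_to_ip[] = {   /* 10.0.0.1:80, user "bob" */
    4, 1, 0x00, 0x50, 10, 0, 0, 1, 'b', 'o', 'b', 0 };
static const unsigned char socks4a_to_name[] = { /* example.com:443 */
    4, 1, 0x01, 0xbb, 0, 0, 0, 1, 'b', 'o', 'b', 0,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm', 0 };
static const unsigned char not_socks4[] = { 5, 1, 0 }; /* a SOCKS5 greeting */

int main(void)
{
    struct socks_req r;
    if (socks4_parse(socks4a_to_name, sizeof socks4a_to_name, &r) == 1)
        printf("connect to %s:%u (consumed %zu bytes)\n",
               r.host, (unsigned)r.port, r.consumed);
    return 0;
}
```

The three-way return is the part that matters for a non-blocking channel: "need more" keeps the bytes buffered, while the bounded-length checks stop a client from making the process buffer an unterminated USERID or hostname forever.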


# 1.29 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.28 16-Mar-2001 markus

implement "permitopen" key option, restricts -L style forwarding to
specified host:port pairs. based on work by harlan@genua.de


# 1.27 15-Feb-2001 markus

genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.


# 1.26 31-Jan-2001 markus

do not disconnect if local port forwarding fails, e.g. if port is already in use


# 1.25 29-Jan-2001 markus

fix select overflow; ok deraadt@ and stevesk@


# 1.24 05-Dec-2000 markus

async connects for -R/-L; ok deraadt@


# 1.23 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.22 27-Oct-2000 markus

branches: 1.22.2;
deny agent/x11 forwarding unless requested; thanks to jwl@pobox.com


# 1.21 27-Oct-2000 markus

enable non-blocking IO on channels, and tty's (except for the client ttys).


# 1.20 21-Sep-2000 markus

add context to dispatch_run


# 1.19 07-Sep-2000 markus

some more Copyright fixes


# 1.18 07-Sep-2000 markus

cleanup window and packet sizes for ssh2 flow control; ok niels


# 1.17 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.16 19-Aug-2000 markus

more ~ support for ssh2


# 1.15 19-Aug-2000 markus

support for ~. in ssh2


# 1.14 20-Jun-2000 markus

OpenBSD tag


# 1.13 30-May-2000 markus

don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org


Revision tags: OPENBSD_2_7_BASE
# 1.12 03-May-2000 markus

branches: 1.12.2;
GatewayPorts for sshd, ok deraadt@


# 1.11 02-May-2000 markus

use c-style comments


# 1.10 28-Apr-2000 markus

support for x11-fwding, client+server


# 1.9 14-Apr-2000 markus

whitespace cleanup


# 1.8 03-Apr-2000 markus

channel layer support for ssh2


# 1.7 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.6 24-Nov-1999 markus

KNF, final part 3


# 1.5 24-Nov-1999 deraadt

much more KNF


# 1.4 28-Oct-1999 markus

remove broken x11 fix and document istate/ostate


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3
