wok annotate openssh/stuff/knock.u @ rev 21259

updated libmowgli and libmowgli-dev (2.0.0 -> 2.1.3)
author Hans-Günter Theisgen
date Fri Apr 12 11:33:57 2019 +0100 (2019-04-12)
parents fa77ea692592
children
pascal@20313 1 From https://gnunet.org/knock :
pascal@20313 2 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
pascal@20313 3 --- a/readconf.c
pascal@20313 4 +++ b/readconf.c
pascal@20877 5 @@ -173,6 +173,9 @@
pascal@20313 6 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
pascal@20313 7 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
pascal@20877 8 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
pascal@20313 9 +#ifdef TCP_STEALTH
pascal@20313 10 + oTCPStealthSecret,
pascal@20313 11 +#endif
pascal@20313 12 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
pascal@20313 13 } OpCodes;
pascal@20313 14
pascal@20877 15 @@ -309,6 +312,9 @@
pascal@20313 16 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
pascal@20313 17 { "ignoreunknown", oIgnoreUnknown },
pascal@20313 18 { "proxyjump", oProxyJump },
pascal@20313 19 +#ifdef TCP_STEALTH
pascal@20877 20 + oTCPStealthSecret,
pascal@20313 21 +#endif
pascal@20313 22
pascal@20313 23 { NULL, oBadOption }
pascal@20313 24 };
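Review bot: The added keyword-table line is a bare `oTCPStealthSecret,` while every neighbouring entry is a `{ "name", opcode }` pair, so the enum value lands in the `name` slot of a fresh element (an integer-to-pointer initialiser, with an opcode of 0) and nothing in the table ever matches the string "tcpstealthsecret"; the TCPStealthSecret client option that the ssh(1) text in this same patch calls the preferred way to supply the secret therefore cannot be parsed from ssh_config (the exact failure mode depends on how the table is searched, which is outside the hunk). The line should read `{ "tcpstealthsecret", oTCPStealthSecret },`, matching the servconf.c entry later in the patch. This one line is attributed to rev 20877 while its neighbours are from 20313, which suggests the pair was lost in a rebase.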
pascal@20877 25 @@ -1722,6 +1728,23 @@
pascal@20877 26 *charptr = xstrdup(arg);
pascal@20877 27 break;
pascal@20313 28
pascal@20313 29 +#ifdef TCP_STEALTH
pascal@20313 30 + case oTCPStealthSecret:
pascal@20313 31 + charptr = &options->tcp_stealth_secret;
pascal@20313 32 +
pascal@20313 33 + arg = strdelim(&s);
pascal@20313 34 + if (!arg || *arg == '\0')
pascal@20313 35 + fatal("%.200s line %d: Missing argument.",
pascal@20313 36 + filename, linenum);
pascal@20313 37 +
pascal@20313 38 + if (*activep && *charptr == NULL) {
pascal@20313 39 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 40 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 41 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
pascal@20313 42 + }
pascal@20313 43 +
pascal@20313 44 + break;
pascal@20313 45 +#endif
pascal@20313 46 case oDeprecated:
pascal@20313 47 debug("%s line %d: Deprecated option \"%s\"",
pascal@20313 48 filename, linenum, keyword);
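Review bot: The oTCPStealthSecret case truncates silently: strncpy copies at most TCP_STEALTH_SECRET_SIZE bytes and nothing tells the user that the tail of a longer TCPStealthSecret was discarded, so a mismatch with the server shows up only as a connection that never completes. Before the copy add `if (strlen(arg) > TCP_STEALTH_SECRET_SIZE) error("%.200s line %d: TCPStealthSecret longer than %d bytes, truncated.", filename, linenum, TCP_STEALTH_SECRET_SIZE);`. The xmalloc+memset pair can also become the single `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1)` that the ssh.c hunk of this patch uses, so every place builds the secret buffer the same way; the zero padding itself is what the man page promises and should stay. The enclosing parse function continues outside the hunk.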
pascal@20877 49 @@ -1926,6 +1949,9 @@
pascal@20313 50 options->update_hostkeys = -1;
pascal@20313 51 options->hostbased_key_types = NULL;
pascal@20313 52 options->pubkey_key_types = NULL;
pascal@20313 53 +#ifdef TCP_STEALTH
pascal@20313 54 + options->tcp_stealth_secret = NULL;
pascal@20313 55 +#endif
pascal@20313 56 }
pascal@20313 57
pascal@20313 58 /*
pascal@20313 59 --- a/readconf.h
pascal@20313 60 +++ b/readconf.h
pascal@20877 61 @@ -166,6 +166,10 @@
pascal@20313 62 char *jump_extra;
pascal@20313 63
pascal@20313 64 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
pascal@20313 65 +
pascal@20313 66 +#ifdef TCP_STEALTH
pascal@20313 67 + char *tcp_stealth_secret;
pascal@20313 68 +#endif
pascal@20313 69 } Options;
pascal@20313 70
pascal@20313 71 #define SSH_CANONICALISE_NO 0
pascal@20313 72 --- a/servconf.c
pascal@20313 73 +++ b/servconf.c
pascal@20877 74 @@ -180,6 +180,9 @@
pascal@20313 75 options->fingerprint_hash = -1;
pascal@20313 76 options->disable_forwarding = -1;
pascal@20313 77 options->expose_userauth_info = -1;
pascal@20313 78 +#ifdef TCP_STEALTH
pascal@20313 79 + options->tcp_stealth_secret = NULL;
pascal@20313 80 +#endif
pascal@20313 81 }
pascal@20313 82
pascal@20313 83 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
pascal@20877 84 @@ -497,6 +500,9 @@
pascal@20313 85 sStreamLocalBindMask, sStreamLocalBindUnlink,
pascal@20313 86 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
pascal@20877 87 sExposeAuthInfo, sRDomain,
pascal@20313 88 +#ifdef TCP_STEALTH
pascal@20313 89 + sTCPStealthSecret,
pascal@20313 90 +#endif
pascal@20313 91 sDeprecated, sIgnore, sUnsupported
pascal@20313 92 } ServerOpCodes;
pascal@20313 93
pascal@20877 94 @@ -645,6 +651,9 @@
pascal@20313 95 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
pascal@20877 96 { "rdomain", sRDomain, SSHCFG_ALL },
pascal@20877 97 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
pascal@20313 98 +#ifdef TCP_STEALTH
pascal@20313 99 + { "tcpstealthsecret", sTCPStealthSecret },
pascal@20313 100 +#endif
pascal@20313 101 { NULL, sBadOption, 0 }
pascal@20313 102 };
pascal@20313 103
pascal@20877 104 @@ -2149,6 +2158,23 @@
pascal@20877 105 *charptr = xstrdup(arg);
pascal@20877 106 break;
pascal@20313 107
pascal@20313 108 +#ifdef TCP_STEALTH
pascal@20313 109 + case sTCPStealthSecret:
pascal@20313 110 + charptr = &options->tcp_stealth_secret;
pascal@20313 111 +
pascal@20313 112 + arg = strdelim(&cp);
pascal@20313 113 + if (!arg || *arg == '\0')
pascal@20313 114 + fatal("%s line %d: Missing argument.",
pascal@20313 115 + filename, linenum);
pascal@20313 116 +
pascal@20313 117 + if (*activep && *charptr == NULL) {
pascal@20313 118 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 119 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 120 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
pascal@20313 121 + }
pascal@20313 122 +
pascal@20313 123 + break;
pascal@20313 124 +#endif
pascal@20313 125 case sDeprecated:
pascal@20313 126 case sIgnore:
pascal@20313 127 case sUnsupported:
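Review bot: As in readconf.c, the sTCPStealthSecret case drops everything past TCP_STEALTH_SECRET_SIZE bytes with no diagnostic; on the server that yields a listener that answers nobody and a log with nothing in it. Log the truncation before the strncpy, e.g. `if (strlen(arg) > TCP_STEALTH_SECRET_SIZE) error("%s line %d: TCPStealthSecret longer than %d bytes, truncated.", filename, linenum, TCP_STEALTH_SECRET_SIZE);`. Replacing xmalloc+memset with `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1)` keeps the two config parsers and the two -z handlers in this patch building the buffer identically. The enclosing parse function continues outside the hunk.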
pascal@20313 128 --- a/servconf.h
pascal@20313 129 +++ b/servconf.h
pascal@20877 130 @@ -210,6 +210,9 @@
pascal@20313 131 int fingerprint_hash;
pascal@20313 132 int expose_userauth_info;
pascal@20877 133 u_int64_t timing_secret;
pascal@20313 134 +#ifdef TCP_STEALTH
pascal@20313 135 + char *tcp_stealth_secret;
pascal@20313 136 +#endif
pascal@20313 137 } ServerOptions;
pascal@20313 138
pascal@20313 139 /* Information about the incoming connection as used by Match */
pascal@20877 140 @@ -232,6 +235,11 @@
pascal@20313 141 * NB. an option must appear in servconf.c:copy_set_server_options() or
pascal@20313 142 * COPY_MATCH_STRING_OPTS here but never both.
pascal@20313 143 */
pascal@20313 144 +#ifdef TCP_STEALTH
pascal@20313 145 +#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
pascal@20313 146 +#else
pascal@20313 147 +#define M_CP_STEALTHSCRT(X)
pascal@20313 148 +#endif
pascal@20313 149 #define COPY_MATCH_STRING_OPTS() do { \
pascal@20313 150 M_CP_STROPT(banner); \
pascal@20313 151 M_CP_STROPT(trusted_user_ca_keys); \
pascal@20877 152 @@ -255,6 +263,7 @@
pascal@20313 153 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
pascal@20877 154 M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
pascal@20877 155 M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
pascal@20313 156 + M_CP_STEALTHSCRT(tcp_stealth_secret); \
pascal@20313 157 } while (0)
pascal@20313 158
pascal@20313 159 struct connection_info *get_connection_info(int, int);
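Review bot: Adding tcp_stealth_secret to COPY_MATCH_STRING_OPTS implies the secret can be set per Match block, but the value is consumed by setsockopt on the listen sockets before any client connects (sshd.c hunk in this patch), so a Match-scoped value can never take effect and the copy is dead weight. If the keyword is marked SSHCFG_GLOBAL in servconf.c, this line and the M_CP_STEALTHSCRT wrapper can go; if it stays, a comment next to the macro should say that the copy exists only to satisfy the one-or-the-other rule in the comment above it and has no runtime effect. Minor: the macro body is `M_CP_STROPT(X);` and the invocation adds its own `;`, producing an empty statement; drop the semicolon inside the #define.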
pascal@20877 160 --- a/ssh.0
pascal@20877 161 +++ b/ssh.0
pascal@20877 162 @@ -9,8 +9,8 @@
pascal@20877 163 [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
pascal@20877 164 [-J destination] [-L address] [-l login_name] [-m mac_spec]
pascal@20877 165 [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
pascal@20877 166 - [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
pascal@20877 167 - [command]
pascal@20877 168 + [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
pascal@20877 169 + [-z tcp_stealth_secret] destination [command]
pascal@20313 170
pascal@20313 171 DESCRIPTION
pascal@20877 172 ssh (SSH client) is a program for logging into a remote machine and for
pascal@20877 173 @@ -436,6 +436,20 @@
pascal@20313 174
pascal@20313 175 -y Send log information using the syslog(3) system module. By
pascal@20313 176 default this information is sent to stderr.
pascal@20877 177 +
pascal@20313 178 + -z tcp_stealth_secret
pascal@20313 179 + Specifies the shared secret which is needed to connect to a stealth
pascal@20313 180 + SSH TCP server. Any string specified will be truncated to or padded
pascal@20313 181 + with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 182 + therefore only available if the required setsockopt() call is
pascal@20313 183 + available.
pascal@20313 184 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 185 + for details.
pascal@20313 186 +
pascal@20313 187 + IMPORTANT: This option should only be used for the purpose of
pascal@20313 188 + testing as other users could easily read out the secret from the
pascal@20313 189 + command line arguments. The TCPStealthSecret configuration option
pascal@20313 190 + is the preferred way of specifying the TCP Stealth secret.
pascal@20877 191
pascal@20313 192 ssh may additionally obtain configuration data from a per-user
pascal@20313 193 configuration file and a system-wide configuration file. The file format
pascal@20877 194 --- a/ssh.1
pascal@20877 195 +++ b/ssh.1
pascal@20313 196 @@ -64,6 +64,7 @@
pascal@20313 197 .Op Fl S Ar ctl_path
pascal@20313 198 .Op Fl W Ar host : Ns Ar port
pascal@20313 199 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
pascal@20313 200 +.Op Fl z Ar tcp_stealth_secret
pascal@20877 201 .Ar destination
pascal@20313 202 .Op Ar command
pascal@20877 203 .Sh DESCRIPTION
pascal@20877 204 @@ -536,6 +537,7 @@
pascal@20313 205 .It StreamLocalBindUnlink
pascal@20313 206 .It StrictHostKeyChecking
pascal@20313 207 .It TCPKeepAlive
pascal@20313 208 +.It TCPStealthSecret
pascal@20313 209 .It Tunnel
pascal@20313 210 .It TunnelDevice
pascal@20313 211 .It UpdateHostKeys
pascal@20877 212 @@ -795,6 +797,21 @@
pascal@20313 213 .Xr syslog 3
pascal@20313 214 system module.
pascal@20313 215 By default this information is sent to stderr.
pascal@20313 216 +.It Fl z Ar tcp_stealth_secret
pascal@20313 217 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
pascal@20313 218 +server. Any string specified will be truncated to or padded with zeroes to 64
pascal@20313 219 +bytes. This option needs kernel support and is therefore only available if the
pascal@20313 220 +required
pascal@20313 221 +.Xr setsockopt 2
pascal@20313 222 +call is available.
pascal@20313 223 +.Pp
pascal@20313 224 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 225 +.Pp
pascal@20313 226 +.Cm IMPORTANT:
pascal@20313 227 +This option should only be used for the purpose of testing as other users could
pascal@20313 228 +easily read out the secret from the command line arguments. The
pascal@20313 229 +.Cm TCPStealthSecret
pascal@20313 230 +configuration option is the preferred way of specifying the TCP Stealth secret.
pascal@20313 231 .El
pascal@20313 232 .Pp
pascal@20313 233 .Nm
pascal@20877 234 --- a/ssh.c
pascal@20877 235 +++ b/ssh.c
pascal@20877 236 @@ -190,6 +190,14 @@
pascal@20877 237 extern int muxserver_sock;
pascal@20877 238 extern u_int muxclient_command;
pascal@20313 239
pascal@20877 240 +#ifdef TCP_STEALTH
pascal@20877 241 +#define OPT_STEALTH "[-z tcp_stealth_secret] "
pascal@20877 242 +#define GETOPT_STEALTH "z:"
pascal@20877 243 +#else
pascal@20877 244 +#define OPT_STEALTH ""
pascal@20877 245 +#define GETOPT_STEALTH ""
pascal@20877 246 +#endif
pascal@20877 247 +
pascal@20877 248 /* Prints a help message to the user. This function never returns. */
pascal@20877 249
pascal@20877 250 static void
pascal@20877 251 @@ -202,7 +210,7 @@
pascal@20877 252 " [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
pascal@20877 253 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
pascal@20877 254 " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
pascal@20877 255 -" [-w local_tun[:remote_tun]] destination [command]\n"
pascal@20877 256 +" [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
pascal@20877 257 );
pascal@20877 258 exit(255);
pascal@20877 259 }
pascal@20877 260 @@ -657,7 +665,7 @@
pascal@20877 261
pascal@20877 262 again:
pascal@20877 263 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
pascal@20877 264 - "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
pascal@20877 265 + "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
pascal@20877 266 switch (opt) {
pascal@20877 267 case '1':
pascal@20877 268 fatal("SSH protocol v.1 is no longer supported");
pascal@20877 269 @@ -979,6 +987,14 @@
pascal@20877 270 case 'F':
pascal@20877 271 config = optarg;
pascal@20877 272 break;
pascal@20877 273 +#ifdef TCP_STEALTH
pascal@20877 274 + case 'z':
pascal@20877 275 + options.tcp_stealth_secret =
pascal@20877 276 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
pascal@20877 277 + strncpy(options.tcp_stealth_secret, optarg,
pascal@20877 278 + TCP_STEALTH_SECRET_SIZE);
pascal@20877 279 + break;
pascal@20877 280 +#endif
pascal@20877 281 default:
pascal@20877 282 usage();
pascal@20877 283 }
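Review bot: The `-z` case allocates a fresh buffer on every occurrence, so a repeated -z leaks the previous one, and strncpy silently drops anything past TCP_STEALTH_SECRET_SIZE bytes, so an operator who pastes a longer secret ends up with a different key than the server and no diagnostic. `free(options.tcp_stealth_secret);` before the xcalloc and `if (strlen(optarg) > TCP_STEALTH_SECRET_SIZE) error("-z: secret truncated to %d bytes", TCP_STEALTH_SECRET_SIZE);` address both. Since the ssh.1 text in this patch already concedes that the secret is visible in the command line, overwriting optarg after the copy (`explicit_bzero(optarg, strlen(optarg));`, if the compat layer provides it) would at least shorten the window in which /proc/<pid>/cmdline shows it; it cannot close that window entirely, so the man-page warning should stay.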
pascal@20877 284 --- a/ssh_config.0
pascal@20877 285 +++ b/ssh_config.0
pascal@20877 286 @@ -945,6 +945,15 @@
pascal@20313 287 To disable TCP keepalive messages, the value should be set to no.
pascal@20877 288 See also ServerAliveInterval for protocol-level keepalives.
pascal@20313 289
pascal@20313 290 + TCPStealthSecret
pascal@20313 291 + Specifies the shared secret which is needed to connect to a stealth
pascal@20313 292 + SSH TCP Server. Any string specified will be truncated to or padded
pascal@20313 293 + with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 294 + therefore only available if the required setsockopt() call is
pascal@20313 295 + available.
pascal@20313 296 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 297 + for details.
pascal@20313 298 +
pascal@20313 299 Tunnel Request tun(4) device forwarding between the client and the
pascal@20313 300 server. The argument must be yes, point-to-point (layer 3),
pascal@20313 301 ethernet (layer 2), or no (the default). Specifying yes requests
pascal@20877 302 --- a/ssh_config.5
pascal@20877 303 +++ b/ssh_config.5
pascal@20877 304 @@ -1548,6 +1548,15 @@
pascal@20877 305 See also
pascal@20877 306 .Cm ServerAliveInterval
pascal@20877 307 for protocol-level keepalives.
pascal@20877 308 +.It Cm TCPStealthSecret
pascal@20877 309 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
pascal@20877 310 +Server. Any string specified will be truncated to or padded with zeroes to 64
pascal@20877 311 +bytes. This option needs kernel support and is therefore only available if the
pascal@20877 312 +required
pascal@20877 313 +.Xr setsockopt 2
pascal@20877 314 +call is available.
pascal@20877 315 +.Pp
pascal@20877 316 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20877 317 .It Cm Tunnel
pascal@20877 318 Request
pascal@20877 319 .Xr tun 4
pascal@20877 320 --- a/sshconnect.c
pascal@20877 321 +++ b/sshconnect.c
pascal@20877 322 @@ -349,6 +349,18 @@
pascal@20313 323 }
pascal@20313 324 fcntl(sock, F_SETFD, FD_CLOEXEC);
pascal@20313 325
pascal@20313 326 +#ifdef TCP_STEALTH
pascal@20313 327 + if (options.tcp_stealth_secret) {
pascal@20313 328 + if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
pascal@20313 329 + options.tcp_stealth_secret,
pascal@20313 330 + TCP_STEALTH_SECRET_SIZE) == -1) {
pascal@20313 331 + error("setsockopt TCP_STEALTH: %s", strerror(errno));
pascal@20313 332 + close(sock);
pascal@20313 333 + return -1;
pascal@20313 334 + }
pascal@20313 335 + }
pascal@20313 336 +#endif
pascal@20313 337 +
pascal@20313 338 /* Bind the socket to an alternative local IP address */
pascal@20877 339 if (options.bind_address == NULL && options.bind_interface == NULL)
pascal@20313 340 return sock;
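Review bot: The stealth option is applied only to the socket created in this function, so when a ProxyCommand or ProxyJump does the connecting the secret from TCPStealthSecret or -z is never applied to the TCP connection that actually reaches the server; the hunk header does not name the function, so this is inferred from the setsockopt sitting next to the bind-address handling. If that holds, a comment at the top of the new block, `/* TCP_STEALTH must be set before connect(); it has no effect when a ProxyCommand/ProxyJump does the connecting */`, would document the limitation, and the ssh_config.5 text in this patch should say the same. Failing closed with close()/return -1 when setsockopt fails is the right choice here and is what the sshd side of the patch should mirror.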
pascal@20877 341 --- a/sshd.0
pascal@20877 342 +++ b/sshd.0
pascal@20877 343 @@ -7,6 +7,7 @@
pascal@20877 344 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
pascal@20877 345 [-E log_file] [-f config_file] [-g login_grace_time]
pascal@20877 346 [-h host_key_file] [-o option] [-p port] [-u len]
pascal@20877 347 + [-z tcp_stealth_secret]
pascal@20877 348
pascal@20877 349 DESCRIPTION
pascal@20877 350 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
pascal@20877 351 @@ -122,6 +123,20 @@
pascal@20877 352 from="pattern-list" option in a key file. Configuration options
pascal@20877 353 that require DNS include using a USER@HOST pattern in AllowUsers
pascal@20877 354 or DenyUsers.
pascal@20877 355 + -z tcp_stealth_secret
pascal@20877 356 + Turns this SSH server into a Stealth SSH TCP Server. This option
pascal@20877 357 + specifies the shared secret which is needed by the clients in order
pascal@20877 358 + to be able to connect to the port the SSH server is listening on.
pascal@20877 359 + Any string specified will be truncated or padded with zeroes to 64
pascal@20877 360 + bytes. This option needs kernel support and is therefore only
pascal@20877 361 + available if the required setsockopt() call is available.
pascal@20877 362 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20877 363 + for details.
pascal@20877 364 +
pascal@20877 365 + IMPORTANT: This option should only be used for the purpose of
pascal@20877 366 + testing as other users could easily read out the secret from the
pascal@20877 367 + command line arguments. The TCPStealthSecret configuration option
pascal@20877 368 + is the preferred way of specifying the TCP Stealth secret.
pascal@20877 369
pascal@20877 370 AUTHENTICATION
pascal@20877 371 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
pascal@20877 372 --- a/sshd.8
pascal@20877 373 +++ b/sshd.8
pascal@20313 374 @@ -53,6 +53,7 @@
pascal@20313 375 .Op Fl o Ar option
pascal@20313 376 .Op Fl p Ar port
pascal@20313 377 .Op Fl u Ar len
pascal@20313 378 +.Op Fl z Ar tcp_stealth_secret
pascal@20313 379 .Ek
pascal@20313 380 .Sh DESCRIPTION
pascal@20313 381 .Nm
pascal@20877 382 @@ -244,6 +245,24 @@
pascal@20313 383 .Cm AllowUsers
pascal@20313 384 or
pascal@20313 385 .Cm DenyUsers .
pascal@20313 386 +.It Fl z Ar tcp_stealth_secret
pascal@20313 387 +Turns this SSH server into a stealth SSH TCP server. This option specifies the
pascal@20313 388 +shared secret which is needed by the clients in order to be able to connect to
pascal@20313 389 +the port the SSH server is listening on. Any string specified will be truncated
pascal@20313 390 +or padded with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 391 +therefore only available if the required
pascal@20313 392 +.Xr setsockopt 2
pascal@20313 393 +call is available.
pascal@20313 394 +.Pp
pascal@20313 395 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 396 +
pascal@20313 397 +.Cm IMPORTANT:
pascal@20313 398 +This option should only be used for the purpose of
pascal@20313 399 +testing as other users could easily read out the secret from the
pascal@20313 400 +command line arguments. The
pascal@20313 401 +.Cm TCPStealthSecret
pascal@20313 402 +configuration option
pascal@20313 403 +is the preferred way of specifying the TCP Stealth secret.
pascal@20313 404 .El
pascal@20313 405 .Sh AUTHENTICATION
pascal@20313 406 The OpenSSH SSH daemon supports SSH protocol 2 only.
pascal@20877 407 --- a/sshd.c
pascal@20877 408 +++ b/sshd.c
pascal@20877 409 @@ -911,6 +911,14 @@
pascal@20877 410 return (r < p) ? 1 : 0;
pascal@20877 411 }
pascal@20877 412
pascal@20877 413 +#ifdef TCP_STEALTH
pascal@20877 414 +#define OPT_STEALTH " [-z tcp_stealth_secret]"
pascal@20877 415 +#define GETOPT_STEALTH "z:"
pascal@20877 416 +#else
pascal@20877 417 +#define OPT_STEALTH ""
pascal@20877 418 +#define GETOPT_STEALTH ""
pascal@20877 419 +#endif
pascal@20877 420 +
pascal@20877 421 static void
pascal@20877 422 usage(void)
pascal@20877 423 {
pascal@20877 424 @@ -926,6 +934,7 @@
pascal@20877 425 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
pascal@20877 426 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
pascal@20877 427 " [-h host_key_file] [-o option] [-p port] [-u len]\n"
pascal@20877 428 +" " OPT_STEALTH "\n"
pascal@20877 429 );
pascal@20877 430 exit(1);
pascal@20877 431 }
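Review bot: `" " OPT_STEALTH "\n"` in usage() prints a line consisting of a lone space when TCP_STEALTH is not defined (OPT_STEALTH is then ""), and a doubled leading blank when it is, since OPT_STEALTH already begins with a space. Folding the whole line into the macro avoids both: define it as `"       [-z tcp_stealth_secret]\n"` (indented like the other continuation lines) with `""` in the #else branch earlier in this file, and append just `OPT_STEALTH` to the usage string with no surrounding literals. The ssh.c counterpart splices OPT_STEALTH mid-line and does not have this problem.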
pascal@20877 432 @@ -1075,6 +1084,16 @@
pascal@20877 433 continue;
pascal@20877 434 }
pascal@20877 435
pascal@20877 436 +#ifdef TCP_STEALTH
pascal@20877 437 + if (options.tcp_stealth_secret != NULL) {
pascal@20877 438 + if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
pascal@20877 439 + options.tcp_stealth_secret,
pascal@20877 440 + TCP_STEALTH_SECRET_SIZE) == -1)
pascal@20877 441 + error("setsockopt TCP_STEALTH: %s",
pascal@20877 442 + strerror(errno));
pascal@20877 443 + }
pascal@20877 444 +#endif
pascal@20877 445 +
pascal@20877 446 /* Only communicate in IPv6 over AF_INET6 sockets. */
pascal@20877 447 if (ai->ai_family == AF_INET6)
pascal@20877 448 sock_set_v6only(listen_sock);
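Review bot: When setsockopt(TCP_STEALTH) fails on a listen socket the new block only logs with error() and falls through to bind and listen, so an sshd configured to be stealth comes up as an ordinary, scannable listener, which is exactly the condition the option exists to prevent and the opposite of what the client side of this patch does (close and return -1). A configured secret that cannot be applied should fail closed; the surrounding loop appears to handle unusable sockets with close-and-continue for bind failures (outside the hunk), so the same shape fits here: `error("setsockopt TCP_STEALTH: %s", strerror(errno)); close(listen_sock); continue;`, leaving the existing no-listen-sockets check, if present, to abort when none could be set up. Whether TCP_STEALTH must be set before bind()/listen() is not visible here; if it must, the placement ahead of the AF_INET6 handling is right and deserves a one-line comment saying so.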
pascal@20877 449 @@ -1515,7 +1534,7 @@
pascal@20877 450
pascal@20877 451 /* Parse command-line arguments. */
pascal@20877 452 while ((opt = getopt(ac, av,
pascal@20877 453 - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
pascal@20877 454 + GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
pascal@20877 455 switch (opt) {
pascal@20877 456 case '4':
pascal@20877 457 options.address_family = AF_INET;
pascal@20877 458 @@ -1616,6 +1635,14 @@
pascal@20877 459 exit(1);
pascal@20877 460 free(line);
pascal@20877 461 break;
pascal@20877 462 +#ifdef TCP_STEALTH
pascal@20877 463 + case 'z':
pascal@20877 464 + options.tcp_stealth_secret =
pascal@20877 465 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
pascal@20877 466 + strncpy(options.tcp_stealth_secret, optarg,
pascal@20877 467 + TCP_STEALTH_SECRET_SIZE);
pascal@20877 468 + break;
pascal@20877 469 +#endif
pascal@20877 470 case '?':
pascal@20877 471 default:
pascal@20877 472 usage();
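Review bot: Same handling as the client's -z: a second -z leaks the first buffer and an over-long secret is truncated without notice, which for a daemon that then runs for months means a listener nobody can reach and no log line explaining why. Add `free(options.tcp_stealth_secret);` before the xcalloc and warn when `strlen(optarg) > TCP_STEALTH_SECRET_SIZE`. This case runs before the configuration file is parsed, and the servconf.c case in this patch only assigns when the field is still NULL, so -z takes precedence over TCPStealthSecret; that appears consistent with how other sshd command-line options behave, but a comment here, `/* -z wins over TCPStealthSecret in sshd_config: servconf only fills a NULL field */`, saves the next reader the cross-check.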
pascal@20877 473 --- a/sshd_config.0
pascal@20877 474 +++ b/sshd_config.0
pascal@20877 475 @@ -937,6 +937,19 @@
pascal@20313 476
pascal@20313 477 To disable TCP keepalive messages, the value should be set to no.
pascal@20313 478
pascal@20313 479 + TCPStealthSecret
pascal@20313 480 + Turns this SSH server into a stealth SSH TCP server. This
pascal@20313 481 + configuration option specifies the shared secret needed by the
pascal@20313 482 + clients in order to be able to connect to the port the SSH server
pascal@20313 483 + is listening on. This means that port scanners will receive a
pascal@20313 484 + TCP RST and thus will not recognize this TCP port being open.
pascal@20313 485 +
pascal@20313 486 + Any string specified will be truncated or padded with zeroes to 64
pascal@20313 487 + bytes. This option needs kernel support and is therefore only
pascal@20313 488 + available if the required setsockopt() call is available.
pascal@20313 489 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 490 + for details.
pascal@20313 491 +
pascal@20313 492 TrustedUserCAKeys
pascal@20313 493 Specifies a file containing public keys of certificate
pascal@20313 494 authorities that are trusted to sign user certificates for
pascal@20877 495 --- a/sshd_config.5
pascal@20877 496 +++ b/sshd_config.5
pascal@20877 497 @@ -1567,6 +1567,18 @@
pascal@20877 498 .Pp
pascal@20877 499 To disable TCP keepalive messages, the value should be set to
pascal@20877 500 .Cm no .
pascal@20877 501 +.It Cm TCPStealthSecret
pascal@20877 502 +Turns this SSH server into a stealth SSH TCP server. This configuration option
pascal@20877 503 +specifies the shared secret needed by the clients in order to be able to connect
pascal@20877 504 +to the port the SSH server is listening on. This means that port scanners will
pascal@20877 505 +receive a TCP RST and thus will not recognize this TCP port being open. Any
pascal@20877 506 +string specified will be truncated or padded with zeroes to 64 bytes. This
pascal@20877 507 +option needs kernel support and is therefore only available if the required
pascal@20877 508 +.Xr setsockopt 2
pascal@20877 509 +call is available.
pascal@20877 510 +.Pp
pascal@20877 511 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20877 512 +
pascal@20877 513 .It Cm TrustedUserCAKeys
pascal@20877 514 Specifies a file containing public keys of certificate authorities that are
pascal@20877 515 trusted to sign user certificates for authentication, or