wok annotate openssh/stuff/knock.u @ rev 20313

linux, openssh: add tcp_stealth patch
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri May 18 13:47:33 2018 +0200 (2018-05-18)
pascal@20313 1 From https://gnunet.org/knock :
pascal@20313 2 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
pascal@20313 3 --- a/readconf.c
pascal@20313 4 +++ b/readconf.c
pascal@20313 5 @@ -172,6 +172,9 @@
pascal@20313 6 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
pascal@20313 7 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
pascal@20313 8 oPubkeyAcceptedKeyTypes, oProxyJump,
pascal@20313 9 +#ifdef TCP_STEALTH
pascal@20313 10 + oTCPStealthSecret,
pascal@20313 11 +#endif
pascal@20313 12 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
pascal@20313 13 } OpCodes;
pascal@20313 14
pascal@20313 15 @@ -305,6 +308,9 @@
pascal@20313 16 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
pascal@20313 17 { "ignoreunknown", oIgnoreUnknown },
pascal@20313 18 { "proxyjump", oProxyJump },
pascal@20313 19 +#ifdef TCP_STEALTH
pascal@20313 20 + { "tcpstealthsecret", oTCPStealthSecret },
pascal@20313 21 +#endif
pascal@20313 22
pascal@20313 23 { NULL, oBadOption }
pascal@20313 24 };
pascal@20313 25 @@ -1669,6 +1675,23 @@
pascal@20313 26 charptr = &options->identity_agent;
pascal@20313 27 goto parse_string;
pascal@20313 28
pascal@20313 29 +#ifdef TCP_STEALTH
pascal@20313 30 + case oTCPStealthSecret:
pascal@20313 31 + charptr = &options->tcp_stealth_secret;
pascal@20313 32 +
pascal@20313 33 + arg = strdelim(&s);
pascal@20313 34 + if (!arg || *arg == '\0')
pascal@20313 35 + fatal("%.200s line %d: Missing argument.",
pascal@20313 36 + filename, linenum);
pascal@20313 37 +
pascal@20313 38 + if (*activep && *charptr == NULL) {
pascal@20313 39 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 40 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 41 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
pascal@20313 42 + }
pascal@20313 43 +
pascal@20313 44 + break;
pascal@20313 45 +#endif
pascal@20313 46 case oDeprecated:
pascal@20313 47 debug("%s line %d: Deprecated option \"%s\"",
pascal@20313 48 filename, linenum, keyword);
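Review bot: The two-step allocation at `*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);` followed by `memset(*charptr, 0x00, ...)` can be the single call `*charptr = xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1);`, which is the form the `-z` handler in ssh.c of this same patch already uses; the twin `case sTCPStealthSecret:` block in servconf.c has the identical pattern. The zero-filled tail is what makes the following `strncpy` safe, and that is worth saying at the allocation, e.g. `/* zero-filled: strncpy's truncation leaves a NUL terminator and the zero padding the kernel expects */`. Silent truncation to TCP_STEALTH_SECRET_SIZE is documented in the man pages, but a `debug()` line when `strlen(arg) > TCP_STEALTH_SECRET_SIZE` would make a mis-set secret easier to diagnose without logging its value. The enclosing parser function continues outside the hunk.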
pascal@20313 49 @@ -1869,6 +1892,9 @@
pascal@20313 50 options->update_hostkeys = -1;
pascal@20313 51 options->hostbased_key_types = NULL;
pascal@20313 52 options->pubkey_key_types = NULL;
pascal@20313 53 +#ifdef TCP_STEALTH
pascal@20313 54 + options->tcp_stealth_secret = NULL;
pascal@20313 55 +#endif
pascal@20313 56 }
pascal@20313 57
pascal@20313 58 /*
pascal@20313 59 --- a/readconf.h
pascal@20313 60 +++ b/readconf.h
pascal@20313 61 @@ -164,6 +164,10 @@
pascal@20313 62 char *jump_extra;
pascal@20313 63
pascal@20313 64 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
pascal@20313 65 +
pascal@20313 66 +#ifdef TCP_STEALTH
pascal@20313 67 + char *tcp_stealth_secret;
pascal@20313 68 +#endif
pascal@20313 69 } Options;
pascal@20313 70
pascal@20313 71 #define SSH_CANONICALISE_NO 0
pascal@20313 72 --- a/servconf.c
pascal@20313 73 +++ b/servconf.c
pascal@20313 74 @@ -165,6 +165,9 @@
pascal@20313 75 options->fingerprint_hash = -1;
pascal@20313 76 options->disable_forwarding = -1;
pascal@20313 77 options->expose_userauth_info = -1;
pascal@20313 78 +#ifdef TCP_STEALTH
pascal@20313 79 + options->tcp_stealth_secret = NULL;
pascal@20313 80 +#endif
pascal@20313 81 }
pascal@20313 82
pascal@20313 83 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
pascal@20313 84 @@ -422,6 +425,9 @@
pascal@20313 85 sStreamLocalBindMask, sStreamLocalBindUnlink,
pascal@20313 86 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
pascal@20313 87 sExposeAuthInfo,
pascal@20313 88 +#ifdef TCP_STEALTH
pascal@20313 89 + sTCPStealthSecret,
pascal@20313 90 +#endif
pascal@20313 91 sDeprecated, sIgnore, sUnsupported
pascal@20313 92 } ServerOpCodes;
pascal@20313 93
pascal@20313 94 @@ -566,6 +572,9 @@
pascal@20313 95 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
pascal@20313 96 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
pascal@20313 97 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
pascal@20313 98 +#ifdef TCP_STEALTH
pascal@20313 99 + { "tcpstealthsecret", sTCPStealthSecret },
pascal@20313 100 +#endif
pascal@20313 101 { NULL, sBadOption, 0 }
pascal@20313 102 };
pascal@20313 103
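Review bot: The new `{ "tcpstealthsecret", sTCPStealthSecret },` entry omits the third field that every neighbouring entry sets (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so its scope mask is zero-initialised rather than chosen; how the config parser's scope checks treat a zero mask should be verified rather than relied upon. Since the secret is consumed only when the listening sockets are created in sshd.c, before any client connection and therefore before any Match block can apply, the intended value appears to be `{ "tcpstealthsecret", sTCPStealthSecret, SSHCFG_GLOBAL },`.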
pascal@20313 104 @@ -1883,6 +1892,23 @@
pascal@20313 105 intptr = &options->expose_userauth_info;
pascal@20313 106 goto parse_flag;
pascal@20313 107
pascal@20313 108 +#ifdef TCP_STEALTH
pascal@20313 109 + case sTCPStealthSecret:
pascal@20313 110 + charptr = &options->tcp_stealth_secret;
pascal@20313 111 +
pascal@20313 112 + arg = strdelim(&cp);
pascal@20313 113 + if (!arg || *arg == '\0')
pascal@20313 114 + fatal("%s line %d: Missing argument.",
pascal@20313 115 + filename, linenum);
pascal@20313 116 +
pascal@20313 117 + if (*activep && *charptr == NULL) {
pascal@20313 118 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 119 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
pascal@20313 120 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
pascal@20313 121 + }
pascal@20313 122 +
pascal@20313 123 + break;
pascal@20313 124 +#endif
pascal@20313 125 case sDeprecated:
pascal@20313 126 case sIgnore:
pascal@20313 127 case sUnsupported:
pascal@20313 128 --- a/servconf.h
pascal@20313 129 +++ b/servconf.h
pascal@20313 130 @@ -198,6 +198,10 @@
pascal@20313 131
pascal@20313 132 int fingerprint_hash;
pascal@20313 133 int expose_userauth_info;
pascal@20313 134 +
pascal@20313 135 +#ifdef TCP_STEALTH
pascal@20313 136 + char *tcp_stealth_secret;
pascal@20313 137 +#endif
pascal@20313 138 } ServerOptions;
pascal@20313 139
pascal@20313 140 /* Information about the incoming connection as used by Match */
pascal@20313 141 @@ -219,6 +223,11 @@
pascal@20313 142 * NB. an option must appear in servconf.c:copy_set_server_options() or
pascal@20313 143 * COPY_MATCH_STRING_OPTS here but never both.
pascal@20313 144 */
pascal@20313 145 +#ifdef TCP_STEALTH
pascal@20313 146 +#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
pascal@20313 147 +#else
pascal@20313 148 +#define M_CP_STEALTHSCRT(X)
pascal@20313 149 +#endif
pascal@20313 150 #define COPY_MATCH_STRING_OPTS() do { \
pascal@20313 151 M_CP_STROPT(banner); \
pascal@20313 152 M_CP_STROPT(trusted_user_ca_keys); \
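Review bot: `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);` carries its own trailing semicolon, so the use site `M_CP_STEALTHSCRT(tcp_stealth_secret); \` expands to `M_CP_STROPT(tcp_stealth_secret);;`; defining it as `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X)` keeps the list uniform with the other `M_CP_*` lines (the disabled build then still yields a harmless empty statement). More substantively, placing the secret in COPY_MATCH_STRING_OPTS declares it a per-connection, Match-overridable option, yet the only consumer visible in this patch applies it to the listening sockets before any connection exists, so a value set inside a Match block could never reach the socket. Unless a per-connection use is planned, leaving it out of the copy list and documenting the option as global-only avoids a configuration that is accepted but silently ineffective.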
pascal@20313 153 @@ -238,6 +247,7 @@
pascal@20313 154 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
pascal@20313 155 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
pascal@20313 156 M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
pascal@20313 157 + M_CP_STEALTHSCRT(tcp_stealth_secret); \
pascal@20313 158 } while (0)
pascal@20313 159
pascal@20313 160 struct connection_info *get_connection_info(int, int);
pascal@20313 161 --- a/ssh.c
pascal@20313 162 +++ b/ssh.c
pascal@20313 163 @@ -191,6 +191,14 @@
pascal@20313 164 extern int muxserver_sock;
pascal@20313 165 extern u_int muxclient_command;
pascal@20313 166
pascal@20313 167 +#ifdef TCP_STEALTH
pascal@20313 168 +#define OPT_STEALTH "[-z tcp_stealth_secret] "
pascal@20313 169 +#define GETOPT_STEALTH "z:"
pascal@20313 170 +#else
pascal@20313 171 +#define OPT_STEALTH ""
pascal@20313 172 +#define GETOPT_STEALTH ""
pascal@20313 173 +#endif
pascal@20313 174 +
pascal@20313 175 /* Prints a help message to the user. This function never returns. */
pascal@20313 176
pascal@20313 177 static void
pascal@20313 178 @@ -203,7 +211,7 @@
pascal@20313 179 " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
pascal@20313 180 " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
pascal@20313 181 " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
pascal@20313 182 -" [user@]hostname [command]\n"
pascal@20313 183 +" " OPT_STEALTH "[user@]hostname [command]\n"
pascal@20313 184 );
pascal@20313 185 exit(255);
pascal@20313 186 }
pascal@20313 187 @@ -612,7 +620,7 @@
pascal@20313 188
pascal@20313 189 again:
pascal@20313 190 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
pascal@20313 191 - "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
pascal@20313 192 + "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
pascal@20313 193 switch (opt) {
pascal@20313 194 case '1':
pascal@20313 195 fatal("SSH protocol v.1 is no longer supported");
pascal@20313 196 @@ -921,6 +929,14 @@
pascal@20313 197 case 'F':
pascal@20313 198 config = optarg;
pascal@20313 199 break;
pascal@20313 200 +#ifdef TCP_STEALTH
pascal@20313 201 + case 'z':
pascal@20313 202 + options.tcp_stealth_secret =
pascal@20313 203 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
pascal@20313 204 + strncpy(options.tcp_stealth_secret, optarg,
pascal@20313 205 + TCP_STEALTH_SECRET_SIZE);
pascal@20313 206 + break;
pascal@20313 207 +#endif
pascal@20313 208 default:
pascal@20313 209 usage();
pascal@20313 210 }
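Review bot: The `case 'z':` handler copies `optarg` into a fresh `xcalloc` buffer but leaves the secret in `argv`, where it remains readable through the process listing for the life of the session; the man page text added by this patch warns about exactly that exposure. Overwriting the argument once it has been copied, `explicit_bzero(optarg, strlen(optarg));` after the `strncpy`, narrows the window to the moment before option parsing (it cannot close it, since the process table is readable before `main` runs), which is the usual mitigation when a secret must be accepted on the command line. A repeated `-z` also leaks the previous allocation; `free(options.tcp_stealth_secret);` before the `xcalloc` keeps that tidy. The same two points apply to the mirror `case 'z':` hunk in sshd.c.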
pascal@20313 211 --- a/sshd.c
pascal@20313 212 +++ b/sshd.c
pascal@20313 213 @@ -896,6 +896,14 @@
pascal@20313 214 return (r < p) ? 1 : 0;
pascal@20313 215 }
pascal@20313 216
pascal@20313 217 +#ifdef TCP_STEALTH
pascal@20313 218 +#define OPT_STEALTH " [-z tcp_stealth_secret]"
pascal@20313 219 +#define GETOPT_STEALTH "z:"
pascal@20313 220 +#else
pascal@20313 221 +#define OPT_STEALTH ""
pascal@20313 222 +#define GETOPT_STEALTH ""
pascal@20313 223 +#endif
pascal@20313 224 +
pascal@20313 225 static void
pascal@20313 226 usage(void)
pascal@20313 227 {
pascal@20313 228 @@ -911,6 +919,7 @@
pascal@20313 229 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
pascal@20313 230 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
pascal@20313 231 " [-h host_key_file] [-o option] [-p port] [-u len]\n"
pascal@20313 232 +" " OPT_STEALTH "\n"
pascal@20313 233 );
pascal@20313 234 exit(1);
pascal@20313 235 }
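Review bot: In a build without TCP_STEALTH the added `" " OPT_STEALTH "\n"` still emits a whitespace-only line, so `sshd` usage output gains an indented blank line that the unpatched binary did not print. Moving the whole line into the macro, i.e. `#define OPT_STEALTH` holding the indented `[-z tcp_stealth_secret]` text together with its `\n` and `""` as the fallback, and emitting `OPT_STEALTH` alone here, keeps the disabled build's output byte-identical (the ssh.c usage hunk avoids the problem by splicing the option into an existing line). `usage()` starts outside the hunk.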
pascal@20313 236 @@ -1057,6 +1066,15 @@
pascal@20313 237 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
pascal@20313 238 &on, sizeof(on)) == -1)
pascal@20313 239 error("setsockopt SO_REUSEADDR: %s", strerror(errno));
pascal@20313 240 +#ifdef TCP_STEALTH
pascal@20313 241 + if (options.tcp_stealth_secret != NULL) {
pascal@20313 242 + if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
pascal@20313 243 + options.tcp_stealth_secret,
pascal@20313 244 + TCP_STEALTH_SECRET_SIZE) == -1)
pascal@20313 245 + error("setsockopt TCP_STEALTH: %s",
pascal@20313 246 + strerror(errno));
pascal@20313 247 + }
pascal@20313 248 +#endif
pascal@20313 249
pascal@20313 250 /* Only communicate in IPv6 over AF_INET6 sockets. */
pascal@20313 251 if (ai->ai_family == AF_INET6)
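Review bot: A failed `setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, ...)` is only reported with `error()` and the socket then goes on to be bound and listened on, so when the running kernel lacks TCP_STEALTH support or rejects the call, sshd silently becomes an ordinary, scannable listener even though the operator configured a secret — the opposite of what TCPStealthSecret promises. The client side of this same patch (sshconnect.c) already treats the failure as fatal to the socket, and the server should be at least as strict: `fatal("setsockopt TCP_STEALTH: %s", strerror(errno));` at startup, or, if the surrounding code is the per-address loop that `continue`s on other socket failures, `close(listen_sock); continue;` so that no unprotected listener is ever created. Either way a comment such as `/* fail closed: a listener without the stealth option would expose the port */` should record the decision. The enclosing listen-socket setup starts and ends outside the hunk.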
pascal@20313 252 @@ -1404,7 +1422,7 @@
pascal@20313 253
pascal@20313 254 /* Parse command-line arguments. */
pascal@20313 255 while ((opt = getopt(ac, av,
pascal@20313 256 - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
pascal@20313 257 + GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
pascal@20313 258 switch (opt) {
pascal@20313 259 case '4':
pascal@20313 260 options.address_family = AF_INET;
pascal@20313 261 @@ -1512,6 +1530,14 @@
pascal@20313 262 exit(1);
pascal@20313 263 free(line);
pascal@20313 264 break;
pascal@20313 265 +#ifdef TCP_STEALTH
pascal@20313 266 + case 'z':
pascal@20313 267 + options.tcp_stealth_secret =
pascal@20313 268 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
pascal@20313 269 + strncpy(options.tcp_stealth_secret, optarg,
pascal@20313 270 + TCP_STEALTH_SECRET_SIZE);
pascal@20313 271 + break;
pascal@20313 272 +#endif
pascal@20313 273 case '?':
pascal@20313 274 default:
pascal@20313 275 usage();
pascal@20313 276 --- a/ssh_config.5
pascal@20313 277 +++ b/ssh_config.5
pascal@20313 278 @@ -1509,6 +1509,15 @@
pascal@20313 279 .Pp
pascal@20313 280 To disable TCP keepalive messages, the value should be set to
pascal@20313 281 .Cm no .
pascal@20313 282 +.It Cm TCPStealthSecret
pascal@20313 283 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
pascal@20313 284 +Server. Any string specified will be truncated to or padded with zeroes to 64
pascal@20313 285 +bytes. This option needs kernel support and is therefore only available if the
pascal@20313 286 +required
pascal@20313 287 +.Xr setsockopt 2
pascal@20313 288 +call is available.
pascal@20313 289 +.Pp
pascal@20313 290 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 291 .It Cm Tunnel
pascal@20313 292 Request
pascal@20313 293 .Xr tun 4
pascal@20313 294 --- a/sshd_config.5
pascal@20313 295 +++ b/sshd_config.5
pascal@20313 296 @@ -1444,6 +1444,18 @@
pascal@20313 297 .Pp
pascal@20313 298 To disable TCP keepalive messages, the value should be set to
pascal@20313 299 .Cm no .
pascal@20313 300 +.It Cm TCPStealthSecret
pascal@20313 301 +Turns this SSH server into a stealth SSH TCP server. This configuration option
pascal@20313 302 +specifies the shared secret needed by the clients in order to be able to connect
pascal@20313 303 +to the port the SSH server is listening on. This means that port scanners will
pascal@20313 304 +receive a TCP RST and thus will not recognize this TCP port being open. Any
pascal@20313 305 +string specified will be truncated or padded with zeroes to 64 bytes. This
pascal@20313 306 +option needs kernel support and is therefore only available if the required
pascal@20313 307 +.Xr setsockopt 2
pascal@20313 308 +call is available.
pascal@20313 309 +.Pp
pascal@20313 310 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 311 +
pascal@20313 312 .It Cm TrustedUserCAKeys
pascal@20313 313 Specifies a file containing public keys of certificate authorities that are
pascal@20313 314 trusted to sign user certificates for authentication, or
pascal@20313 315 --- a/sshd.0
pascal@20313 316 +++ b/sshd.0
pascal@20313 317 @@ -7,6 +7,7 @@
pascal@20313 318 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
pascal@20313 319 [-E log_file] [-f config_file] [-g login_grace_time]
pascal@20313 320 [-h host_key_file] [-o option] [-p port] [-u len]
pascal@20313 321 + [-z tcp_stealth_secret]
pascal@20313 322
pascal@20313 323 DESCRIPTION
pascal@20313 324 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
pascal@20313 325 @@ -121,6 +122,20 @@
pascal@20313 326 from="pattern-list" option in a key file. Configuration options
pascal@20313 327 that require DNS include using a USER@HOST pattern in AllowUsers
pascal@20313 328 or DenyUsers.
pascal@20313 329 + -z tcp_stealth_secret
pascal@20313 330 + Turns this SSH server into a Stealth SSH TCP Server. This option
pascal@20313 331 + specifies the shared secret which is needed by the clients in order
pascal@20313 332 + to be able to connect to the port the SSH server is listening on.
pascal@20313 333 + Any string specified will be truncated or padded with zeroes to 64
pascal@20313 334 + bytes. This option needs kernel support and is therefore only
pascal@20313 335 + available if the required setsockopt() call is available.
pascal@20313 336 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 337 + for details.
pascal@20313 338 +
pascal@20313 339 + IMPORTANT: This option should only be used for the purpose of
pascal@20313 340 + testing as other users could easily read out the secret from the
pascal@20313 341 + command line arguments. The TCPStealthSecret configuration option
pascal@20313 342 + is the preferred way of specifying the TCP Stealth secret.
pascal@20313 343
pascal@20313 344 AUTHENTICATION
pascal@20313 345 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
pascal@20313 346 --- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400
pascal@20313 347 +++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500
pascal@20313 348 @@ -425,6 +425,20 @@ DESCRIPTION
pascal@20313 349 -y Send log information using the syslog(3) system module. By
pascal@20313 350 default this information is sent to stderr.
pascal@20313 351
pascal@20313 352 + -z tcp_stealth_secret
pascal@20313 353 + Specifies the shared secret which is needed to connect to a stealth
pascal@20313 354 + SSH TCP server. Any string specified will be truncated to or padded
pascal@20313 355 + with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 356 + therefore only available if the required setsockopt() call is
pascal@20313 357 + available.
pascal@20313 358 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 359 + for details.
pascal@20313 360 +
pascal@20313 361 + IMPORTANT: This option should only be used for the purpose of
pascal@20313 362 + testing as other users could easily read out the secret from the
pascal@20313 363 + command line arguments. The TCPStealthSecret configuration option
pascal@20313 364 + is the preferred way of specifying the TCP Stealth secret.
pascal@20313 365 +
pascal@20313 366 ssh may additionally obtain configuration data from a per-user
pascal@20313 367 configuration file and a system-wide configuration file. The file format
pascal@20313 368 and configuration options are described in ssh_config(5).
pascal@20313 369 --- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400
pascal@20313 370 +++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500
pascal@20313 371 @@ -64,6 +64,7 @@
pascal@20313 372 .Op Fl S Ar ctl_path
pascal@20313 373 .Op Fl W Ar host : Ns Ar port
pascal@20313 374 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
pascal@20313 375 +.Op Fl z Ar tcp_stealth_secret
pascal@20313 376 .Oo Ar user Ns @ Oc Ns Ar hostname
pascal@20313 377 .Op Ar command
pascal@20313 378 .Ek
pascal@20313 379 @@ -528,6 +529,7 @@ For full details of the options listed b
pascal@20313 380 .It StreamLocalBindUnlink
pascal@20313 381 .It StrictHostKeyChecking
pascal@20313 382 .It TCPKeepAlive
pascal@20313 383 +.It TCPStealthSecret
pascal@20313 384 .It Tunnel
pascal@20313 385 .It TunnelDevice
pascal@20313 386 .It UpdateHostKeys
pascal@20313 387 @@ -777,6 +779,21 @@ Send log information using the
pascal@20313 388 .Xr syslog 3
pascal@20313 389 system module.
pascal@20313 390 By default this information is sent to stderr.
pascal@20313 391 +.It Fl z Ar tcp_stealth_secret
pascal@20313 392 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
pascal@20313 393 +server. Any string specified will be truncated to or padded with zeroes to 64
pascal@20313 394 +bytes. This option needs kernel support and is therefore only available if the
pascal@20313 395 +required
pascal@20313 396 +.Xr setsockopt 2
pascal@20313 397 +call is available.
pascal@20313 398 +.Pp
pascal@20313 399 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 400 +.Pp
pascal@20313 401 +.Cm IMPORTANT:
pascal@20313 402 +This option should only be used for the purpose of testing as other users could
pascal@20313 403 +easily read out the secret from the command line arguments. The
pascal@20313 404 +.Cm TCPStealthSecret
pascal@20313 405 +configuration option is the preferred way of specifying the TCP Stealth secret.
pascal@20313 406 .El
pascal@20313 407 .Pp
pascal@20313 408 .Nm
pascal@20313 409 --- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400
pascal@20313 410 +++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500
pascal@20313 411 @@ -919,6 +919,15 @@ DESCRIPTION
pascal@20313 412
pascal@20313 413 To disable TCP keepalive messages, the value should be set to no.
pascal@20313 414
pascal@20313 415 + TCPStealthSecret
pascal@20313 416 + Specifies the shared secret which is needed to connect to a stealth
pascal@20313 417 + SSH TCP Server. Any string specified will be truncated to or padded
pascal@20313 418 + with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 419 + therefore only available if the required setsockopt() call is
pascal@20313 420 + available.
pascal@20313 421 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 422 + for details.
pascal@20313 423 +
pascal@20313 424 Tunnel Request tun(4) device forwarding between the client and the
pascal@20313 425 server. The argument must be yes, point-to-point (layer 3),
pascal@20313 426 ethernet (layer 2), or no (the default). Specifying yes requests
pascal@20313 427 --- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400
pascal@20313 428 +++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500
pascal@20313 429 @@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
pascal@20313 430 }
pascal@20313 431 fcntl(sock, F_SETFD, FD_CLOEXEC);
pascal@20313 432
pascal@20313 433 +#ifdef TCP_STEALTH
pascal@20313 434 + if (options.tcp_stealth_secret) {
pascal@20313 435 + if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
pascal@20313 436 + options.tcp_stealth_secret,
pascal@20313 437 + TCP_STEALTH_SECRET_SIZE) == -1) {
pascal@20313 438 + error("setsockopt TCP_STEALTH: %s", strerror(errno));
pascal@20313 439 + close(sock);
pascal@20313 440 + return -1;
pascal@20313 441 + }
pascal@20313 442 + }
pascal@20313 443 +#endif
pascal@20313 444 +
pascal@20313 445 /* Bind the socket to an alternative local IP address */
pascal@20313 446 if (options.bind_address == NULL && !privileged)
pascal@20313 447 return sock;
pascal@20313 448 --- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400
pascal@20313 449 +++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500
pascal@20313 450 @@ -53,6 +53,7 @@
pascal@20313 451 .Op Fl o Ar option
pascal@20313 452 .Op Fl p Ar port
pascal@20313 453 .Op Fl u Ar len
pascal@20313 454 +.Op Fl z Ar tcp_stealth_secret
pascal@20313 455 .Ek
pascal@20313 456 .Sh DESCRIPTION
pascal@20313 457 .Nm
pascal@20313 458 @@ -243,6 +244,24 @@ USER@HOST pattern in
pascal@20313 459 .Cm AllowUsers
pascal@20313 460 or
pascal@20313 461 .Cm DenyUsers .
pascal@20313 462 +.It Fl z Ar tcp_stealth_secret
pascal@20313 463 +Turns this SSH server into a stealth SSH TCP server. This option specifies the
pascal@20313 464 +shared secret which is needed by the clients in order to be able to connect to
pascal@20313 465 +the port the SSH server is listening on. Any string specified will be truncated
pascal@20313 466 +or padded with zeroes to 64 bytes. This option needs kernel support and is
pascal@20313 467 +therefore only available if the required
pascal@20313 468 +.Xr setsockopt 2
pascal@20313 469 +call is available.
pascal@20313 470 +.Pp
pascal@20313 471 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
pascal@20313 472 +
pascal@20313 473 +.Cm IMPORTANT:
pascal@20313 474 +This option should only be used for the purpose of
pascal@20313 475 +testing as other users could easily read out the secret from the
pascal@20313 476 +command line arguments. The
pascal@20313 477 +.Cm TCPStealthSecret
pascal@20313 478 +configuration option
pascal@20313 479 +is the preferred way of specifying the TCP Stealth secret.
pascal@20313 480 .El
pascal@20313 481 .Sh AUTHENTICATION
pascal@20313 482 The OpenSSH SSH daemon supports SSH protocol 2 only.
pascal@20313 483 --- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400
pascal@20313 484 +++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500
pascal@20313 485 @@ -872,6 +872,19 @@ DESCRIPTION
pascal@20313 486
pascal@20313 487 To disable TCP keepalive messages, the value should be set to no.
pascal@20313 488
pascal@20313 489 + TCPStealthSecret
pascal@20313 490 + Turns this SSH server into a stealth SSH TCP server. This
pascal@20313 491 + configuration option specifies the shared secret needed by the
pascal@20313 492 + clients in order to be able to connect to the port the SSH server
pascal@20313 493 + is listening on. This means that port scanners will receive a
pascal@20313 494 + TCP RST and thus will not recognize this TCP port being open.
pascal@20313 495 +
pascal@20313 496 + Any string specified will be truncated or padded with zeroes to 64
pascal@20313 497 + bytes. This option needs kernel support and is therefore only
pascal@20313 498 + available if the required setsockopt() call is available.
pascal@20313 499 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
pascal@20313 500 + for details.
pascal@20313 501 +
pascal@20313 502 TrustedUserCAKeys
pascal@20313 503 Specifies a file containing public keys of certificate
pascal@20313 504 authorities that are trusted to sign user certificates for