1 From https://gnunet.org/knock :
|
pascal@20313
|
2 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
|
pascal@20313
|
3 --- a/readconf.c
|
pascal@20313
|
4 +++ b/readconf.c
|
pascal@20313
|
5 @@ -172,6 +172,9 @@
|
pascal@20313
|
6 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
pascal@20313
|
7 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
pascal@20313
|
8 oPubkeyAcceptedKeyTypes, oProxyJump,
|
pascal@20313
|
9 +#ifdef TCP_STEALTH
|
pascal@20313
|
10 + oTCPStealthSecret,
|
pascal@20313
|
11 +#endif
|
pascal@20313
|
12 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
pascal@20313
|
13 } OpCodes;
|
pascal@20313
|
14
|
pascal@20313
|
15 @@ -305,6 +308,9 @@
|
pascal@20313
|
16 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
pascal@20313
|
17 { "ignoreunknown", oIgnoreUnknown },
|
pascal@20313
|
18 { "proxyjump", oProxyJump },
|
pascal@20313
|
19 +#ifdef TCP_STEALTH
|
pascal@20313
|
20 + { "tcpstealthsecret", oTCPStealthSecret },
|
pascal@20313
|
21 +#endif
|
pascal@20313
|
22
|
pascal@20313
|
23 { NULL, oBadOption }
|
pascal@20313
|
24 };
|
pascal@20313
|
25 @@ -1669,6 +1675,23 @@
|
pascal@20313
|
26 charptr = &options->identity_agent;
|
pascal@20313
|
27 goto parse_string;
|
pascal@20313
|
28
|
pascal@20313
|
29 +#ifdef TCP_STEALTH
|
pascal@20313
|
30 + case oTCPStealthSecret:
|
pascal@20313
|
31 + charptr = &options->tcp_stealth_secret;
|
pascal@20313
|
32 +
|
pascal@20313
|
33 + arg = strdelim(&s);
|
pascal@20313
|
34 + if (!arg || *arg == '\0')
|
pascal@20313
|
35 + fatal("%.200s line %d: Missing argument.",
|
pascal@20313
|
36 + filename, linenum);
|
pascal@20313
|
37 +
|
pascal@20313
|
38 + if (*activep && *charptr == NULL) {
|
pascal@20313
|
39 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
|
pascal@20313
|
40 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
|
pascal@20313
|
41 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
|
pascal@20313
|
42 + }
|
pascal@20313
|
43 +
|
pascal@20313
|
44 + break;
|
pascal@20313
|
45 +#endif
|
pascal@20313
|
46 case oDeprecated:
|
pascal@20313
|
47 debug("%s line %d: Deprecated option \"%s\"",
|
pascal@20313
|
48 filename, linenum, keyword);
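Review bot: The `xmalloc` followed by `memset` in the new `oTCPStealthSecret` case is exactly what `xcalloc` does, and the `-z` handler this same patch adds to ssh.c already uses `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t))` for the identical buffer; `*charptr = xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1);` keeps the zero padding that makes the bounded `strncpy` safe and drops a line. The `*charptr == NULL` guard silently ignores a second occurrence, which is this parser's usual first-value-wins rule, but nothing here says so; a comment such as `/* NUL-padded to TCP_STEALTH_SECRET_SIZE; first value seen (command line or config) wins. */` would make the contract visible. Both remarks apply equally to the `sTCPStealthSecret` case added to servconf.c. The enclosing switch starts and ends outside this hunk.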
|
pascal@20313
|
49 @@ -1869,6 +1892,9 @@
|
pascal@20313
|
50 options->update_hostkeys = -1;
|
pascal@20313
|
51 options->hostbased_key_types = NULL;
|
pascal@20313
|
52 options->pubkey_key_types = NULL;
|
pascal@20313
|
53 +#ifdef TCP_STEALTH
|
pascal@20313
|
54 + options->tcp_stealth_secret = NULL;
|
pascal@20313
|
55 +#endif
|
pascal@20313
|
56 }
|
pascal@20313
|
57
|
pascal@20313
|
58 /*
|
pascal@20313
|
59 --- a/readconf.h
|
pascal@20313
|
60 +++ b/readconf.h
|
pascal@20313
|
61 @@ -164,6 +164,10 @@
|
pascal@20313
|
62 char *jump_extra;
|
pascal@20313
|
63
|
pascal@20313
|
64 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
|
pascal@20313
|
65 +
|
pascal@20313
|
66 +#ifdef TCP_STEALTH
|
pascal@20313
|
67 + char *tcp_stealth_secret;
|
pascal@20313
|
68 +#endif
|
pascal@20313
|
69 } Options;
|
pascal@20313
|
70
|
pascal@20313
|
71 #define SSH_CANONICALISE_NO 0
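Review bot: The new `tcp_stealth_secret` member is the only field in this run without a trailing comment, although its neighbour `ignored_unknown` has one, and the readconf.c code relies on a contract the type does not express: the buffer is `TCP_STEALTH_SECRET_SIZE + 1` bytes, zero-padded, with `NULL` meaning the option is unset. A comment like `char *tcp_stealth_secret; /* TCP_STEALTH_SECRET_SIZE bytes, NUL-padded; NULL = unset */` records that; the matching field added to `ServerOptions` in servconf.h deserves the same.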
|
pascal@20313
|
72 --- a/servconf.c
|
pascal@20313
|
73 +++ b/servconf.c
|
pascal@20313
|
74 @@ -165,6 +165,9 @@
|
pascal@20313
|
75 options->fingerprint_hash = -1;
|
pascal@20313
|
76 options->disable_forwarding = -1;
|
pascal@20313
|
77 options->expose_userauth_info = -1;
|
pascal@20313
|
78 +#ifdef TCP_STEALTH
|
pascal@20313
|
79 + options->tcp_stealth_secret = NULL;
|
pascal@20313
|
80 +#endif
|
pascal@20313
|
81 }
|
pascal@20313
|
82
|
pascal@20313
|
83 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
pascal@20313
|
84 @@ -422,6 +425,9 @@
|
pascal@20313
|
85 sStreamLocalBindMask, sStreamLocalBindUnlink,
|
pascal@20313
|
86 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
pascal@20313
|
87 sExposeAuthInfo,
|
pascal@20313
|
88 +#ifdef TCP_STEALTH
|
pascal@20313
|
89 + sTCPStealthSecret,
|
pascal@20313
|
90 +#endif
|
pascal@20313
|
91 sDeprecated, sIgnore, sUnsupported
|
pascal@20313
|
92 } ServerOpCodes;
|
pascal@20313
|
93
|
pascal@20313
|
94 @@ -566,6 +572,9 @@
|
pascal@20313
|
95 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
pascal@20313
|
96 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
pascal@20313
|
97 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
|
pascal@20313
|
98 +#ifdef TCP_STEALTH
|
pascal@20313
|
99 + { "tcpstealthsecret", sTCPStealthSecret },
|
pascal@20313
|
100 +#endif
|
pascal@20313
|
101 { NULL, sBadOption, 0 }
|
pascal@20313
|
102 };
|
pascal@20313
|
103
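Review bot: The new `tcpstealthsecret` row omits the third `flags` field that every other row of this table carries (`SSHCFG_GLOBAL` / `SSHCFG_ALL`, and `0` on the terminator), so it is zero-initialised and the keyword has no declared scope. Since sshd.c applies the secret to the listen socket before any connection is accepted, the option can only be meaningful globally; `{ "tcpstealthsecret", sTCPStealthSecret, SSHCFG_GLOBAL },` states that and lets the parser reject it inside a Match block. With a global-only scope the `M_CP_STEALTHSCRT` entry added to `COPY_MATCH_STRING_OPTS` in servconf.h would presumably become unnecessary — worth confirming against the flag handling in parse_token, which is outside this hunk.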
|
pascal@20313
|
104 @@ -1883,6 +1892,23 @@
|
pascal@20313
|
105 intptr = &options->expose_userauth_info;
|
pascal@20313
|
106 goto parse_flag;
|
pascal@20313
|
107
|
pascal@20313
|
108 +#ifdef TCP_STEALTH
|
pascal@20313
|
109 + case sTCPStealthSecret:
|
pascal@20313
|
110 + charptr = &options->tcp_stealth_secret;
|
pascal@20313
|
111 +
|
pascal@20313
|
112 + arg = strdelim(&cp);
|
pascal@20313
|
113 + if (!arg || *arg == '\0')
|
pascal@20313
|
114 + fatal("%s line %d: Missing argument.",
|
pascal@20313
|
115 + filename, linenum);
|
pascal@20313
|
116 +
|
pascal@20313
|
117 + if (*activep && *charptr == NULL) {
|
pascal@20313
|
118 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
|
pascal@20313
|
119 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
|
pascal@20313
|
120 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
|
pascal@20313
|
121 + }
|
pascal@20313
|
122 +
|
pascal@20313
|
123 + break;
|
pascal@20313
|
124 +#endif
|
pascal@20313
|
125 case sDeprecated:
|
pascal@20313
|
126 case sIgnore:
|
pascal@20313
|
127 case sUnsupported:
|
pascal@20313
|
128 --- a/servconf.h
|
pascal@20313
|
129 +++ b/servconf.h
|
pascal@20313
|
130 @@ -198,6 +198,10 @@
|
pascal@20313
|
131
|
pascal@20313
|
132 int fingerprint_hash;
|
pascal@20313
|
133 int expose_userauth_info;
|
pascal@20313
|
134 +
|
pascal@20313
|
135 +#ifdef TCP_STEALTH
|
pascal@20313
|
136 + char *tcp_stealth_secret;
|
pascal@20313
|
137 +#endif
|
pascal@20313
|
138 } ServerOptions;
|
pascal@20313
|
139
|
pascal@20313
|
140 /* Information about the incoming connection as used by Match */
|
pascal@20313
|
141 @@ -219,6 +223,11 @@
|
pascal@20313
|
142 * NB. an option must appear in servconf.c:copy_set_server_options() or
|
pascal@20313
|
143 * COPY_MATCH_STRING_OPTS here but never both.
|
pascal@20313
|
144 */
|
pascal@20313
|
145 +#ifdef TCP_STEALTH
|
pascal@20313
|
146 +#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
|
pascal@20313
|
147 +#else
|
pascal@20313
|
148 +#define M_CP_STEALTHSCRT(X)
|
pascal@20313
|
149 +#endif
|
pascal@20313
|
150 #define COPY_MATCH_STRING_OPTS() do { \
|
pascal@20313
|
151 M_CP_STROPT(banner); \
|
pascal@20313
|
152 M_CP_STROPT(trusted_user_ca_keys); \
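Review bot: `M_CP_STEALTHSCRT(X)` is defined as `M_CP_STROPT(X);` with its own semicolon, and the call site added to `COPY_MATCH_STRING_OPTS` in the next hunk (`M_CP_STEALTHSCRT(tcp_stealth_secret); \`) supplies another, so the TCP_STEALTH build ends up with an empty statement inside the do/while; `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X)` lets it be invoked like the other `M_CP_*` macros. More substantively, copying the secret into the per-connection options through the Match machinery does not appear to serve a purpose: sshd.c applies it to the listen socket before any connection exists, and nothing else in this patch reads `ServerOptions.tcp_stealth_secret` afterwards. If the keyword stays global-only, this macro and its call site can go; if per-Match setting is really intended, the `NB.` rule just above (an option appears in copy_set_server_options() or here, never both) should be satisfied knowingly and noted next to the macro.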
|
pascal@20313
|
153 @@ -238,6 +247,7 @@
|
pascal@20313
|
154 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
|
pascal@20313
|
155 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
|
pascal@20313
|
156 M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
|
pascal@20313
|
157 + M_CP_STEALTHSCRT(tcp_stealth_secret); \
|
pascal@20313
|
158 } while (0)
|
pascal@20313
|
159
|
pascal@20313
|
160 struct connection_info *get_connection_info(int, int);
|
pascal@20313
|
161 --- a/ssh.c
|
pascal@20313
|
162 +++ b/ssh.c
|
pascal@20313
|
163 @@ -191,6 +191,14 @@
|
pascal@20313
|
164 extern int muxserver_sock;
|
pascal@20313
|
165 extern u_int muxclient_command;
|
pascal@20313
|
166
|
pascal@20313
|
167 +#ifdef TCP_STEALTH
|
pascal@20313
|
168 +#define OPT_STEALTH "[-z tcp_stealth_secret] "
|
pascal@20313
|
169 +#define GETOPT_STEALTH "z:"
|
pascal@20313
|
170 +#else
|
pascal@20313
|
171 +#define OPT_STEALTH ""
|
pascal@20313
|
172 +#define GETOPT_STEALTH ""
|
pascal@20313
|
173 +#endif
|
pascal@20313
|
174 +
|
pascal@20313
|
175 /* Prints a help message to the user. This function never returns. */
|
pascal@20313
|
176
|
pascal@20313
|
177 static void
|
pascal@20313
|
178 @@ -203,7 +211,7 @@
|
pascal@20313
|
179 " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
|
pascal@20313
|
180 " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
|
pascal@20313
|
181 " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
|
pascal@20313
|
182 -" [user@]hostname [command]\n"
|
pascal@20313
|
183 +" " OPT_STEALTH "[user@]hostname [command]\n"
|
pascal@20313
|
184 );
|
pascal@20313
|
185 exit(255);
|
pascal@20313
|
186 }
|
pascal@20313
|
187 @@ -612,7 +620,7 @@
|
pascal@20313
|
188
|
pascal@20313
|
189 again:
|
pascal@20313
|
190 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
|
pascal@20313
|
191 - "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
pascal@20313
|
192 + "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
|
pascal@20313
|
193 switch (opt) {
|
pascal@20313
|
194 case '1':
|
pascal@20313
|
195 fatal("SSH protocol v.1 is no longer supported");
|
pascal@20313
|
196 @@ -921,6 +929,14 @@
|
pascal@20313
|
197 case 'F':
|
pascal@20313
|
198 config = optarg;
|
pascal@20313
|
199 break;
|
pascal@20313
|
200 +#ifdef TCP_STEALTH
|
pascal@20313
|
201 + case 'z':
|
pascal@20313
|
202 + options.tcp_stealth_secret =
|
pascal@20313
|
203 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
|
pascal@20313
|
204 + strncpy(options.tcp_stealth_secret, optarg,
|
pascal@20313
|
205 + TCP_STEALTH_SECRET_SIZE);
|
pascal@20313
|
206 + break;
|
pascal@20313
|
207 +#endif
|
pascal@20313
|
208 default:
|
pascal@20313
|
209 usage();
|
pascal@20313
|
210 }
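Review bot: After the secret is copied out of `optarg` it is left in `argv`, where it remains readable through the process table for the life of the client on platforms that expose arguments; the man pages warn about this, but the handler could at least shorten the window with `explicit_bzero(optarg, strlen(optarg));` right after the `strncpy`. A repeated `-z` also leaks the previous `xcalloc` buffer, so a `free(options.tcp_stealth_secret);` before the allocation (or the `== NULL` first-wins check readconf.c uses) would keep the two paths consistent. The `-z` case added to sshd.c has the same shape; scrubbing there needs checking against how the re-exec path re-parses the saved argv, which is outside this patch.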
|
pascal@20313
|
211 --- a/sshd.c
|
pascal@20313
|
212 +++ b/sshd.c
|
pascal@20313
|
213 @@ -896,6 +896,14 @@
|
pascal@20313
|
214 return (r < p) ? 1 : 0;
|
pascal@20313
|
215 }
|
pascal@20313
|
216
|
pascal@20313
|
217 +#ifdef TCP_STEALTH
|
pascal@20313
|
218 +#define OPT_STEALTH " [-z tcp_stealth_secret]"
|
pascal@20313
|
219 +#define GETOPT_STEALTH "z:"
|
pascal@20313
|
220 +#else
|
pascal@20313
|
221 +#define OPT_STEALTH ""
|
pascal@20313
|
222 +#define GETOPT_STEALTH ""
|
pascal@20313
|
223 +#endif
|
pascal@20313
|
224 +
|
pascal@20313
|
225 static void
|
pascal@20313
|
226 usage(void)
|
pascal@20313
|
227 {
|
pascal@20313
|
228 @@ -911,6 +919,7 @@
|
pascal@20313
|
229 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
|
pascal@20313
|
230 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
|
pascal@20313
|
231 " [-h host_key_file] [-o option] [-p port] [-u len]\n"
|
pascal@20313
|
232 +" " OPT_STEALTH "\n"
|
pascal@20313
|
233 );
|
pascal@20313
|
234 exit(1);
|
pascal@20313
|
235 }
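Review bot: The added usage line is `"<indent> " OPT_STEALTH "\n"`, and in the `#else` build `OPT_STEALTH` is the empty string, so an sshd built without TCP_STEALTH prints a whitespace-only line at the end of its usage text; the ssh.c counterpart avoids this by splicing `OPT_STEALTH` into an existing line. Moving the newline into the macro fixes it: `#define OPT_STEALTH "            [-z tcp_stealth_secret]\n"` in the TCP_STEALTH branch, `""` in the other, and the usage line becomes just `OPT_STEALTH`. The leading indentation of these string literals appears to have been stripped by the page rendering, so the column alignment with the lines above should be checked in the actual file.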
|
pascal@20313
|
236 @@ -1057,6 +1066,15 @@
|
pascal@20313
|
237 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
|
pascal@20313
|
238 &on, sizeof(on)) == -1)
|
pascal@20313
|
239 error("setsockopt SO_REUSEADDR: %s", strerror(errno));
|
pascal@20313
|
240 +#ifdef TCP_STEALTH
|
pascal@20313
|
241 + if (options.tcp_stealth_secret != NULL) {
|
pascal@20313
|
242 + if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
|
pascal@20313
|
243 + options.tcp_stealth_secret,
|
pascal@20313
|
244 + TCP_STEALTH_SECRET_SIZE) == -1)
|
pascal@20313
|
245 + error("setsockopt TCP_STEALTH: %s",
|
pascal@20313
|
246 + strerror(errno));
|
pascal@20313
|
247 + }
|
pascal@20313
|
248 +#endif
|
pascal@20313
|
249
|
pascal@20313
|
250 /* Only communicate in IPv6 over AF_INET6 sockets. */
|
pascal@20313
|
251 if (ai->ai_family == AF_INET6)
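Review bot: When `setsockopt(... TCP_STEALTH ...)` fails on the listen socket the code only logs with `error()` and carries on to bind and listen, so a server configured to be reachable only with the knock secret silently becomes an ordinary listener — the feature fails open. The client side in sshconnect.c treats the same failure as fatal for the socket (`close(sock); return -1;`), and the server should be at least as strict: `fatal("setsockopt TCP_STEALTH: %s", strerror(errno));` refuses to start, or, to mirror the bind-failure handling in this loop, `close(listen_sock); continue;` skips that address. The surrounding per-address loop and the bind call are outside this hunk.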
|
pascal@20313
|
252 @@ -1404,7 +1422,7 @@
|
pascal@20313
|
253
|
pascal@20313
|
254 /* Parse command-line arguments. */
|
pascal@20313
|
255 while ((opt = getopt(ac, av,
|
pascal@20313
|
256 - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
|
pascal@20313
|
257 + GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
|
pascal@20313
|
258 switch (opt) {
|
pascal@20313
|
259 case '4':
|
pascal@20313
|
260 options.address_family = AF_INET;
|
pascal@20313
|
261 @@ -1512,6 +1530,14 @@
|
pascal@20313
|
262 exit(1);
|
pascal@20313
|
263 free(line);
|
pascal@20313
|
264 break;
|
pascal@20313
|
265 +#ifdef TCP_STEALTH
|
pascal@20313
|
266 + case 'z':
|
pascal@20313
|
267 + options.tcp_stealth_secret =
|
pascal@20313
|
268 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
|
pascal@20313
|
269 + strncpy(options.tcp_stealth_secret, optarg,
|
pascal@20313
|
270 + TCP_STEALTH_SECRET_SIZE);
|
pascal@20313
|
271 + break;
|
pascal@20313
|
272 +#endif
|
pascal@20313
|
273 case '?':
|
pascal@20313
|
274 default:
|
pascal@20313
|
275 usage();
|
pascal@20313
|
276 --- a/ssh_config.5
|
pascal@20313
|
277 +++ b/ssh_config.5
|
pascal@20313
|
278 @@ -1509,6 +1509,15 @@
|
pascal@20313
|
279 .Pp
|
pascal@20313
|
280 To disable TCP keepalive messages, the value should be set to
|
pascal@20313
|
281 .Cm no .
|
pascal@20313
|
282 +.It Cm TCPStealthSecret
|
pascal@20313
|
283 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
|
pascal@20313
|
284 +Server. Any string specified will be truncated to or padded with zeroes to 64
|
pascal@20313
|
285 +bytes. This option needs kernel support and is therefore only available if the
|
pascal@20313
|
286 +required
|
pascal@20313
|
287 +.Xr setsockopt 2
|
pascal@20313
|
288 +call is available.
|
pascal@20313
|
289 +.Pp
|
pascal@20313
|
290 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
|
pascal@20313
|
291 .It Cm Tunnel
|
pascal@20313
|
292 Request
|
pascal@20313
|
293 .Xr tun 4
|
pascal@20313
|
294 --- a/sshd_config.5
|
pascal@20313
|
295 +++ b/sshd_config.5
|
pascal@20313
|
296 @@ -1444,6 +1444,18 @@
|
pascal@20313
|
297 .Pp
|
pascal@20313
|
298 To disable TCP keepalive messages, the value should be set to
|
pascal@20313
|
299 .Cm no .
|
pascal@20313
|
300 +.It Cm TCPStealthSecret
|
pascal@20313
|
301 +Turns this SSH server into a stealth SSH TCP server. This configuration option
|
pascal@20313
|
302 +specifies the shared secret needed by the clients in order to be able to connect
|
pascal@20313
|
303 +to the port the SSH server is listening on. This means that port scanners will
|
pascal@20313
|
304 +receive a TCP RST and thus will not recognize this TCP port being open. Any
|
pascal@20313
|
305 +string specified will be truncated or padded with zeroes to 64 bytes. This
|
pascal@20313
|
306 +option needs kernel support and is therefore only available if the required
|
pascal@20313
|
307 +.Xr setsockopt 2
|
pascal@20313
|
308 +call is available.
|
pascal@20313
|
309 +.Pp
|
pascal@20313
|
310 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
|
pascal@20313
|
311 +
|
pascal@20313
|
312 .It Cm TrustedUserCAKeys
|
pascal@20313
|
313 Specifies a file containing public keys of certificate authorities that are
|
pascal@20313
|
314 trusted to sign user certificates for authentication, or
|
pascal@20313
|
315 --- a/sshd.0
|
pascal@20313
|
316 +++ b/sshd.0
|
pascal@20313
|
317 @@ -7,6 +7,7 @@
|
pascal@20313
|
318 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
|
pascal@20313
|
319 [-E log_file] [-f config_file] [-g login_grace_time]
|
pascal@20313
|
320 [-h host_key_file] [-o option] [-p port] [-u len]
|
pascal@20313
|
321 + [-z tcp_stealth_secret]
|
pascal@20313
|
322
|
pascal@20313
|
323 DESCRIPTION
|
pascal@20313
|
324 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
|
pascal@20313
|
325 @@ -121,6 +122,20 @@
|
pascal@20313
|
326 from="pattern-list" option in a key file. Configuration options
|
pascal@20313
|
327 that require DNS include using a USER@HOST pattern in AllowUsers
|
pascal@20313
|
328 or DenyUsers.
|
pascal@20313
|
329 + -z tcp_stealth_secret
|
pascal@20313
|
330 + Turns this SSH server into a Stealth SSH TCP Server. This option
|
pascal@20313
|
331 + specifies the shared secret which is needed by the clients in order
|
pascal@20313
|
332 + to be able to connect to the port the SSH server is listening on.
|
pascal@20313
|
333 + Any string specified will be truncated or padded with zeroes to 64
|
pascal@20313
|
334 + bytes. This option needs kernel support and is therefore only
|
pascal@20313
|
335 + available if the required setsockopt() call is available.
|
pascal@20313
|
336 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
|
pascal@20313
|
337 + for details.
|
pascal@20313
|
338 +
|
pascal@20313
|
339 + IMPORTANT: This option should only be used for the purpose of
|
pascal@20313
|
340 + testing as other users could easily read out the secret from the
|
pascal@20313
|
341 + command line arguments. The TCPStealthSecret configuration option
|
pascal@20313
|
342 + is the preferred way of specifying the TCP Stealth secret.
|
pascal@20313
|
343
|
pascal@20313
|
344 AUTHENTICATION
|
pascal@20313
|
345 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
|
pascal@20313
|
346 --- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400
|
pascal@20313
|
347 +++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500
|
pascal@20313
|
348 @@ -425,6 +425,20 @@ DESCRIPTION
|
pascal@20313
|
349 -y Send log information using the syslog(3) system module. By
|
pascal@20313
|
350 default this information is sent to stderr.
|
pascal@20313
|
351
|
pascal@20313
|
352 + -z tcp_stealth_secret
|
pascal@20313
|
353 + Specifies the shared secret which is needed to connect to a stealth
|
pascal@20313
|
354 + SSH TCP server. Any string specified will be truncated to or padded
|
pascal@20313
|
355 + with zeroes to 64 bytes. This option needs kernel support and is
|
pascal@20313
|
356 + therefore only available if the required setsockopt() call is
|
pascal@20313
|
357 + available.
|
pascal@20313
|
358 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
|
pascal@20313
|
359 + for details.
|
pascal@20313
|
360 +
|
pascal@20313
|
361 + IMPORTANT: This option should only be used for the purpose of
|
pascal@20313
|
362 + testing as other users could easily read out the secret from the
|
pascal@20313
|
363 + command line arguments. The TCPStealthSecret configuration option
|
pascal@20313
|
364 + is the preferred way of specifying the TCP Stealth secret.
|
pascal@20313
|
365 +
|
pascal@20313
|
366 ssh may additionally obtain configuration data from a per-user
|
pascal@20313
|
367 configuration file and a system-wide configuration file. The file format
|
pascal@20313
|
368 and configuration options are described in ssh_config(5).
|
pascal@20313
|
369 --- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400
|
pascal@20313
|
370 +++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500
|
pascal@20313
|
371 @@ -64,6 +64,7 @@
|
pascal@20313
|
372 .Op Fl S Ar ctl_path
|
pascal@20313
|
373 .Op Fl W Ar host : Ns Ar port
|
pascal@20313
|
374 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
|
pascal@20313
|
375 +.Op Fl z Ar tcp_stealth_secret
|
pascal@20313
|
376 .Oo Ar user Ns @ Oc Ns Ar hostname
|
pascal@20313
|
377 .Op Ar command
|
pascal@20313
|
378 .Ek
|
pascal@20313
|
379 @@ -528,6 +529,7 @@ For full details of the options listed b
|
pascal@20313
|
380 .It StreamLocalBindUnlink
|
pascal@20313
|
381 .It StrictHostKeyChecking
|
pascal@20313
|
382 .It TCPKeepAlive
|
pascal@20313
|
383 +.It TCPStealthSecret
|
pascal@20313
|
384 .It Tunnel
|
pascal@20313
|
385 .It TunnelDevice
|
pascal@20313
|
386 .It UpdateHostKeys
|
pascal@20313
|
387 @@ -777,6 +779,21 @@ Send log information using the
|
pascal@20313
|
388 .Xr syslog 3
|
pascal@20313
|
389 system module.
|
pascal@20313
|
390 By default this information is sent to stderr.
|
pascal@20313
|
391 +.It Fl z Ar tcp_stealth_secret
|
pascal@20313
|
392 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
|
pascal@20313
|
393 +server. Any string specified will be truncated to or padded with zeroes to 64
|
pascal@20313
|
394 +bytes. This option needs kernel support and is therefore only available if the
|
pascal@20313
|
395 +required
|
pascal@20313
|
396 +.Xr setsockopt 2
|
pascal@20313
|
397 +call is available.
|
pascal@20313
|
398 +.Pp
|
pascal@20313
|
399 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
|
pascal@20313
|
400 +.Pp
|
pascal@20313
|
401 +.Cm IMPORTANT:
|
pascal@20313
|
402 +This option should only be used for the purpose of testing as other users could
|
pascal@20313
|
403 +easily read out the secret from the command line arguments. The
|
pascal@20313
|
404 +.Cm TCPStealthSecret
|
pascal@20313
|
405 +configuration option is the preferred way of specifying the TCP Stealth secret.
|
pascal@20313
|
406 .El
|
pascal@20313
|
407 .Pp
|
pascal@20313
|
408 .Nm
|
pascal@20313
|
409 --- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400
|
pascal@20313
|
410 +++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500
|
pascal@20313
|
411 @@ -919,6 +919,15 @@ DESCRIPTION
|
pascal@20313
|
412
|
pascal@20313
|
413 To disable TCP keepalive messages, the value should be set to no.
|
pascal@20313
|
414
|
pascal@20313
|
415 + TCPStealthSecret
|
pascal@20313
|
416 + Specifies the shared secret which is needed to connect to a stealth
|
pascal@20313
|
417 + SSH TCP Server. Any string specified will be truncated to or padded
|
pascal@20313
|
418 + with zeroes to 64 bytes. This option needs kernel support and is
|
pascal@20313
|
419 + therefore only available if the required setsockopt() call is
|
pascal@20313
|
420 + available.
|
pascal@20313
|
421 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
|
pascal@20313
|
422 + for details.
|
pascal@20313
|
423 +
|
pascal@20313
|
424 Tunnel Request tun(4) device forwarding between the client and the
|
pascal@20313
|
425 server. The argument must be yes, point-to-point (layer 3),
|
pascal@20313
|
426 ethernet (layer 2), or no (the default). Specifying yes requests
|
pascal@20313
|
427 --- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400
|
pascal@20313
|
428 +++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500
|
pascal@20313
|
429 @@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
|
pascal@20313
|
430 }
|
pascal@20313
|
431 fcntl(sock, F_SETFD, FD_CLOEXEC);
|
pascal@20313
|
432
|
pascal@20313
|
433 +#ifdef TCP_STEALTH
|
pascal@20313
|
434 + if (options.tcp_stealth_secret) {
|
pascal@20313
|
435 + if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
|
pascal@20313
|
436 + options.tcp_stealth_secret,
|
pascal@20313
|
437 + TCP_STEALTH_SECRET_SIZE) == -1) {
|
pascal@20313
|
438 + error("setsockopt TCP_STEALTH: %s", strerror(errno));
|
pascal@20313
|
439 + close(sock);
|
pascal@20313
|
440 + return -1;
|
pascal@20313
|
441 + }
|
pascal@20313
|
442 + }
|
pascal@20313
|
443 +#endif
|
pascal@20313
|
444 +
|
pascal@20313
|
445 /* Bind the socket to an alternative local IP address */
|
pascal@20313
|
446 if (options.bind_address == NULL && !privileged)
|
pascal@20313
|
447 return sock;
|
pascal@20313
|
448 --- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400
|
pascal@20313
|
449 +++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500
|
pascal@20313
|
450 @@ -53,6 +53,7 @@
|
pascal@20313
|
451 .Op Fl o Ar option
|
pascal@20313
|
452 .Op Fl p Ar port
|
pascal@20313
|
453 .Op Fl u Ar len
|
pascal@20313
|
454 +.Op Fl z Ar tcp_stealth_secret
|
pascal@20313
|
455 .Ek
|
pascal@20313
|
456 .Sh DESCRIPTION
|
pascal@20313
|
457 .Nm
|
pascal@20313
|
458 @@ -243,6 +244,24 @@ USER@HOST pattern in
|
pascal@20313
|
459 .Cm AllowUsers
|
pascal@20313
|
460 or
|
pascal@20313
|
461 .Cm DenyUsers .
|
pascal@20313
|
462 +.It Fl z Ar tcp_stealth_secret
|
pascal@20313
|
463 +Turns this SSH server into a stealth SSH TCP server. This option specifies the
|
pascal@20313
|
464 +shared secret which is needed by the clients in order to be able to connect to
|
pascal@20313
|
465 +the port the SSH server is listening on. Any string specified will be truncated
|
pascal@20313
|
466 +or padded with zeroes to 64 bytes. This option needs kernel support and is
|
pascal@20313
|
467 +therefore only available if the required
|
pascal@20313
|
468 +.Xr setsockopt 2
|
pascal@20313
|
469 +call is available.
|
pascal@20313
|
470 +.Pp
|
pascal@20313
|
471 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
|
pascal@20313
|
472 +
|
pascal@20313
|
473 +.Cm IMPORTANT:
|
pascal@20313
|
474 +This option should only be used for the purpose of
|
pascal@20313
|
475 +testing as other users could easily read out the secret from the
|
pascal@20313
|
476 +command line arguments. The
|
pascal@20313
|
477 +.Cm TCPStealthSecret
|
pascal@20313
|
478 +configuration option
|
pascal@20313
|
479 +is the preferred way of specifying the TCP Stealth secret.
|
pascal@20313
|
480 .El
|
pascal@20313
|
481 .Sh AUTHENTICATION
|
pascal@20313
|
482 The OpenSSH SSH daemon supports SSH protocol 2 only.
|
pascal@20313
|
483 --- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400
|
pascal@20313
|
484 +++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500
|
pascal@20313
|
485 @@ -872,6 +872,19 @@ DESCRIPTION
|
pascal@20313
|
486
|
pascal@20313
|
487 To disable TCP keepalive messages, the value should be set to no.
|
pascal@20313
|
488
|
pascal@20313
|
489 + TCPStealthSecret
|
pascal@20313
|
490 + Turns this SSH server into a stealth SSH TCP server. This
|
pascal@20313
|
491 + configuration option specifies the shared secret needed by the
|
pascal@20313
|
492 + clients in order to be able to connect to the port the SSH server
|
pascal@20313
|
493 + is listening on. This means that port scanners will receive a
|
pascal@20313
|
494 + TCP RST and thus will not recognize this TCP port being open.
|
pascal@20313
|
495 +
|
pascal@20313
|
496 + Any string specified will be truncated or padded with zeroes to 64
|
pascal@20313
|
497 + bytes. This option needs kernel support and is therefore only
|
pascal@20313
|
498 + available if the required setsockopt() call is available.
|
pascal@20313
|
499 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
|
pascal@20313
|
500 + for details.
|
pascal@20313
|
501 +
|
pascal@20313
|
502 TrustedUserCAKeys
|
pascal@20313
|
503 Specifies a file containing public keys of certificate
|
pascal@20313
|
504 authorities that are trusted to sign user certificates for