wok view openssh/stuff/knock.u @ rev 20645

updated hostapd (2.6 -> 2.7)
author Hans-Günter Theisgen
date Fri Jan 11 16:39:21 2019 +0100 (2019-01-11)
parents
children 809015307697
1 From https://gnunet.org/knock :
2 https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
3 --- a/readconf.c
4 +++ b/readconf.c
5 @@ -172,6 +172,9 @@
6 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
7 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
8 oPubkeyAcceptedKeyTypes, oProxyJump,
9 +#ifdef TCP_STEALTH
10 + oTCPStealthSecret,
11 +#endif
12 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
13 } OpCodes;
15 @@ -305,6 +308,9 @@
16 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
17 { "ignoreunknown", oIgnoreUnknown },
18 { "proxyjump", oProxyJump },
19 +#ifdef TCP_STEALTH
20 + { "tcpstealthsecret", oTCPStealthSecret },
21 +#endif
23 { NULL, oBadOption }
24 };
25 @@ -1669,6 +1675,23 @@
26 charptr = &options->identity_agent;
27 goto parse_string;
29 +#ifdef TCP_STEALTH
30 + case oTCPStealthSecret:
31 + charptr = &options->tcp_stealth_secret;
32 +
33 + arg = strdelim(&s);
34 + if (!arg || *arg == '\0')
35 + fatal("%.200s line %d: Missing argument.",
36 + filename, linenum);
37 +
38 + if (*activep && *charptr == NULL) {
39 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
40 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
41 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
42 + }
43 +
44 + break;
45 +#endif
46 case oDeprecated:
47 debug("%s line %d: Deprecated option \"%s\"",
48 filename, linenum, keyword);
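Review bot: A secret longer than TCP_STEALTH_SECRET_SIZE is silently cut down by the strncpy in the oTCPStealthSecret case, and client and server only keep agreeing because both sides truncate identically; a user who configures a long passphrase gets no hint that only its first 64 bytes matter. Warn at parse time, before the copy: `if (strlen(arg) > TCP_STEALTH_SECRET_SIZE) error("%.200s line %d: TCPStealthSecret truncated to %d bytes.", filename, linenum, TCP_STEALTH_SECRET_SIZE);`. The xmalloc+memset pair can also be collapsed to the `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1)` form the -z handler in ssh.c uses, so the two client-side paths read the same. The enclosing process_config_line switch starts and ends outside the hunk.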
49 @@ -1869,6 +1892,9 @@
50 options->update_hostkeys = -1;
51 options->hostbased_key_types = NULL;
52 options->pubkey_key_types = NULL;
53 +#ifdef TCP_STEALTH
54 + options->tcp_stealth_secret = NULL;
55 +#endif
56 }
58 /*
59 --- a/readconf.h
60 +++ b/readconf.h
61 @@ -164,6 +164,10 @@
62 char *jump_extra;
64 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
65 +
66 +#ifdef TCP_STEALTH
67 + char *tcp_stealth_secret;
68 +#endif
69 } Options;
71 #define SSH_CANONICALISE_NO 0
72 --- a/servconf.c
73 +++ b/servconf.c
74 @@ -165,6 +165,9 @@
75 options->fingerprint_hash = -1;
76 options->disable_forwarding = -1;
77 options->expose_userauth_info = -1;
78 +#ifdef TCP_STEALTH
79 + options->tcp_stealth_secret = NULL;
80 +#endif
81 }
83 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
84 @@ -422,6 +425,9 @@
85 sStreamLocalBindMask, sStreamLocalBindUnlink,
86 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
87 sExposeAuthInfo,
88 +#ifdef TCP_STEALTH
89 + sTCPStealthSecret,
90 +#endif
91 sDeprecated, sIgnore, sUnsupported
92 } ServerOpCodes;
94 @@ -566,6 +572,9 @@
95 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
96 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
97 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
98 +#ifdef TCP_STEALTH
99 + { "tcpstealthsecret", sTCPStealthSecret },
100 +#endif
101 { NULL, sBadOption, 0 }
102 };
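Review bot: The new `{ "tcpstealthsecret", sTCPStealthSecret },` entry omits the third field every neighbouring keyword carries, so its flags default to 0 — neither SSHCFG_GLOBAL nor SSHCFG_ALL. As far as I recall, process_server_config_line consults those flags to decide whether a keyword may appear inside a Match block, so an unflagged keyword is at best handled inconsistently with the rest of the table. Since sshd applies the secret to the listen socket before any connection exists to match on (see the sshd.c hunk), this is a global-only option: `{ "tcpstealthsecret", sTCPStealthSecret, SSHCFG_GLOBAL },`.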
104 @@ -1883,6 +1892,23 @@
105 intptr = &options->expose_userauth_info;
106 goto parse_flag;
108 +#ifdef TCP_STEALTH
109 + case sTCPStealthSecret:
110 + charptr = &options->tcp_stealth_secret;
111 +
112 + arg = strdelim(&cp);
113 + if (!arg || *arg == '\0')
114 + fatal("%s line %d: Missing argument.",
115 + filename, linenum);
116 +
117 + if (*activep && *charptr == NULL) {
118 + *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
119 + memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
120 + strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
121 + }
122 +
123 + break;
124 +#endif
125 case sDeprecated:
126 case sIgnore:
127 case sUnsupported:
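Review bot: The sTCPStealthSecret case hand-rolls the allocate/zero/copy sequence (`xmalloc` + `memset` + `strncpy`) while the -z handlers in ssh.c and sshd.c use `xcalloc` for the same buffer; one idiom in all four places is easier to audit. A minimal version is `*charptr = xcalloc(TCP_STEALTH_SECRET_SIZE + 1, 1);` followed by the existing strncpy. Whichever form is kept, the zero fill is what guarantees both the NUL terminator and the zero padding the man page promises, so do not drop it in favour of a bare xmalloc. The enclosing process_server_config_line switch starts and ends outside the hunk.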
128 --- a/servconf.h
129 +++ b/servconf.h
130 @@ -198,6 +198,10 @@
132 int fingerprint_hash;
133 int expose_userauth_info;
134 +
135 +#ifdef TCP_STEALTH
136 + char *tcp_stealth_secret;
137 +#endif
138 } ServerOptions;
140 /* Information about the incoming connection as used by Match */
141 @@ -219,6 +223,11 @@
142 * NB. an option must appear in servconf.c:copy_set_server_options() or
143 * COPY_MATCH_STRING_OPTS here but never both.
144 */
145 +#ifdef TCP_STEALTH
146 +#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X);
147 +#else
148 +#define M_CP_STEALTHSCRT(X)
149 +#endif
150 #define COPY_MATCH_STRING_OPTS() do { \
151 M_CP_STROPT(banner); \
152 M_CP_STROPT(trusted_user_ca_keys); \
153 @@ -238,6 +247,7 @@
154 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
155 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
156 M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
157 + M_CP_STEALTHSCRT(tcp_stealth_secret); \
158 } while (0)
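Review bot: Adding `M_CP_STEALTHSCRT(tcp_stealth_secret)` to COPY_MATCH_STRING_OPTS implies TCPStealthSecret can be set per Match block, but the only consumer of the value in this patch is the setsockopt on the listen socket in sshd.c, which runs before any connection exists to match on, so a value copied out of a Match block can never reach the kernel. Unless there is a consumer I am not seeing, drop the macro and this line and keep the keyword global-only. If it stays, define it as `#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X)` without the trailing semicolon, since the use site already supplies one and the current form expands to `M_CP_STROPT(...);;`.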
160 struct connection_info *get_connection_info(int, int);
161 --- a/ssh.c
162 +++ b/ssh.c
163 @@ -191,6 +191,14 @@
164 extern int muxserver_sock;
165 extern u_int muxclient_command;
167 +#ifdef TCP_STEALTH
168 +#define OPT_STEALTH "[-z tcp_stealth_secret] "
169 +#define GETOPT_STEALTH "z:"
170 +#else
171 +#define OPT_STEALTH ""
172 +#define GETOPT_STEALTH ""
173 +#endif
174 +
175 /* Prints a help message to the user. This function never returns. */
177 static void
178 @@ -203,7 +211,7 @@
179 " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
180 " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
181 " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
182 -" [user@]hostname [command]\n"
183 +" " OPT_STEALTH "[user@]hostname [command]\n"
184 );
185 exit(255);
186 }
187 @@ -612,7 +620,7 @@
189 again:
190 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
191 - "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
192 + "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
193 switch (opt) {
194 case '1':
195 fatal("SSH protocol v.1 is no longer supported");
196 @@ -921,6 +929,14 @@
197 case 'F':
198 config = optarg;
199 break;
200 +#ifdef TCP_STEALTH
201 + case 'z':
202 + options.tcp_stealth_secret =
203 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
204 + strncpy(options.tcp_stealth_secret, optarg,
205 + TCP_STEALTH_SECRET_SIZE);
206 + break;
207 +#endif
208 default:
209 usage();
210 }
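Review bot: The -z case copies the secret out of `optarg` but leaves the original bytes in argv, so the secret stays readable through /proc/<pid>/cmdline and ps for the whole lifetime of the client, not just during option parsing. Overwriting the argument once it has been copied, `explicit_bzero(optarg, strlen(optarg));`, narrows the exposure to the moment before getopt runs; it cannot close it, so the man page's testing-only caveat still applies and should stay. A repeated -z also leaks the buffer from the first occurrence; `free(options.tcp_stealth_secret);` ahead of the xcalloc handles that. The enclosing getopt switch in main starts and ends outside the hunk.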
211 --- a/sshd.c
212 +++ b/sshd.c
213 @@ -896,6 +896,14 @@
214 return (r < p) ? 1 : 0;
215 }
217 +#ifdef TCP_STEALTH
218 +#define OPT_STEALTH " [-z tcp_stealth_secret]"
219 +#define GETOPT_STEALTH "z:"
220 +#else
221 +#define OPT_STEALTH ""
222 +#define GETOPT_STEALTH ""
223 +#endif
224 +
225 static void
226 usage(void)
227 {
228 @@ -911,6 +919,7 @@
229 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
230 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
231 " [-h host_key_file] [-o option] [-p port] [-u len]\n"
232 +" " OPT_STEALTH "\n"
233 );
234 exit(1);
235 }
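Review bot: The `" " OPT_STEALTH "\n"` line is compiled unconditionally, so a build without TCP_STEALTH prints a stray line consisting of a single space at the end of the usage text. Fold the leading whitespace and the newline into the macro so the line disappears together with the feature — `#define OPT_STEALTH " [-z tcp_stealth_secret]\n"` in the ifdef branch, `""` in the else — and append `OPT_STEALTH` directly after the `[-u len]\n"` string instead of this separate line. The real indentation of the continuation lines is not visible in this view, so match whatever the surrounding strings use.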
236 @@ -1057,6 +1066,15 @@
237 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
238 &on, sizeof(on)) == -1)
239 error("setsockopt SO_REUSEADDR: %s", strerror(errno));
240 +#ifdef TCP_STEALTH
241 + if (options.tcp_stealth_secret != NULL) {
242 + if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
243 + options.tcp_stealth_secret,
244 + TCP_STEALTH_SECRET_SIZE) == -1)
245 + error("setsockopt TCP_STEALTH: %s",
246 + strerror(errno));
247 + }
248 +#endif
250 /* Only communicate in IPv6 over AF_INET6 sockets. */
251 if (ai->ai_family == AF_INET6)
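Review bot: When the TCP_STEALTH setsockopt on listen_sock fails, the code logs with error() and carries on, so an sshd configured with TCPStealthSecret on a kernel that rejects the option (ENOPROTOOPT, or a TCP_STEALTH_SECRET_SIZE mismatch) ends up listening on an ordinary, fully visible port — the opposite of what the administrator asked for. The client side of this same patch already fails closed (sshconnect.c closes the socket and returns -1); the server should too: `fatal("setsockopt TCP_STEALTH: %s", strerror(errno));`. If a soft failure is genuinely wanted for some deployment, it should be an explicit opt-in rather than the silent default. The enclosing listen-socket setup loop starts and ends outside the hunk.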
252 @@ -1404,7 +1422,7 @@
254 /* Parse command-line arguments. */
255 while ((opt = getopt(ac, av,
256 - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
257 + GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
258 switch (opt) {
259 case '4':
260 options.address_family = AF_INET;
261 @@ -1512,6 +1530,14 @@
262 exit(1);
263 free(line);
264 break;
265 +#ifdef TCP_STEALTH
266 + case 'z':
267 + options.tcp_stealth_secret =
268 + xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
269 + strncpy(options.tcp_stealth_secret, optarg,
270 + TCP_STEALTH_SECRET_SIZE);
271 + break;
272 +#endif
273 case '?':
274 default:
275 usage();
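Review bot: A second -z on the sshd command line leaks the buffer from the first, because options.tcp_stealth_secret is overwritten without a free; `free(options.tcp_stealth_secret);` ahead of the xcalloc fixes that. The case is also redundant: `-o TCPStealthSecret=...` already reaches the sTCPStealthSecret parser via process_server_config_line, so -z adds duplicated code without new capability. If I read sshd's re-exec path correctly, the unmodified saved_argv is handed to every re-exec'd child, so the secret reappears in each child's argv and scrubbing optarg here would not help — another reason the man page's testing-only warning must stay prominent. The enclosing getopt switch in main starts and ends outside the hunk.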
276 --- a/ssh_config.5
277 +++ b/ssh_config.5
278 @@ -1509,6 +1509,15 @@
279 .Pp
280 To disable TCP keepalive messages, the value should be set to
281 .Cm no .
282 +.It Cm TCPStealthSecret
283 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
284 +Server. Any string specified will be truncated to or padded with zeroes to 64
285 +bytes. This option needs kernel support and is therefore only available if the
286 +required
287 +.Xr setsockopt 2
288 +call is available.
289 +.Pp
290 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
291 .It Cm Tunnel
292 Request
293 .Xr tun 4
294 --- a/sshd_config.5
295 +++ b/sshd_config.5
296 @@ -1444,6 +1444,18 @@
297 .Pp
298 To disable TCP keepalive messages, the value should be set to
299 .Cm no .
300 +.It Cm TCPStealthSecret
301 +Turns this SSH server into a stealth SSH TCP server. This configuration option
302 +specifies the shared secret needed by the clients in order to be able to connect
303 +to the port the SSH server is listening on. This means that port scanners will
304 +receive a TCP RST and thus will not recognize this TCP port being open. Any
305 +string specified will be truncated or padded with zeroes to 64 bytes. This
306 +option needs kernel support and is therefore only available if the required
307 +.Xr setsockopt 2
308 +call is available.
309 +.Pp
310 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
311 +
312 .It Cm TrustedUserCAKeys
313 Specifies a file containing public keys of certificate authorities that are
314 trusted to sign user certificates for authentication, or
315 --- a/sshd.0
316 +++ b/sshd.0
317 @@ -7,6 +7,7 @@
318 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
319 [-E log_file] [-f config_file] [-g login_grace_time]
320 [-h host_key_file] [-o option] [-p port] [-u len]
321 + [-z tcp_stealth_secret]
323 DESCRIPTION
324 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
325 @@ -121,6 +122,20 @@
326 from="pattern-list" option in a key file. Configuration options
327 that require DNS include using a USER@HOST pattern in AllowUsers
328 or DenyUsers.
329 + -z tcp_stealth_secret
330 + Turns this SSH server into a Stealth SSH TCP Server. This option
331 + specifies the shared secret which is needed by the clients in order
332 + to be able to connect to the port the SSH server is listening on.
333 + Any string specified will be truncated or padded with zeroes to 64
334 + bytes. This option needs kernel support and is therefore only
335 + available if the required setsockopt() call is available.
336 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
337 + for details.
338 +
339 + IMPORTANT: This option should only be used for the purpose of
340 + testing as other users could easily read out the secret from the
341 + command line arguments. The TCPStealthSecret configuration option
342 + is the preferred way of specifying the TCP Stealth secret.
344 AUTHENTICATION
345 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
346 --- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400
347 +++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500
348 @@ -425,6 +425,20 @@ DESCRIPTION
349 -y Send log information using the syslog(3) system module. By
350 default this information is sent to stderr.
352 + -z tcp_stealth_secret
353 + Specifies the shared secret which is needed to connect to a stealth
354 + SSH TCP server. Any string specified will be truncated to or padded
355 + with zeroes to 64 bytes. This option needs kernel support and is
356 + therefore only available if the required setsockopt() call is
357 + available.
358 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
359 + for details.
360 +
361 + IMPORTANT: This option should only be used for the purpose of
362 + testing as other users could easily read out the secret from the
363 + command line arguments. The TCPStealthSecret configuration option
364 + is the preferred way of specifying the TCP Stealth secret.
365 +
366 ssh may additionally obtain configuration data from a per-user
367 configuration file and a system-wide configuration file. The file format
368 and configuration options are described in ssh_config(5).
369 --- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400
370 +++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500
371 @@ -64,6 +64,7 @@
372 .Op Fl S Ar ctl_path
373 .Op Fl W Ar host : Ns Ar port
374 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
375 +.Op Fl z Ar tcp_stealth_secret
376 .Oo Ar user Ns @ Oc Ns Ar hostname
377 .Op Ar command
378 .Ek
379 @@ -528,6 +529,7 @@ For full details of the options listed b
380 .It StreamLocalBindUnlink
381 .It StrictHostKeyChecking
382 .It TCPKeepAlive
383 +.It TCPStealthSecret
384 .It Tunnel
385 .It TunnelDevice
386 .It UpdateHostKeys
387 @@ -777,6 +779,21 @@ Send log information using the
388 .Xr syslog 3
389 system module.
390 By default this information is sent to stderr.
391 +.It Fl z Ar tcp_stealth_secret
392 +Specifies the shared secret which is needed to connect to a stealth SSH TCP
393 +server. Any string specified will be truncated to or padded with zeroes to 64
394 +bytes. This option needs kernel support and is therefore only available if the
395 +required
396 +.Xr setsockopt 2
397 +call is available.
398 +.Pp
399 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
400 +.Pp
401 +.Cm IMPORTANT:
402 +This option should only be used for the purpose of testing as other users could
403 +easily read out the secret from the command line arguments. The
404 +.Cm TCPStealthSecret
405 +configuration option is the preferred way of specifying the TCP Stealth secret.
406 .El
407 .Pp
408 .Nm
409 --- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400
410 +++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500
411 @@ -919,6 +919,15 @@ DESCRIPTION
413 To disable TCP keepalive messages, the value should be set to no.
415 + TCPStealthSecret
416 + Specifies the shared secret which is needed to connect to a stealth
417 + SSH TCP Server. Any string specified will be truncated to or padded
418 + with zeroes to 64 bytes. This option needs kernel support and is
419 + therefore only available if the required setsockopt() call is
420 + available.
421 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
422 + for details.
423 +
424 Tunnel Request tun(4) device forwarding between the client and the
425 server. The argument must be yes, point-to-point (layer 3),
426 ethernet (layer 2), or no (the default). Specifying yes requests
427 --- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400
428 +++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500
429 @@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
430 }
431 fcntl(sock, F_SETFD, FD_CLOEXEC);
433 +#ifdef TCP_STEALTH
434 + if (options.tcp_stealth_secret) {
435 + if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
436 + options.tcp_stealth_secret,
437 + TCP_STEALTH_SECRET_SIZE) == -1) {
438 + error("setsockopt TCP_STEALTH: %s", strerror(errno));
439 + close(sock);
440 + return -1;
441 + }
442 + }
443 +#endif
444 +
445 /* Bind the socket to an alternative local IP address */
446 if (options.bind_address == NULL && !privileged)
447 return sock;
448 --- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400
449 +++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500
450 @@ -53,6 +53,7 @@
451 .Op Fl o Ar option
452 .Op Fl p Ar port
453 .Op Fl u Ar len
454 +.Op Fl z Ar tcp_stealth_secret
455 .Ek
456 .Sh DESCRIPTION
457 .Nm
458 @@ -243,6 +244,24 @@ USER@HOST pattern in
459 .Cm AllowUsers
460 or
461 .Cm DenyUsers .
462 +.It Fl z Ar tcp_stealth_secret
463 +Turns this SSH server into a stealth SSH TCP server. This option specifies the
464 +shared secret which is needed by the clients in order to be able to connect to
465 +the port the SSH server is listening on. Any string specified will be truncated
466 +or padded with zeroes to 64 bytes. This option needs kernel support and is
467 +therefore only available if the required
468 +.Xr setsockopt 2
469 +call is available.
470 +.Pp
471 +See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
472 +
473 +.Cm IMPORTANT:
474 +This option should only be used for the purpose of
475 +testing as other users could easily read out the secret from the
476 +command line arguments. The
477 +.Cm TCPStealthSecret
478 +configuration option
479 +is the preferred way of specifying the TCP Stealth secret.
480 .El
481 .Sh AUTHENTICATION
482 The OpenSSH SSH daemon supports SSH protocol 2 only.
483 --- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400
484 +++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500
485 @@ -872,6 +872,19 @@ DESCRIPTION
487 To disable TCP keepalive messages, the value should be set to no.
489 + TCPStealthSecret
490 + Turns this SSH server into a stealth SSH TCP server. This
491 + configuration option specifies the shared secret needed by the
492 + clients in order to be able to connect to the port the SSH server
493 + is listening on. This means that port scanners will receive a
494 + TCP RST and thus will not recognize this TCP port being open.
495 +
496 + Any string specified will be truncated or padded with zeroes to 64
497 + bytes. This option needs kernel support and is therefore only
498 + available if the required setsockopt() call is available.
499 + See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
500 + for details.
501 +
502 TrustedUserCAKeys
503 Specifies a file containing public keys of certificate
504 authorities that are trusted to sign user certificates for