wok rev 20877

openssh: add ssh-copy-id (again)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Feb 23 23:59:15 2019 +0100 (2019-02-23)
parents 07197587ca55
children 8244d340f239
files openssh-pam/receipt openssh/receipt openssh/stuff/knock.u
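--- a/openssh-pam/receipt
+++ b/openssh-pam/receipt
@@ -22,7 +22,7 @@
 # Rules to configure and make the package.
 compile_rules()
 {
-	patch -p1 < ../$SOURCE/stuff/knock.u
+	patch -p1 < $wanted_stuff/knock.u
 	unset LD # for cross compiling with --disable-strip
 	./configure \
 		--prefix=/usr \
@@ -40,7 +40,7 @@
 	install -m 644 $src/[A-Z][A-Z]* $DESTDIR/usr/share/doc
 	cd contrib &&
 	cc -Wall $(pkg-config --cflags gtk+-2.0) gnome-ssh-askpass2.c \
-		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) &&
+		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) -lX11 &&
 	cp gnome-ssh-askpass $DESTDIR/usr/bin/ssh-askpass
 }
 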
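Review bot: `patch -p1 < $wanted_stuff/knock.u` in compile_rules() is not checked for failure, so if the knock patch stops applying (its hunk offsets are tied to one OpenSSH release, which is exactly what the knock.u refresh in this same commit had to fix) the build carries on and produces an unpatched OpenSSH without any signal that the TCP_STEALTH change was dropped. Make the step fatal and quote the path, `patch -p1 < "$wanted_stuff/knock.u" || return 1`, in line with the `&&` chaining the later part of the function already uses. compile_rules() continues past the end of this hunk, so I cannot see whether a later step would catch the missing patch.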
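--- a/openssh/receipt
+++ b/openssh/receipt
@@ -40,7 +40,7 @@
 	install -m 644 $src/[A-Z][A-Z]* $DESTDIR/usr/share/doc
 	cd contrib &&
 	cc -Wall $(pkg-config --cflags gtk+-2.0) gnome-ssh-askpass2.c \
-		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) &&
+		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) -lX11 &&
 	cp gnome-ssh-askpass $DESTDIR/usr/bin/ssh-askpass
 }
 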
     3.1 --- a/openssh/stuff/knock.u	Sat Feb 23 23:00:18 2019 +0100
     3.2 +++ b/openssh/stuff/knock.u	Sat Feb 23 23:59:15 2019 +0100
     3.3 @@ -2,29 +2,29 @@
     3.4  https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
     3.5  --- a/readconf.c
     3.6  +++ b/readconf.c
     3.7 -@@ -172,6 +172,9 @@
     3.8 +@@ -173,6 +173,9 @@
     3.9   	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    3.10   	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
    3.11 - 	oPubkeyAcceptedKeyTypes, oProxyJump,
    3.12 + 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
    3.13  +#ifdef TCP_STEALTH
    3.14  +	oTCPStealthSecret,
    3.15  +#endif
    3.16   	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
    3.17   } OpCodes;
    3.18   
    3.19 -@@ -305,6 +308,9 @@
    3.20 +@@ -309,6 +312,9 @@
    3.21   	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    3.22   	{ "ignoreunknown", oIgnoreUnknown },
    3.23   	{ "proxyjump", oProxyJump },
    3.24  +#ifdef TCP_STEALTH
    3.25 -+	{ "tcpstealthsecret", oTCPStealthSecret },
    3.26 ++	oTCPStealthSecret,
    3.27  +#endif
    3.28   
    3.29   	{ NULL, oBadOption }
    3.30   };
    3.31 -@@ -1669,6 +1675,23 @@
    3.32 - 		charptr = &options->identity_agent;
    3.33 - 		goto parse_string;
    3.34 +@@ -1722,6 +1728,23 @@
    3.35 + 			*charptr = xstrdup(arg);
    3.36 + 		break;
    3.37   
    3.38  +#ifdef TCP_STEALTH
    3.39  +	case oTCPStealthSecret:
    3.40 @@ -46,7 +46,7 @@
    3.41   	case oDeprecated:
    3.42   		debug("%s line %d: Deprecated option \"%s\"",
    3.43   		    filename, linenum, keyword);
    3.44 -@@ -1869,6 +1892,9 @@
    3.45 +@@ -1926,6 +1949,9 @@
    3.46   	options->update_hostkeys = -1;
    3.47   	options->hostbased_key_types = NULL;
    3.48   	options->pubkey_key_types = NULL;
    3.49 @@ -58,7 +58,7 @@
    3.50   /*
    3.51  --- a/readconf.h
    3.52  +++ b/readconf.h
    3.53 -@@ -164,6 +164,10 @@
    3.54 +@@ -166,6 +166,10 @@
    3.55   	char   *jump_extra;
    3.56   
    3.57   	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
    3.58 @@ -71,7 +71,7 @@
    3.59   #define SSH_CANONICALISE_NO	0
    3.60  --- a/servconf.c
    3.61  +++ b/servconf.c
    3.62 -@@ -165,6 +165,9 @@
    3.63 +@@ -180,6 +180,9 @@
    3.64   	options->fingerprint_hash = -1;
    3.65   	options->disable_forwarding = -1;
    3.66   	options->expose_userauth_info = -1;
    3.67 @@ -81,29 +81,29 @@
    3.68   }
    3.69   
    3.70   /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
    3.71 -@@ -422,6 +425,9 @@
    3.72 +@@ -497,6 +500,9 @@
    3.73   	sStreamLocalBindMask, sStreamLocalBindUnlink,
    3.74   	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
    3.75 - 	sExposeAuthInfo,
    3.76 + 	sExposeAuthInfo, sRDomain,
    3.77  +#ifdef TCP_STEALTH
    3.78  +	sTCPStealthSecret,
    3.79  +#endif
    3.80   	sDeprecated, sIgnore, sUnsupported
    3.81   } ServerOpCodes;
    3.82   
    3.83 -@@ -566,6 +572,9 @@
    3.84 - 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
    3.85 - 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
    3.86 +@@ -645,6 +651,9 @@
    3.87   	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
    3.88 + 	{ "rdomain", sRDomain, SSHCFG_ALL },
    3.89 + 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
    3.90  +#ifdef TCP_STEALTH
    3.91  +	{ "tcpstealthsecret", sTCPStealthSecret },
    3.92  +#endif
    3.93   	{ NULL, sBadOption, 0 }
    3.94   };
    3.95   
    3.96 -@@ -1883,6 +1892,23 @@
    3.97 - 		intptr = &options->expose_userauth_info;
    3.98 - 		goto parse_flag;
    3.99 +@@ -2149,6 +2158,23 @@
   3.100 + 			*charptr = xstrdup(arg);
   3.101 + 		break;
   3.102   
   3.103  +#ifdef TCP_STEALTH
   3.104  +	case sTCPStealthSecret:
   3.105 @@ -127,18 +127,17 @@
   3.106   	case sUnsupported:
   3.107  --- a/servconf.h
   3.108  +++ b/servconf.h
   3.109 -@@ -198,6 +198,10 @@
   3.110 - 
   3.111 +@@ -210,6 +210,9 @@
   3.112   	int	fingerprint_hash;
   3.113   	int	expose_userauth_info;
   3.114 -+
   3.115 + 	u_int64_t timing_secret;
   3.116  +#ifdef TCP_STEALTH
   3.117  +	char	*tcp_stealth_secret;
   3.118  +#endif
   3.119   }       ServerOptions;
   3.120   
   3.121   /* Information about the incoming connection as used by Match */
   3.122 -@@ -219,6 +223,11 @@
   3.123 +@@ -232,6 +235,11 @@
   3.124    * NB. an option must appear in servconf.c:copy_set_server_options() or
   3.125    * COPY_MATCH_STRING_OPTS here but never both.
   3.126    */
   3.127 @@ -150,205 +149,32 @@
   3.128   #define COPY_MATCH_STRING_OPTS() do { \
   3.129   		M_CP_STROPT(banner); \
   3.130   		M_CP_STROPT(trusted_user_ca_keys); \
   3.131 -@@ -238,6 +247,7 @@
   3.132 - 		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
   3.133 +@@ -255,6 +263,7 @@
   3.134   		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
   3.135 - 		M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
   3.136 + 		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
   3.137 + 		M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
   3.138  +		M_CP_STEALTHSCRT(tcp_stealth_secret); \
   3.139   	} while (0)
   3.140   
   3.141   struct connection_info *get_connection_info(int, int);
   3.142 ---- a/ssh.c
   3.143 -+++ b/ssh.c
   3.144 -@@ -191,6 +191,14 @@
   3.145 - extern int muxserver_sock;
   3.146 - extern u_int muxclient_command;
   3.147 - 
   3.148 -+#ifdef TCP_STEALTH
   3.149 -+#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.150 -+#define GETOPT_STEALTH	"z:"
   3.151 -+#else
   3.152 -+#define OPT_STEALTH	""
   3.153 -+#define GETOPT_STEALTH	""
   3.154 -+#endif
   3.155 -+
   3.156 - /* Prints a help message to the user.  This function never returns. */
   3.157 - 
   3.158 - static void
   3.159 -@@ -203,7 +211,7 @@
   3.160 - "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
   3.161 - "           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
   3.162 - "           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
   3.163 --"           [user@]hostname [command]\n"
   3.164 -+"           " OPT_STEALTH "[user@]hostname [command]\n"
   3.165 - 	);
   3.166 - 	exit(255);
   3.167 - }
   3.168 -@@ -612,7 +620,7 @@
   3.169 - 
   3.170 -  again:
   3.171 - 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.172 --	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.173 -+	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.174 - 		switch (opt) {
   3.175 - 		case '1':
   3.176 - 			fatal("SSH protocol v.1 is no longer supported");
   3.177 -@@ -921,6 +929,14 @@
   3.178 - 		case 'F':
   3.179 - 			config = optarg;
   3.180 - 			break;
   3.181 -+#ifdef TCP_STEALTH
   3.182 -+		case 'z':
   3.183 -+			options.tcp_stealth_secret =
   3.184 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.185 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.186 -+				TCP_STEALTH_SECRET_SIZE);
   3.187 -+			break;
   3.188 -+#endif
   3.189 - 		default:
   3.190 - 			usage();
   3.191 - 		}
   3.192 ---- a/sshd.c
   3.193 -+++ b/sshd.c
   3.194 -@@ -896,6 +896,14 @@
   3.195 - 	return (r < p) ? 1 : 0;
   3.196 - }
   3.197 - 
   3.198 -+#ifdef TCP_STEALTH
   3.199 -+#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.200 -+#define GETOPT_STEALTH	"z:"
   3.201 -+#else
   3.202 -+#define OPT_STEALTH	""
   3.203 -+#define GETOPT_STEALTH	""
   3.204 -+#endif
   3.205 -+
   3.206 - static void
   3.207 - usage(void)
   3.208 - {
   3.209 -@@ -911,6 +919,7 @@
   3.210 - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.211 - "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.212 - "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.213 -+"            " OPT_STEALTH "\n"
   3.214 - 	);
   3.215 - 	exit(1);
   3.216 - }
   3.217 -@@ -1057,6 +1066,15 @@
   3.218 - 		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
   3.219 - 		    &on, sizeof(on)) == -1)
   3.220 - 			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
   3.221 -+#ifdef TCP_STEALTH
   3.222 -+		if (options.tcp_stealth_secret != NULL) {
   3.223 -+			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.224 -+			    options.tcp_stealth_secret,
   3.225 -+			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.226 -+				error("setsockopt TCP_STEALTH: %s",
   3.227 -+				      strerror(errno));
   3.228 -+		}
   3.229 -+#endif
   3.230 - 
   3.231 - 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.232 - 		if (ai->ai_family == AF_INET6)
   3.233 -@@ -1404,7 +1422,7 @@
   3.234 - 
   3.235 - 	/* Parse command-line arguments. */
   3.236 - 	while ((opt = getopt(ac, av,
   3.237 --	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.238 -+	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.239 - 		switch (opt) {
   3.240 - 		case '4':
   3.241 - 			options.address_family = AF_INET;
   3.242 -@@ -1512,6 +1530,14 @@
   3.243 - 				exit(1);
   3.244 - 			free(line);
   3.245 - 			break;
   3.246 -+#ifdef TCP_STEALTH
   3.247 -+		case 'z':
   3.248 -+			options.tcp_stealth_secret =
   3.249 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.250 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.251 -+				TCP_STEALTH_SECRET_SIZE);
   3.252 -+			break;
   3.253 -+#endif
   3.254 - 		case '?':
   3.255 - 		default:
   3.256 - 			usage();
   3.257 ---- a/ssh_config.5
   3.258 -+++ b/ssh_config.5
   3.259 -@@ -1509,6 +1509,15 @@
   3.260 - .Pp
   3.261 - To disable TCP keepalive messages, the value should be set to
   3.262 - .Cm no .
   3.263 -+.It Cm TCPStealthSecret
   3.264 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.265 -+Server. Any string specified will be truncated to or padded with zeroes to 64
   3.266 -+bytes. This option needs kernel support and is therefore only available if the
   3.267 -+required
   3.268 -+.Xr setsockopt 2
   3.269 -+call is available.
   3.270 -+.Pp
   3.271 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.272 - .It Cm Tunnel
   3.273 - Request
   3.274 - .Xr tun 4
   3.275 ---- a/sshd_config.5
   3.276 -+++ b/sshd_config.5
   3.277 -@@ -1444,6 +1444,18 @@
   3.278 - .Pp
   3.279 - To disable TCP keepalive messages, the value should be set to
   3.280 - .Cm no .
   3.281 -+.It Cm TCPStealthSecret
   3.282 -+Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.283 -+specifies the shared secret needed by the clients in order to be able to connect
   3.284 -+to the port the SSH server is listening on. This means that port scanners will
   3.285 -+receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.286 -+string specified will be truncated or padded with zeroes to 64 bytes. This
   3.287 -+option needs kernel support and is therefore only available if the required
   3.288 -+.Xr setsockopt 2
   3.289 -+call is available.
   3.290 -+.Pp
   3.291 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.292 -+
   3.293 - .It Cm TrustedUserCAKeys
   3.294 - Specifies a file containing public keys of certificate authorities that are
   3.295 - trusted to sign user certificates for authentication, or
   3.296 ---- a/sshd.0
   3.297 -+++ b/sshd.0
   3.298 -@@ -7,6 +7,7 @@
   3.299 -      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.300 -           [-E log_file] [-f config_file] [-g login_grace_time]
   3.301 -           [-h host_key_file] [-o option] [-p port] [-u len]
   3.302 -+          [-z tcp_stealth_secret]
   3.303 +--- a/ssh.0
   3.304 ++++ b/ssh.0
   3.305 +@@ -9,8 +9,8 @@
   3.306 +          [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
   3.307 +          [-J destination] [-L address] [-l login_name] [-m mac_spec]
   3.308 +          [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
   3.309 +-         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
   3.310 +-         [command]
   3.311 ++         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 
   3.312 ++         [-z tcp_stealth_secret] destination [command]
   3.313   
   3.314   DESCRIPTION
   3.315 -      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.316 -@@ -121,6 +122,20 @@
   3.317 -              from="pattern-list" option in a key file.  Configuration options
   3.318 -              that require DNS include using a USER@HOST pattern in AllowUsers
   3.319 -              or DenyUsers.
   3.320 -+     -z tcp_stealth_secret
   3.321 -+             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.322 -+             specifies the shared secret which is needed by the clients in order
   3.323 -+             to be able to connect to the port the SSH server is listening on.
   3.324 -+             Any string specified will be truncated or padded with zeroes to 64
   3.325 -+             bytes. This option needs kernel support and is therefore only
   3.326 -+             available if the required setsockopt() call is available.
   3.327 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.328 -+             for details.
   3.329 -+
   3.330 -+             IMPORTANT: This option should only be used for the purpose of
   3.331 -+             testing as other users could easily read out the secret from the
   3.332 -+             command line arguments. The TCPStealthSecret configuration option
   3.333 -+             is the preferred way of specifying the TCP Stealth secret.
   3.334 +      ssh (SSH client) is a program for logging into a remote machine and for
   3.335 +@@ -436,6 +436,20 @@
   3.336   
   3.337 - AUTHENTICATION
   3.338 -      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.339 ---- openssh-6.7p1/ssh.0	2014-10-05 23:39:37.000000000 -0400
   3.340 -+++ openssh-6.7p1-knock/ssh.0	2014-11-05 20:35:44.216514377 -0500
   3.341 -@@ -425,6 +425,20 @@ DESCRIPTION
   3.342        -y      Send log information using the syslog(3) system module.  By
   3.343                default this information is sent to stderr.
   3.344 - 
   3.345 ++
   3.346  +     -z tcp_stealth_secret
   3.347  +             Specifies the shared secret which is needed to connect to a stealth
   3.348  +             SSH TCP server. Any string specified will be truncated to or padded
   3.349 @@ -362,21 +188,20 @@
   3.350  +             testing as other users could easily read out the secret from the
   3.351  +             command line arguments. The TCPStealthSecret configuration option
   3.352  +             is the preferred way of specifying the TCP Stealth secret.
   3.353 -+
   3.354 + 
   3.355        ssh may additionally obtain configuration data from a per-user
   3.356        configuration file and a system-wide configuration file.  The file format
   3.357 -      and configuration options are described in ssh_config(5).
   3.358 ---- openssh-6.7p1/ssh.1	2014-07-29 22:32:28.000000000 -0400
   3.359 -+++ openssh-6.7p1-knock/ssh.1	2014-11-07 13:56:02.022226289 -0500
   3.360 +--- a/ssh.1
   3.361 ++++ b/ssh.1
   3.362  @@ -64,6 +64,7 @@
   3.363   .Op Fl S Ar ctl_path
   3.364   .Op Fl W Ar host : Ns Ar port
   3.365   .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
   3.366  +.Op Fl z Ar tcp_stealth_secret
   3.367 - .Oo Ar user Ns @ Oc Ns Ar hostname
   3.368 + .Ar destination
   3.369   .Op Ar command
   3.370 - .Ek
   3.371 -@@ -528,6 +529,7 @@ For full details of the options listed b
   3.372 + .Sh DESCRIPTION
   3.373 +@@ -536,6 +537,7 @@
   3.374   .It StreamLocalBindUnlink
   3.375   .It StrictHostKeyChecking
   3.376   .It TCPKeepAlive
   3.377 @@ -384,7 +209,7 @@
   3.378   .It Tunnel
   3.379   .It TunnelDevice
   3.380   .It UpdateHostKeys
   3.381 -@@ -777,6 +779,21 @@ Send log information using the
   3.382 +@@ -795,6 +797,21 @@
   3.383   .Xr syslog 3
   3.384   system module.
   3.385   By default this information is sent to stderr.
   3.386 @@ -406,11 +231,61 @@
   3.387   .El
   3.388   .Pp
   3.389   .Nm
   3.390 ---- openssh-6.7p1/ssh_config.0	2014-10-05 23:39:38.000000000 -0400
   3.391 -+++ openssh-6.7p1-knock/ssh_config.0	2014-11-05 20:48:17.064514377 -0500
   3.392 -@@ -919,6 +919,15 @@ DESCRIPTION
   3.393 +--- a/ssh.c
   3.394 ++++ b/ssh.c
   3.395 +@@ -190,6 +190,14 @@
   3.396 + extern int muxserver_sock;
   3.397 + extern u_int muxclient_command;
   3.398   
   3.399 ++#ifdef TCP_STEALTH
   3.400 ++#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.401 ++#define GETOPT_STEALTH	"z:"
   3.402 ++#else
   3.403 ++#define OPT_STEALTH	""
   3.404 ++#define GETOPT_STEALTH	""
   3.405 ++#endif
   3.406 ++
   3.407 + /* Prints a help message to the user.  This function never returns. */
   3.408 + 
   3.409 + static void
   3.410 +@@ -202,7 +210,7 @@
   3.411 + "           [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
   3.412 + "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
   3.413 + "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
   3.414 +-"           [-w local_tun[:remote_tun]] destination [command]\n"
   3.415 ++"           [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
   3.416 + 	);
   3.417 + 	exit(255);
   3.418 + }
   3.419 +@@ -657,7 +665,7 @@
   3.420 + 
   3.421 +  again:
   3.422 + 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.423 +-	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.424 ++	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.425 + 		switch (opt) {
   3.426 + 		case '1':
   3.427 + 			fatal("SSH protocol v.1 is no longer supported");
   3.428 +@@ -979,6 +987,14 @@
   3.429 + 		case 'F':
   3.430 + 			config = optarg;
   3.431 + 			break;
   3.432 ++#ifdef TCP_STEALTH
   3.433 ++		case 'z':
   3.434 ++			options.tcp_stealth_secret =
   3.435 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.436 ++			strncpy(options.tcp_stealth_secret, optarg,
   3.437 ++				TCP_STEALTH_SECRET_SIZE);
   3.438 ++			break;
   3.439 ++#endif
   3.440 + 		default:
   3.441 + 			usage();
   3.442 + 		}
   3.443 +--- a/ssh_config.0
   3.444 ++++ b/ssh_config.0
   3.445 +@@ -945,6 +945,15 @@
   3.446                To disable TCP keepalive messages, the value should be set to no.
   3.447 +              See also ServerAliveInterval for protocol-level keepalives.
   3.448   
   3.449  +     TCPStealthSecret
   3.450  +             Specifies the shared secret which is needed to connect to a stealth
   3.451 @@ -424,9 +299,27 @@
   3.452        Tunnel  Request tun(4) device forwarding between the client and the
   3.453                server.  The argument must be yes, point-to-point (layer 3),
   3.454                ethernet (layer 2), or no (the default).  Specifying yes requests
   3.455 ---- openssh-6.7p1/sshconnect.c	2014-07-18 00:11:26.000000000 -0400
   3.456 -+++ openssh-6.7p1-knock/sshconnect.c	2014-11-07 14:07:11.342196835 -0500
   3.457 -@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
   3.458 +--- a/ssh_config.5
   3.459 ++++ b/ssh_config.5
   3.460 +@@ -1548,6 +1548,15 @@
   3.461 + See also
   3.462 + .Cm ServerAliveInterval
   3.463 + for protocol-level keepalives.
   3.464 ++.It Cm TCPStealthSecret
   3.465 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.466 ++Server. Any string specified will be truncated to or padded with zeroes to 64
   3.467 ++bytes. This option needs kernel support and is therefore only available if the
   3.468 ++required
   3.469 ++.Xr setsockopt 2
   3.470 ++call is available.
   3.471 ++.Pp
   3.472 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.473 + .It Cm Tunnel
   3.474 + Request
   3.475 + .Xr tun 4
   3.476 +--- a/sshconnect.c
   3.477 ++++ b/sshconnect.c
   3.478 +@@ -349,6 +349,18 @@
   3.479   	}
   3.480   	fcntl(sock, F_SETFD, FD_CLOEXEC);
   3.481   
   3.482 @@ -443,10 +336,41 @@
   3.483  +#endif
   3.484  +
   3.485   	/* Bind the socket to an alternative local IP address */
   3.486 - 	if (options.bind_address == NULL && !privileged)
   3.487 + 	if (options.bind_address == NULL && options.bind_interface == NULL)
   3.488   		return sock;
   3.489 ---- openssh-6.7p1/sshd.8	2014-07-03 19:00:04.000000000 -0400
   3.490 -+++ openssh-6.7p1-knock/sshd.8	2014-11-07 14:00:14.506215178 -0500
   3.491 +--- a/sshd.0
   3.492 ++++ b/sshd.0
   3.493 +@@ -7,6 +7,7 @@
   3.494 +      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.495 +           [-E log_file] [-f config_file] [-g login_grace_time]
   3.496 +           [-h host_key_file] [-o option] [-p port] [-u len]
   3.497 ++          [-z tcp_stealth_secret]
   3.498 + 
   3.499 + DESCRIPTION
   3.500 +      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.501 +@@ -122,6 +123,20 @@
   3.502 +              from="pattern-list" option in a key file.  Configuration options
   3.503 +              that require DNS include using a USER@HOST pattern in AllowUsers
   3.504 +              or DenyUsers.
   3.505 ++     -z tcp_stealth_secret
   3.506 ++             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.507 ++             specifies the shared secret which is needed by the clients in order
   3.508 ++             to be able to connect to the port the SSH server is listening on.
   3.509 ++             Any string specified will be truncated or padded with zeroes to 64
   3.510 ++             bytes. This option needs kernel support and is therefore only
   3.511 ++             available if the required setsockopt() call is available.
   3.512 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.513 ++             for details.
   3.514 ++
   3.515 ++             IMPORTANT: This option should only be used for the purpose of
   3.516 ++             testing as other users could easily read out the secret from the
   3.517 ++             command line arguments. The TCPStealthSecret configuration option
   3.518 ++             is the preferred way of specifying the TCP Stealth secret.
   3.519 + 
   3.520 + AUTHENTICATION
   3.521 +      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.522 +--- a/sshd.8
   3.523 ++++ b/sshd.8
   3.524  @@ -53,6 +53,7 @@
   3.525   .Op Fl o Ar option
   3.526   .Op Fl p Ar port
   3.527 @@ -455,7 +379,7 @@
   3.528   .Ek
   3.529   .Sh DESCRIPTION
   3.530   .Nm
   3.531 -@@ -243,6 +244,24 @@ USER@HOST pattern in
   3.532 +@@ -244,6 +245,24 @@
   3.533   .Cm AllowUsers
   3.534   or
   3.535   .Cm DenyUsers .
   3.536 @@ -480,9 +404,75 @@
   3.537   .El
   3.538   .Sh AUTHENTICATION
   3.539   The OpenSSH SSH daemon supports SSH protocol 2 only.
   3.540 ---- openssh-6.7p1/sshd_config.0	2014-10-05 23:39:38.000000000 -0400
   3.541 -+++ openssh-6.7p1-knock/sshd_config.0	2014-11-07 14:01:07.530212845 -0500
   3.542 -@@ -872,6 +872,19 @@ DESCRIPTION
   3.543 +--- a/sshd.c
   3.544 ++++ b/sshd.c
   3.545 +@@ -911,6 +911,14 @@
   3.546 + 	return (r < p) ? 1 : 0;
   3.547 + }
   3.548 + 
   3.549 ++#ifdef TCP_STEALTH
   3.550 ++#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.551 ++#define GETOPT_STEALTH	"z:"
   3.552 ++#else
   3.553 ++#define OPT_STEALTH	""
   3.554 ++#define GETOPT_STEALTH	""
   3.555 ++#endif
   3.556 ++
   3.557 + static void
   3.558 + usage(void)
   3.559 + {
   3.560 +@@ -926,6 +934,7 @@
   3.561 + "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.562 + "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.563 + "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.564 ++"            " OPT_STEALTH "\n"
   3.565 + 	);
   3.566 + 	exit(1);
   3.567 + }
   3.568 +@@ -1075,6 +1084,16 @@
   3.569 + 			continue;
   3.570 + 		}
   3.571 + 
   3.572 ++#ifdef TCP_STEALTH
   3.573 ++		if (options.tcp_stealth_secret != NULL) {
   3.574 ++			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.575 ++			    options.tcp_stealth_secret,
   3.576 ++			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.577 ++				error("setsockopt TCP_STEALTH: %s",
   3.578 ++				      strerror(errno));
   3.579 ++		}
   3.580 ++#endif
   3.581 ++
   3.582 + 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.583 + 		if (ai->ai_family == AF_INET6)
   3.584 + 			sock_set_v6only(listen_sock);
   3.585 +@@ -1515,7 +1534,7 @@
   3.586 + 
   3.587 + 	/* Parse command-line arguments. */
   3.588 + 	while ((opt = getopt(ac, av,
   3.589 +-	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.590 ++	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.591 + 		switch (opt) {
   3.592 + 		case '4':
   3.593 + 			options.address_family = AF_INET;
   3.594 +@@ -1616,6 +1635,14 @@
   3.595 + 				exit(1);
   3.596 + 			free(line);
   3.597 + 			break;
   3.598 ++#ifdef TCP_STEALTH
   3.599 ++		case 'z':
   3.600 ++			options.tcp_stealth_secret =
   3.601 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.602 ++			strncpy(options.tcp_stealth_secret, optarg,
   3.603 ++				TCP_STEALTH_SECRET_SIZE);
   3.604 ++			break;
   3.605 ++#endif
   3.606 + 		case '?':
   3.607 + 		default:
   3.608 + 			usage();
   3.609 +--- a/sshd_config.0
   3.610 ++++ b/sshd_config.0
   3.611 +@@ -937,6 +937,19 @@
   3.612   
   3.613                To disable TCP keepalive messages, the value should be set to no.
   3.614   
   3.615 @@ -502,3 +492,24 @@
   3.616        TrustedUserCAKeys
   3.617                Specifies a file containing public keys of certificate
   3.618                authorities that are trusted to sign user certificates for
   3.619 +--- a/sshd_config.5
   3.620 ++++ b/sshd_config.5
   3.621 +@@ -1567,6 +1567,18 @@
   3.622 + .Pp
   3.623 + To disable TCP keepalive messages, the value should be set to
   3.624 + .Cm no .
   3.625 ++.It Cm TCPStealthSecret
   3.626 ++Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.627 ++specifies the shared secret needed by the clients in order to be able to connect
   3.628 ++to the port the SSH server is listening on. This means that port scanners will
   3.629 ++receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.630 ++string specified will be truncated or padded with zeroes to 64 bytes. This
   3.631 ++option needs kernel support and is therefore only available if the required
   3.632 ++.Xr setsockopt 2
   3.633 ++call is available.
   3.634 ++.Pp
   3.635 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.636 ++
   3.637 + .It Cm TrustedUserCAKeys
   3.638 + Specifies a file containing public keys of certificate authorities that are
   3.639 + trusted to sign user certificates for authentication, or
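Review bot: The first hunk of knock.u breaks the client keyword table: in the readconf.c `keywords[]` initializer, whose entries are `{ "name", opcode }` pairs terminated by `{ NULL, oBadOption }`, the entry `{ "tcpstealthsecret", oTCPStealthSecret },` has been replaced with a bare `oTCPStealthSecret,` (apparently copied from the OpCodes enum hunk just above). A lone enumerator there is at best an int-to-pointer initializer for the `name` member that then swallows the sentinel, and in any case the `TCPStealthSecret` option that the patched ssh_config.5 still documents is no longer recognised, so ssh would reject it as a bad configuration option; restore `{ "tcpstealthsecret", oTCPStealthSecret },`. The sshd.c listener code that this commit moves later in the file reports a failed `setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, ...)` with `error()` and keeps listening, so on a kernel without the knock extension a port the administrator configured as stealth is silently exposed; `fatal()` there would fail closed, which is what a knock secret is meant to guarantee. Both the `-z` handlers copy the secret with `strncpy` into an `xcalloc(TCP_STEALTH_SECRET_SIZE + 1, ...)` buffer, so termination is fine, but the secret is never cleared from memory after the setsockopt calls; `explicit_bzero` plus `free` after use would be the usual OpenSSH practice.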