OpenSSH Questions
Damien Miller
djm at mindrot.org
Tue Aug 15 11:07:50 EST 2000
On Fri, 11 Aug 2000, achanak wrote:
> Heya,
>
> I'm trying to convince my company to use OpenSSH instead of the
> commercial SSH version. I need a little help:
>
> 1. What features does OpenSSH offer over commercial SSH (besides
> being free and open source of course)?
>
> 2. Our lawyers want details on the licensing / patents stuff. I
> have the high level details from the OpenSSH page. I need the
> nitty gritty like RSA patent# and references, license statements
> for Diffie Hellman, DSA, openSSL, zlib, and any other components,
> besides the official license statement for OpenSSH. Any pointers
> would be appreciated.
IIRC and IANAL:
RSA expires soon 20-sep-2000
DH expired a couple of years back
DSA is unpatented or freely licensed (?)
zlib (deflate) is unpatented
> 3. The security folks want me to be able to disable tcp port
> forwarding and X11 forwarding in the binary. Commercial sshd
> has the compile time switches --disable-tcp-port-forwarding and
> --disable-X11-forwarding. How do I do this with openSSH?? (using
> the /etc/ssh_config directives is not an option - has to be a
> compile time switch).
This may be false security - what is to stop a luser from uploading
something that opens a socket and passes data back and forth over ssh?
OpenSSH doesn't have any such feature at the moment - though it would
be easy to add.
There is an untested patch attached to make PortForwarding a config
option and a second patch to disable it entirely.
> 4. There's also a requirement that tcp port forwarding attempts
> be logged to syslog whether the compile time switch has disabled
> port forwarding or not. Commercial sshd currently offers this
> as well...can openssh do this too? I know it does regular syslog
> logging..not sure about port forwarding entries.
Either patch will take care of this requirement.
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-------------- next part --------------
Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.22
diff -u -r1.22 servconf.c
--- servconf.c 2000/07/15 04:14:17 1.22
+++ servconf.c 2000/08/15 00:58:45
@@ -74,6 +74,7 @@
options->num_deny_groups = 0;
options->ciphers = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
+ options->port_forwarding = -1;
options->gateway_ports = -1;
options->num_subsystems = 0;
options->max_startups = -1;
@@ -158,6 +159,8 @@
options->use_login = 0;
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+ if (options->port_forwarding == -1)
+ options->port_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->max_startups == -1)
@@ -184,7 +187,8 @@
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
+ sPortForwarding, sGatewayPorts, sDSAAuthentication, sXAuthLocation,
+ sSubsystem, sMaxStartups
} ServerOpCodes;
/* Textual representation of the tokens. */
@@ -238,6 +242,7 @@
{ "denygroups", sDenyGroups },
{ "ciphers", sCiphers },
{ "protocol", sProtocol },
+ { "portforwarding", sPortForwarding },
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
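Review bot: the new `portforwarding` keyword added to the keyword table here has no matching entry in the sshd_config documentation (sshd.8) in this patch; add a paragraph stating the keyword name, that it takes yes/no, and that the default is yes, so administrators can discover it without reading servconf.c.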
@@ -537,6 +542,10 @@
case sGatewayPorts:
intptr = &options->gateway_ports;
+ goto parse_flag;
+
+ case sPortForwarding:
+ intptr = &options->port_forwarding;
goto parse_flag;
case sLogFacility:
Index: servconf.h
===================================================================
RCS file: /var/cvs/openssh/servconf.h,v
retrieving revision 1.15
diff -u -r1.15 servconf.h
--- servconf.h 2000/07/11 07:31:38 1.15
+++ servconf.h 2000/08/15 00:58:45
@@ -53,6 +53,7 @@
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
int protocol; /* Protocol in order of preference. */
+ int port_forwarding; /* If true, permit port forwarding. */
int gateway_ports; /* If true, allow remote connects to forwarded ports. */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.30
diff -u -r1.30 session.c
--- session.c 2000/08/15 00:01:22 1.30
+++ session.c 2000/08/15 00:58:45
@@ -191,7 +191,7 @@
* by the client telling us, so we can equally well trust the client
* not to request anything bogus.)
*/
- if (!no_port_forwarding_flag)
+ if (!no_port_forwarding_flag && options.port_forwarding)
channel_permit_all_opens();
s = session_new();
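Review bot: this gates only the `channel_permit_all_opens()` call in the protocol 1 session setup; nothing in this patch touches the protocol 2 channel-open path, so confirm that `options.port_forwarding` is also consulted where SSH2 direct-tcpip and tcpip-forward requests are accepted, otherwise the option silently applies to protocol 1 clients only.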
@@ -330,7 +330,7 @@
break;
case SSH_CMSG_PORT_FORWARD_REQUEST:
- if (no_port_forwarding_flag) {
+ if (no_port_forwarding_flag || !options.port_forwarding) {
debug("Port forwarding not permitted for this authentication.");
break;
}
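Review bot: the `debug()` message "Port forwarding not permitted for this authentication." is now also emitted when forwarding is disabled server-wide via `options.port_forwarding`, which is misleading, and debug-level output does not reach syslog under the default LogLevel, so this does not satisfy the requirement that refused forwarding attempts be logged. Suggest splitting the two cases and logging the config-disabled one at a level that is syslogged by default, naming the user, e.g. `log("Port forwarding request from %s refused: disabled in server configuration", pw->pw_name);`.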
-------------- next part --------------
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.30
diff -u -r1.30 session.c
--- session.c 2000/08/15 00:01:22 1.30
+++ session.c 2000/08/15 01:02:23
@@ -191,8 +191,10 @@
* by the client telling us, so we can equally well trust the client
* not to request anything bogus.)
*/
+#if 0
if (!no_port_forwarding_flag)
channel_permit_all_opens();
+#endif
s = session_new();
s->pw = pw;
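Review bot: `#if 0`/`#endif` hard-codes the removal rather than providing the compile-time switch the original question asked for; wrap the block in a named macro that a configure option can define (for example `#ifndef DISABLE_PORT_FORWARDING`, a hypothetical name) so the behaviour is selectable per build and the disabled code is not mistaken for a leftover.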
@@ -330,6 +332,9 @@
break;
case SSH_CMSG_PORT_FORWARD_REQUEST:
+ debug("Port forwarding not permitted for this authentication.");
+ break;
+#if 0
if (no_port_forwarding_flag) {
debug("Port forwarding not permitted for this authentication.");
break;
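Review bot: the `#if 0` opened here is closed only in the following hunk, so the old handler body between them becomes unreachable behind the unconditional `break;`; the `debug()` line that remains still reads "not permitted for this authentication" although the refusal is now unconditional, and at debug level it is not syslogged by default, so the logging requirement is unmet in this patch as well. Suggest a message that names the real cause (forwarding compiled out) and a log level that reaches syslog, including the requesting user.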
@@ -338,6 +343,7 @@
channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
success = 1;
break;
+#endif
case SSH_CMSG_MAX_PACKET_SIZE:
if (packet_set_maxsize(packet_get_int()) > 0)