OpenSSH Questions

Damien Miller djm at mindrot.org
Tue Aug 15 11:07:50 EST 2000


On Fri, 11 Aug 2000, achanak   wrote:

 
> Heya,
>
>  I'm trying to convince my company to use OpenSSH instead of the
>  commercial SSH version. I need a little help:
> 
>  1. What features does OpenSSH offer over commercial SSH (besides
>  being free and open source of course)?
>
>  2. Our lawyers want details on the licensing / patents stuff. I
>  have the high level details from the OpenSSH page. I need the
>  nitty gritty like RSA patent# and references, license statements
>  for Diffie Hellman, DSA, openSSL, zlib, and any other components,
>  besides the official license statement for OpenSSH. Any pointers
>  would be appreciated.

IIRC and IANAL:

RSA expires soon (20-sep-2000)
DH expired a couple of years back
DSA is unpatented or freely licensed (?)
zlib (deflate) is unpatented

>  3. The security folks want me to be able to disable tcp port
>  forwarding and X11 forwarding in the binary. Commercial sshd
>  has the compile time switches --disable-tcp-port-forwarding and
>  --disable-X11-forwarding. How do I do this with openSSH?? (using
>  the /etc/ssh_config directives is not an option - has to be a
>  compile time switch).

This may be false security - what is to stop a luser from uploading 
something that opens a socket and passes data back and forth over ssh?

OpenSSH doesn't have any such feature at the moment - though it would
be easy to add. 

There is an untested patch attached to make PortForwarding a config 
option and a second patch to disable it entirely.

>  4. There's also a requirement that tcp port forwarding attempts
>  be logged to syslog whether the compile time switch has disabled
>  port forwarding or not. Commercial sshd currently offers this
>  as well...can openssh do this too? I know it does regular syslog
>  logging..not sure about port forwarding entries.

Either patch will take care of this requirement.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
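The question above contrasts disabling forwarding through sshd_config directives with a compile-time switch. As an added example (not OpenSSH code and not part of this mail or its patches), the script below audits an sshd_config for the forwarding directives involved and reports their effective values. It assumes the documented sshd_config parsing rules (keywords are case-insensitive, a line beginning with `#` is a comment, and for each keyword the first value seen wins) and the `yes`/`no` argument handling of sshd's parse_flag. The directive table mixes present-day upstream keywords (AllowTcpForwarding, X11Forwarding, GatewayPorts) with the hypothetical `PortForwarding` keyword the attached patch introduces; defaults are the upstream ones for the real keywords and the patch's fill-in value (enabled) for `PortForwarding`. The sample config is constructed.

```python
"""Audit an sshd_config for forwarding directives (added example, not OpenSSH code).

Assumptions (labelled in the thread lead-in as well):
  * keywords are case-insensitive, values are not (sshd's parse_flag compares
    "yes"/"true"/"no"/"false" literally);
  * a line whose first non-blank character is '#' is a comment;
  * for each keyword the first value obtained wins, later duplicates are ignored;
  * "PortForwarding" is the hypothetical keyword from the attached patch, defaulting
    to enabled exactly as the patch's fill_default_server_options hunk does.
"""
import re

# keyword (lowercased) -> (default when unset, description)
DIRECTIVES = {
    "allowtcpforwarding": (True, "TCP port forwarding (upstream keyword)"),
    "x11forwarding": (False, "X11 forwarding (upstream keyword)"),
    "gatewayports": (False, "remote hosts may connect to forwarded ports (upstream keyword)"),
    "portforwarding": (True, "TCP port forwarding (keyword proposed in the attached patch)"),
}


def parse_flag(value):
    """Mirror sshd's parse_flag: yes/true -> True, no/false -> False, else an error."""
    v = value.strip()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    raise ValueError(f"bad yes/no argument: {value!r}")


def parse_sshd_config(text):
    """Return {keyword: bool} for tracked directives; first occurrence of a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        # sshd accepts "Keyword value" and "Keyword=value"; split on the first run of either
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword without an argument; sshd would reject this, we just skip it
        key, value = parts[0].lower(), parts[1]
        if key not in DIRECTIVES or key in seen:
            continue  # directive we do not audit, or a later duplicate that sshd ignores
        seen[key] = parse_flag(value)
    return seen


def effective_settings(text):
    """Apply defaults for unset directives, like fill_default_server_options does for -1."""
    parsed = parse_sshd_config(text)
    return {k: parsed.get(k, default) for k, (default, _) in DIRECTIVES.items()}


def report(text):
    """Human-readable audit lines, one per tracked directive."""
    lines = []
    for key, value in effective_settings(text).items():
        state = "ENABLED" if value else "disabled"
        lines.append(f"{key:20s} {state:9s} {DIRECTIVES[key][1]}")
    return lines


# Constructed sample config: the lowercase duplicate on the last line is ignored by sshd
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
AllowTcpForwarding no
X11Forwarding yes
allowtcpforwarding yes
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a real file with `report(open("/etc/ssh/sshd_config").read())`. Note what the audit cannot tell you, which is the point Damien makes below about "false security": a setting of `disabled` only means sshd itself will refuse forwarding requests; a user with shell access can still run their own relay over the session, so the directive is a policy control, not an isolation boundary.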


-------------- next part --------------
Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.22
diff -u -r1.22 servconf.c
--- servconf.c	2000/07/15 04:14:17	1.22
+++ servconf.c	2000/08/15 00:58:45
@@ -74,6 +74,7 @@
 	options->num_deny_groups = 0;
 	options->ciphers = NULL;
 	options->protocol = SSH_PROTO_UNKNOWN;
+	options->port_forwarding = -1;
 	options->gateway_ports = -1;
 	options->num_subsystems = 0;
 	options->max_startups = -1;
@@ -158,6 +159,8 @@
 		options->use_login = 0;
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+	if (options->port_forwarding == -1)
+		options->port_forwarding = 1;
 	if (options->gateway_ports == -1)
 		options->gateway_ports = 0;
 	if (options->max_startups == -1)
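Review bot: no documentation accompanies the new keyword. Because this hunk fills an unset `options->port_forwarding` with `1`, forwarding stays enabled unless an administrator writes `PortForwarding no`, and nothing in the patch (which touches only servconf.c, servconf.h and session.c) tells them the keyword exists; sshd.8 and the sample sshd_config should gain an entry stating the keyword and its default of yes.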
@@ -184,7 +187,8 @@
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
-	sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
+	sPortForwarding, sGatewayPorts, sDSAAuthentication, sXAuthLocation, 
+	sSubsystem, sMaxStartups
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
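Review bot: trailing whitespace after `sPortForwarding, sGatewayPorts, sDSAAuthentication, sXAuthLocation, ` on the first added line; strip it before committing. Splitting the enum line is otherwise fine.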
@@ -238,6 +242,7 @@
 	{ "denygroups", sDenyGroups },
 	{ "ciphers", sCiphers },
 	{ "protocol", sProtocol },
+	{ "portforwarding", sPortForwarding },
 	{ "gatewayports", sGatewayPorts },
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
@@ -537,6 +542,10 @@
 
 		case sGatewayPorts:
 			intptr = &options->gateway_ports;
+			goto parse_flag;
+
+		case sPortForwarding:
+			intptr = &options->port_forwarding;
 			goto parse_flag;
 
 		case sLogFacility:
Index: servconf.h
===================================================================
RCS file: /var/cvs/openssh/servconf.h,v
retrieving revision 1.15
diff -u -r1.15 servconf.h
--- servconf.h	2000/07/11 07:31:38	1.15
+++ servconf.h	2000/08/15 00:58:45
@@ -53,6 +53,7 @@
 	int     keepalives;	/* If true, set SO_KEEPALIVE. */
 	char   *ciphers;	/* Ciphers in order of preference. */
 	int	protocol;	/* Protocol in order of preference. */
+	int     port_forwarding;	/* If true, permit port forwarding. */
 	int     gateway_ports;	/* If true, allow remote connects to forwarded ports. */
 	SyslogFacility log_facility;	/* Facility for system logging. */
 	LogLevel log_level;	/* Level for system logging. */
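Review bot: the comment `/* If true, permit port forwarding. */` should say this is the server-wide switch that is ANDed with the per-key `no-port-forwarding` authorized_keys option (the `no_port_forwarding_flag` tested in session.c), so a reader does not assume a `yes` here overrides a per-key denial. Something like `/* If true, port forwarding may be permitted (per-key options still apply). */` would do.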
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.30
diff -u -r1.30 session.c
--- session.c	2000/08/15 00:01:22	1.30
+++ session.c	2000/08/15 00:58:45
@@ -191,7 +191,7 @@
 	 * by the client telling us, so we can equally well trust the client
 	 * not to request anything bogus.)
 	 */
-	if (!no_port_forwarding_flag)
+	if (!no_port_forwarding_flag && options.port_forwarding)
 		channel_permit_all_opens();
 
 	s = session_new();
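Review bot: this gate sits in the protocol 1 path (the surrounding `s = session_new(); s->pw = pw;` belongs to do_authenticated, and the companion hunk below handles SSH_CMSG_PORT_FORWARD_REQUEST, a protocol 1 message), yet the servconf.c hunk defaults `options->protocol` to `SSH_PROTO_1|SSH_PROTO_2`. Check that the protocol 2 request handling also consults `options.port_forwarding`; as the patch stands, `PortForwarding no` appears to apply only to protocol 1 sessions, which should at least be documented if it is not fixed.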
@@ -330,7 +330,7 @@
 			break;
 
 		case SSH_CMSG_PORT_FORWARD_REQUEST:
-			if (no_port_forwarding_flag) {
+			if (no_port_forwarding_flag || !options.port_forwarding) {
 				debug("Port forwarding not permitted for this authentication.");
 				break;
 			}
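Review bot: the refusal is reported only with `debug()`, which reaches syslog only when LogLevel is DEBUG, so the requirement in question 4 (every forwarding attempt logged to syslog) is not met at the default log level; use `log()` here. The message is also now inaccurate, since "not permitted for this authentication" can be caused by the global `PortForwarding no` rather than the per-key flag; distinguish the two, e.g. `log("Port forwarding request refused: PortForwarding is disabled in sshd_config");` when `!options.port_forwarding`, so an admin reading syslog knows which control fired.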
-------------- next part --------------
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.30
diff -u -r1.30 session.c
--- session.c	2000/08/15 00:01:22	1.30
+++ session.c	2000/08/15 01:02:23
@@ -191,8 +191,10 @@
 	 * by the client telling us, so we can equally well trust the client
 	 * not to request anything bogus.)
 	 */
+#if 0
 	if (!no_port_forwarding_flag)
 		channel_permit_all_opens();
+#endif
 
 	s = session_new();
 	s->pw = pw;
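Review bot: `#if 0` hard-codes the removal rather than providing the configure-time switch the question asked for. Wrap the block in a macro set from configure instead (e.g. `#ifndef DISABLE_PORT_FORWARDING`, a hypothetical name), so one source tree builds both variants; if the intent really is to drop the code unconditionally, delete it rather than leaving a dead `#if 0` block that will drift from the live copy in the first patch.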
@@ -330,6 +332,9 @@
 			break;
 
 		case SSH_CMSG_PORT_FORWARD_REQUEST:
+			debug("Port forwarding not permitted for this authentication.");
+			break;
+#if 0
 			if (no_port_forwarding_flag) {
 				debug("Port forwarding not permitted for this authentication.");
 				break;
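Review bot: the same logging point applies here: the unconditional refusal is emitted with `debug()` only, so it will not reach syslog at the default LogLevel, and the text "not permitted for this authentication" is wrong now that refusal no longer depends on the authentication; use `log()` with a message saying port forwarding is compiled out. Note also that the `#if 0` opened on the added line is closed only in the next hunk, so the unchanged lines between the two hunks must contain nothing the compiler still needs; confirm the file builds.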
@@ -338,6 +343,7 @@
 			channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
 			success = 1;
 			break;
+#endif
 
 		case SSH_CMSG_MAX_PACKET_SIZE:
 			if (packet_set_maxsize(packet_get_int()) > 0)

