[PATCH] Add a Maximum Idle Time (1.2.2)

Jacob Luna Lundberg jacob at velius.chaos2.org
Mon Mar 6 19:38:37 EST 2000


On Mon, 6 Mar 2000, Markus Friedl wrote:
> the patch looks reasonable, but SSH_MSG_NONE type packets
> must not travel over the wire. this violates the protocol spec.

     Ok.  Corrected patch attached.  :)  As before, it's also here:
http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2-trans_inter-r1

> SSH_MSG_IGNORE should be used, e.g.:
> 	packet_start(SSH_MSG_IGNORE);
> 	packet_put_string("bla", 3);
> 	packet_send();

     I wondered if I needed to stuff them with something.  Open sshd
didn't seem to mind if they were empty, but closed sshd terminated the
connection.  Thanks for the showing me how...

-Jacob

-- 

"Heh.  You mean this is Stef's source code?"
  -User Friendly

-------------- next part --------------
diff -ur openssh-1.2.2/clientloop.c openssh-1.2.2-trans_inter-r1/clientloop.c
--- openssh-1.2.2/clientloop.c	Mon Dec  6 20:38:32 1999
+++ openssh-1.2.2-trans_inter-r1/clientloop.c	Mon Mar  6 00:22:46 2000
@@ -396,8 +396,10 @@
  */
 
 void 
-client_wait_until_can_do_something(fd_set * readset, fd_set * writeset)
+client_wait_until_can_do_something(fd_set * readset, fd_set * writeset, int trans_inter)
 {
+	int select_return;
+
 	/* Initialize select masks. */
 	FD_ZERO(readset);
 
@@ -436,15 +438,31 @@
 		max_fd = channel_max_fd();
 
 	/*
-	 * Wait for something to happen.  This will suspend the process until
-	 * some selected descriptor can be read, written, or has some other
-	 * event pending. Note: if you want to implement SSH_MSG_IGNORE
-	 * messages to fool traffic analysis, this might be the place to do
-	 * it: just have a random timeout for the select, and send a random
-	 * SSH_MSG_IGNORE packet when the timeout expires.
+	 *	Wait for something to happen.  This will suspend the process
+	 * until some selected descriptor can be read, written, or has some
+	 * other event pending.
+	 *	Implemented timeout SSH_MSG_IGNORE packets to keep a minimum
+	 * frequency of traffic present on a connection.  This can be used to
+	 * prevent a firewall (ip_masq f.e.) from timing out and causing a new
+	 * port to be allocated which effectively kills the connection.
+	 *	To fool traffic analysis, set the timeout on the SSH_MSG_IGNORE
+	 * packets randomly.  Fill the packets with random-length traffic.
 	 */
 
-	if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) {
+	if( trans_inter > 0 ) {
+		struct timeval timeout;
+		timeout.tv_sec = trans_inter;
+		timeout.tv_usec = 0;
+		select_return = select(max_fd + 1, readset, writeset, NULL, &timeout);
+		if(select_return == 0) {
+			packet_start(SSH_MSG_IGNORE);
+			packet_put_string("TransmitInterlude", 17);
+			packet_send();
+		}
+	} else
+		select_return = select(max_fd + 1, readset, writeset, NULL, NULL);
+
+	if( select_return < 0 ) {
 		char buf[100];
 		/* Some systems fail to clear these automatically. */
 		FD_ZERO(readset);
@@ -863,7 +881,7 @@
 		 * Wait until we have something to do (something becomes
 		 * available on one of the descriptors).
 		 */
-		client_wait_until_can_do_something(&readset, &writeset);
+		client_wait_until_can_do_something(&readset, &writeset, options.trans_inter);
 
 		if (quit_pending)
 			break;
diff -ur openssh-1.2.2/readconf.c openssh-1.2.2-trans_inter-r1/readconf.c
--- openssh-1.2.2/readconf.c	Sun Dec  5 16:47:29 1999
+++ openssh-1.2.2-trans_inter-r1/readconf.c	Mon Mar  6 00:22:46 2000
@@ -78,6 +78,7 @@
      UseRsh no
      StrictHostKeyChecking yes
      KeepAlives no
+     TransmitInterlude 0
      IdentityFile ~/.ssh/identity
      Port 22
      EscapeChar ~
@@ -101,8 +102,8 @@
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
-	oUsePrivilegedPort, oLogLevel
+	oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts,
+	oTISAuthentication, oUsePrivilegedPort, oLogLevel
 } OpCodes;
 
 /* Textual representations of the tokens. */
@@ -148,6 +149,7 @@
 	{ "compression", oCompression },
 	{ "compressionlevel", oCompressionLevel },
 	{ "keepalive", oKeepAlives },
+	{ "transmitinterlude", oTransmitInterlude },
 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
 	{ "tisauthentication", oTISAuthentication },
 	{ "loglevel", oLogLevel },
@@ -355,6 +357,10 @@
 		intptr = &options->keepalives;
 		goto parse_flag;
 
+	case oTransmitInterlude:
+		intptr = &options->trans_inter;
+		goto parse_int;
+
 	case oNumberOfPasswordPrompts:
 		intptr = &options->number_of_password_prompts;
 		goto parse_int;
@@ -610,6 +616,7 @@
 	options->strict_host_key_checking = -1;
 	options->compression = -1;
 	options->keepalives = -1;
+	options->trans_inter = -1;
 	options->compression_level = -1;
 	options->port = -1;
 	options->connection_attempts = -1;
@@ -677,6 +684,8 @@
 		options->compression = 0;
 	if (options->keepalives == -1)
 		options->keepalives = 1;
+	if (options->trans_inter == -1)
+		options->trans_inter = 0;
 	if (options->compression_level == -1)
 		options->compression_level = 6;
 	if (options->port == -1)
diff -ur openssh-1.2.2/readconf.h openssh-1.2.2-trans_inter-r1/readconf.h
--- openssh-1.2.2/readconf.h	Sun Dec  5 16:47:29 1999
+++ openssh-1.2.2-trans_inter-r1/readconf.h	Mon Mar  6 00:22:46 2000
@@ -56,6 +56,7 @@
 	int     compression_level;	/* Compression level 1 (fast) to 9
 					 * (best). */
 	int     keepalives;	/* Set SO_KEEPALIVE. */
+	int     trans_inter;	/* Guarantee transmit every n seconds. */
 	LogLevel log_level;	/* Level for logging. */
 
 	int     port;		/* Port to connect. */
diff -ur openssh-1.2.2/ssh.0 openssh-1.2.2-trans_inter-r1/ssh.0
--- openssh-1.2.2/ssh.0	Wed Jan 26 19:17:09 2000
+++ openssh-1.2.2-trans_inter-r1/ssh.0	Mon Mar  6 00:32:28 2000
@@ -486,6 +486,21 @@
              be verified automatically in either case.  The argument must be
              ``yes'' or ``no''.
 
+     TransmitInterlude
+             Specifies a maximum time to allow between transmitting packets,
+             in seconds.  If this amount of time passes and the client has no
+             data to send, it will send an ignore packet to the server.  One
+             example where this is useful is when using ssh from behind a Lin-
+             ux ip_masquerade firewall.  If packets aren't sent through such a
+             firewall periodically, the firewall may forget about the connec-
+             tion.  Then when a packet finally is sent, the firewall will as-
+             sign a new port, which will cause the remote server to disconnect
+             the session.  This option defaults to ``0'', which means not
+             sending periodic packets.  A setting of a few hundred seconds
+             should be about right if this is needed.  You should probably try
+             setting KeepAlive to ``yes'' in your conf files on both the serv-
+             er and the client first.
+
      UsePrivilegedPort
              Specifies whether to use a privileged port for outgoing connec-
              tions.  The argument must be ``yes'' or ``no''. The default is
diff -ur openssh-1.2.2/ssh.1 openssh-1.2.2-trans_inter-r1/ssh.1
--- openssh-1.2.2/ssh.1	Sat Jan 22 00:57:40 2000
+++ openssh-1.2.2-trans_inter-r1/ssh.1	Mon Mar  6 00:30:30 2000
@@ -720,6 +720,22 @@
 .Dq yes
 or
 .Dq no .
+.It Cm TransmitInterlude
+Specifies a maximum time to allow between transmitting packets,
+in seconds.  If this amount of time passes and the client has
+no data to send, it will send an ignore packet to the server.
+One example where this is useful is when using ssh from behind
+a Linux ip_masquerade firewall.  If packets aren't sent through
+such a firewall periodically, the firewall may forget about the
+connection.  Then when a packet finally is sent, the firewall
+will assign a new port, which will cause the remote server to
+disconnect the session.  This option defaults to
+.Dq 0 ,
+which means not sending periodic packets.  A setting of a few
+hundred seconds should be about right if this is needed.  You
+should probably try setting KeepAlive to
+.Dq yes
+in your conf files on both the server and the client first.
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be


More information about the openssh-unix-dev mailing list