Call for testers.
Lutz Jaenicke
Lutz.Jaenicke at aet.TU-Cottbus.DE
Sat Sep 15 17:12:34 EST 2001
On Fri, Sep 14, 2001 at 06:24:13PM -0500, mouring at etoh.eviladmin.org wrote:
>
> http://bass.directhit.com/openssh_snap/
>
> Starting tonight I plan on tracking changes very closely with the OpenBSD
> tree. I need people to test the latest snapshot (9/14 as of right now)
> and report success or failure on compiling.
>
> I am starting this now because we are looking at a code freeze soon and I
> really want to ensure it compiles and runs on all existing platforms. So
> we (the portable group) are not rushing to get a release out of the door.
Mumble, mumble. I feel like a parrot: the fix for the ssh-agent forwarding
problem on some platforms (e.g. HP-UX) is still not in the code.
Background: When using agent forwarding (-A) and actually accessing
the agent, the forwarded connection is not closed. This has two consequences:
1. with the forwarded connection still open, the ssh connection will not
close down properly (similar to the often discussed sleep;exit hang).
2. The ssh-agent itself will only serve a limited number of connections
at a time (10?), so that the ssh-agent will run into a resource limit
and will stop accepting connections.
The reason is that on some platforms (namely HP-UX), a shutdown() in only
one direction is not propagated (ssh uses shutdown() on the UNIX socket to
the agent, but the agent never learns about this shutdown()). I have seen
similar effects on pipe-connections on HP-UX, which therefore requires the
USE_PIPE flag. I would therefore expect the other platforms requiring the
USE_PIPE flag to also be affected. According to configure.in these are:
cygwin, NeXT, SunOS4, SNI-SysV, SysV4.2, SysV5, SCO3.2v?, unicos.
I have again attached the patch worked out between Markus Friedl and myself.
Please test whether agent forwarding works for you _and_, if you experience
the problem described above, whether the appended patch helps.
To test:
* start the agent and load a key.
* connect to a server with ssh -A.
* from there open another ssh connection which requires public key
authentication with the key in the agent.
* exit both connections. If the second exit hangs, you have the problem
described.
Hint 1: the patch only affects the client, as it is the UNIX socket between
client and ssh-agent that makes the problem.
Hint 2: don't forget to "make clean; make" after applying the patch, as the
data structures are changed.
Sorry for bothering you with this longish email, but the security advantages
of agent forwarding are obvious:
- a malicious ssh-client binary cannot log your password, as you do not
type it in. (This does not protect the malicious binary from changing
the communication once established, but this is much harder to exploit
than simply logging the password and using it later.)
- the password timing attack does not apply, as no passwords have to be
typed in to open the second connection.
Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
-------------- next part --------------
diff -r -u newsoft/openssh_cvs/channels.c n2/openssh/channels.c
--- newsoft/openssh_cvs/channels.c Thu Jul 19 18:03:32 2001
+++ n2/openssh/channels.c Wed Jul 25 18:09:44 2001
@@ -260,6 +260,7 @@
c->cb_fn = NULL;
c->cb_arg = NULL;
c->cb_event = 0;
+ c->force_drain = 0;
c->detach_user = NULL;
c->input_filter = NULL;
debug("channel %d: new [%s]", found, remote_name);
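Review bot: Initialising `c->force_drain = 0` here in channel_new is the right place for the default, and it means every channel starts with the flag cleared; the explicit `nc->force_drain = 0` resets that the later channels.c hunks add after each channel_new call are then redundant and could be dropped to keep the flag's handling in one place.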
@@ -1031,6 +1032,7 @@
xfree(remote_ipaddr);
return;
}
+ nc->force_drain = 0;
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("x11");
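Review bot: `nc->force_drain = 0;` is redundant if channel_new already zeroes the field as the first hunk does; if it is kept deliberately (for example because a channel struct may be reused), a one-line comment saying so would stop the next reader from removing it.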
@@ -1185,6 +1187,7 @@
xfree(name);
close(newsock);
}
+ nc->force_drain = 0;
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("auth-agent at openssh.com");
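Review bot: Same remark as for the x11 path above: resetting `nc->force_drain = 0` right after channel_new duplicates the default set in channel_new itself. Since the e-mail says the fix only matters on the client side of the agent socket, it would help to state in a comment that the server-side accept path intentionally leaves the flag cleared.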
@@ -1781,6 +1784,13 @@
if (c == NULL)
packet_disconnect("Received ieof for nonexistent channel %d.", id);
chan_rcvd_ieof(c);
+
+ /* XXX force input close */
+ if (c->force_drain) {
+ debug2("channel %d: XXX FORCE input drain", c->self);
+ c->istate = CHAN_INPUT_WAIT_DRAIN;
+ }
+
}
void
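Review bot: The forced transition `c->istate = CHAN_INPUT_WAIT_DRAIN;` is applied regardless of the channel's current input state; if istate is already CHAN_INPUT_WAIT_DRAIN or CHAN_INPUT_CLOSED when the ieof arrives, overwriting it moves the state machine backwards. Guarding it with a check that the input side is still open (e.g. `if (c->force_drain && c->istate == CHAN_INPUT_OPEN)`) would keep the workaround from interfering with an already-draining channel. The "XXX" comment and debug2 text should also say why the force is needed (the peer never sees the one-directional shutdown() on some platforms) rather than just that it happens, so the workaround can be revisited when those platforms are gone. The two bare `+` blank lines around the block are also unnecessary.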
@@ -2669,6 +2679,7 @@
close(sock);
} else {
c->remote_id = remote_id;
+ c->force_drain = 1;
}
}
if (c == NULL) {
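Review bot: `c->force_drain = 1;` is set only on the success branch, which is correct, but this is one of four call sites that set the flag by hand (two in channels.c, two in clientloop.c); a new channel type that needs the same treatment can easily be missed. Passing the flag into channel_new, or a small helper that sets it together with `remote_id`, would keep the behaviour in one place.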
@@ -2931,6 +2942,7 @@
close(sock);
} else {
c->remote_id = remote_id;
+ c->force_drain = 1;
}
}
if (c == NULL) {
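Review bot: This mirrors the hunk at -2669 line for line; a short comment at this site saying why this open path needs the forced drain on ieof would spare the reader a trip to channel_input_ieof to work out the intent.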
diff -r -u newsoft/openssh_cvs/channels.h n2/openssh/channels.h
--- newsoft/openssh_cvs/channels.h Thu Jul 19 18:03:33 2001
+++ n2/openssh/channels.h Thu Jul 19 18:31:56 2001
@@ -77,6 +77,7 @@
int efd; /* extended fd */
int sock; /* sock fd */
int isatty; /* rfd is a tty */
+ int force_drain; /* force close on iEOF */
Buffer input; /* data read from socket, to be sent over
* encrypted connection */
Buffer output; /* data received over encrypted connection for
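Review bot: The field comment `/* force close on iEOF */` describes the mechanism but not the reason; something like "peer does not see half-close on some platforms, so go to INPUT_WAIT_DRAIN when ieof arrives" would make the workaround self-documenting. Adding the member in the middle of `struct Channel` changes the struct layout, which is why the e-mail has to warn about `make clean`; appending it at the end of the struct would not remove that need but would at least keep the existing field offsets stable.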
diff -r -u newsoft/openssh_cvs/clientloop.c n2/openssh/clientloop.c
--- newsoft/openssh_cvs/clientloop.c Thu Jul 19 18:03:33 2001
+++ n2/openssh/clientloop.c Thu Jul 19 19:24:27 2001
@@ -1111,6 +1111,7 @@
error("client_request_x11: channel_new failed");
close(sock);
}
+ c->force_drain = 1;
return c;
}
@@ -1136,6 +1137,7 @@
error("client_request_agent: channel_new failed");
close(sock);
}
+ c->force_drain = 1;
return c;
}