simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sun Mar 31 10:37:14 BST 2019
TL;DR:
75fccc5d Pass SshServerConfig through to sesschan.c.
4bb18677 uxserver.c: 'longoptnoarg' matching function.
8d84272d uxserver: option to generate numeric "exit-signal".
b494ecfc Uppity: allow CLI override of the KEXINIT strings.
b5ccdebf Uppity: get cipher directions the right way round!
3b51644f Add a /proc/net magic authenticator.
443ad75a Uppity: add a --listen mode, protected by /proc/net/tcp.
d990dfc3 Uppity: add a --listen-once option.
b9db5271 Uppity: enable the des-cbc cipher.
dd3f04ec Uppity: fix a really obvious use-after-free.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2019-03-31 10:37:14
commit 75fccc5d58827d6b4500048102537ac539d84f3b
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=75fccc5d58827d6b4500048102537ac539d84f3b;hp=ea329670448537732a812a57e3ee7d1bc3da791a
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 30 07:27:26 2019 +0000
Pass SshServerConfig through to sesschan.c.
This will let me change the behaviour of the main session channel
based on command-line tweaks.
sesschan.c | 5 ++++-
ssh1connection-server.c | 3 ++-
ssh2connection-server.c | 2 +-
sshserver.h | 3 ++-
4 files changed, 9 insertions(+), 4 deletions(-)
commit 4bb1867788951b880eb1679c95d6e0e9c0c79f40
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4bb1867788951b880eb1679c95d6e0e9c0c79f40;hp=75fccc5d58827d6b4500048102537ac539d84f3b
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 30 07:27:57 2019 +0000
uxserver.c: 'longoptnoarg' matching function.
Replaces a couple of existing strcmp, and does just slightly better
because as well as matching "--verbose" (say) it also matches
"--verbose=foo" and gives a comprehensible error message about it.
unix/uxserver.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
commit 8d84272d80e07ae8255f14acb025c2aeee323557
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=8d84272d80e07ae8255f14acb025c2aeee323557;hp=4bb1867788951b880eb1679c95d6e0e9c0c79f40
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 30 07:28:38 2019 +0000
uxserver: option to generate numeric "exit-signal".
This mimics a bug in some old SSH servers for which PuTTY contains
compensation code (parsing an incoming "exit-signal" two ways and
seeing which one worked). I completely rewrote that code in commit
7535f645a, as part of the BinarySource rework. Now I can finally test
it sensibly.
sesschan.c | 34 ++++++++++++++++++++++++----------
sshserver.h | 3 +++
unix/uxpty.c | 16 +++++++++++-----
unix/uxserver.c | 2 ++
4 files changed, 40 insertions(+), 15 deletions(-)
commit b494ecfcfc17e26d9a214b7cbd4f943f50fc1aea
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=b494ecfcfc17e26d9a214b7cbd4f943f50fc1aea;hp=8d84272d80e07ae8255f14acb025c2aeee323557
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 08:35:31 2019 +0100
Uppity: allow CLI override of the KEXINIT strings.
This is an obviously useful test feature, since if nothing else it
will let me exercise every individual crypto primitive, even the ones
that the client-side configuration is too coarse-grained to describe
in detail (such as the difference between CBC and CTR mode versions of
the same cipher).
ssh.h | 7 +++++++
ssh2transport.c | 33 ++++++++++++++++++++++++++-------
ssh2transport.h | 5 -----
sshserver.h | 7 ++++++-
unix/uxserver.c | 16 ++++++++++++++++
5 files changed, 55 insertions(+), 13 deletions(-)
commit b5ccdebfb385b5bbb4ad87fc9b3fff6f4206b1de
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=b5ccdebfb385b5bbb4ad87fc9b3fff6f4206b1de;hp=b494ecfcfc17e26d9a214b7cbd4f943f50fc1aea
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 08:45:30 2019 +0100
Uppity: get cipher directions the right way round!
The very first thing I tried to test with the new KEXINIT override was
to select a non-default cipher in only one of the two connection
directions. It failed because both client and server tried to send AES
and receive ChaCha20, which doesn't work very well!
The server-readiness tweaks in ssh2transport.c included a switching
system so that when we scan both KEXINITs to determine the chosen
cipher, we can change which one we think is client and which is
server. But I'd forgotten to put in a similar switch for the
structures into which we put the selected algorithms for
client->server and server->client directions. Ahem.
ssh2transport.c | 8 ++++++--
ssh2transport.h | 2 +-
2 files changed, 7 insertions(+), 3 deletions(-)
commit 3b51644f2bef372abff6c575a61a7711a43cc97d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3b51644f2bef372abff6c575a61a7711a43cc97d;hp=b5ccdebfb385b5bbb4ad87fc9b3fff6f4206b1de
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 09:24:17 2019 +0100
Add a /proc/net magic authenticator.
This is a Linux-specific trick that I'm quite fond of: I've used it
before in 'agedu' and a lot of my unpublished personal scriptery.
Suppose you want to run a listening network server in such a way that
it can only accept connections from processes under your own control.
Often it's not convenient to do this by adding an authentication step
to the protocol itself (either because the password management gets
hairy or because the protocol is already well defined). The 'right'
answer is to switch from TCP to Unix-domain sockets, because then you
can use the file permissions on the path leading to the socket inode
to ensure that no other user id can connect to it - but that's often
inconvenient as well, because if any _client_ of the server is not
already prepared to speak AF_UNIX your control then you can only trick
it into connecting to an AF_UNIX socket instead of TCP by applying a
downstream patch or resorting to LD_PRELOAD shenanigans.
But on Linux, there's an alternative shenanigan available, in the form
of /proc/net/tcp (or tcp6), which lists every currently active TCP
endpoint known to the kernel, and for each one, lists an owning uid.
Listen on localhost only. Then, when a connection comes in, look up
the far end of it in that file and see if the owning uid is the right
one!
I've always vaguely wondered if there would be uses for this trick in
PuTTY. One potentially useful one might be to protect the listening
sockets created by local-to-remote port forwarding. But for the
moment, I'm only planning to use it for a less security-critical
purpose, which will appear in the next commit.
unix/procnet.c | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
unix/unix.h | 11 +++
unix/uxnet.c | 9 +++
3 files changed, 249 insertions(+)
commit 443ad75a81f3ddeb54417a90639663b59731e038
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=443ad75a81f3ddeb54417a90639663b59731e038;hp=3b51644f2bef372abff6c575a61a7711a43cc97d
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 09:27:10 2019 +0100
Uppity: add a --listen mode, protected by /proc/net/tcp.
Uppity is not secure enough to listen on a TCP port as if it was a
normal SSH server. Until now, I've been using it by means of a local
proxy command, i.e. PuTTY invokes Uppity in the same way it might
invoke 'plink -nc'. This rigorously prevents any hostile user from
connecting to my utterly insecure test server, but it's a thundering
inconvenience as soon as you want to attach a debugger to the Uppity
process itself - you have to stick a gdbserver somewhere in the middle
of your already complicated shell pipeline, and then find a way to
connect back to it from a gdb in a terminal window.
So I've added an option to make Uppity listen on a TCP port in the
normal way - but it's protected using that /proc/net/tcp trick I just
added in the previous commit.
Recipe | 2 +-
sshserver.c | 4 +-
sshserver.h | 2 +-
unix/uxserver.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++--------
4 files changed, 139 insertions(+), 25 deletions(-)
commit d990dfc395ce264e41492186ea971c44ba0ee72f
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d990dfc395ce264e41492186ea971c44ba0ee72f;hp=443ad75a81f3ddeb54417a90639663b59731e038
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 09:27:47 2019 +0100
Uppity: add a --listen-once option.
This modifies 'uppity --listen' so that it closes the listening socket
after the first connection comes in.
unix/uxserver.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
commit b9db527102b71f86268ce705f9dfed855c6e6a3c
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=b9db527102b71f86268ce705f9dfed855c6e6a3c;hp=d990dfc395ce264e41492186ea971c44ba0ee72f
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 10:08:53 2019 +0100
Uppity: enable the des-cbc cipher.
There was no way to enable it for testing purposes at all until now.
Overriding the server KEX string to mention it doesn't help when it
was prevented from getting into the list that scan_kexinit_lists will
go through afterwards to find pointers to algorithm structures.
sshserver.c | 13 +++++++++++++
sshserver.h | 2 ++
unix/uxserver.c | 3 +--
3 files changed, 16 insertions(+), 2 deletions(-)
commit dd3f04ec4052760eeccd971525c79feade83d411
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=dd3f04ec4052760eeccd971525c79feade83d411;hp=b9db527102b71f86268ce705f9dfed855c6e6a3c
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 31 10:19:04 2019 +0100
Uppity: fix a really obvious use-after-free.
Oops! Fortunately, it's _only_ in Uppity. Must have written that code
in a hell of a hurry to make that goof.
sshserver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
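The /proc/net/tcp lookup described in commit 3b51644f above, as an added example: this is not the code in unix/procnet.c, and the function names and the sample table are constructed for illustration. It assumes IPv4 and the usual /proc/net/tcp column layout, and matches the row whose local side is the connecting peer, so the server's own end of the connection is never mistaken for the client's.

```c
#include <stdio.h>

/* Constructed /proc/net/tcp sample, not from a real host. Addresses are the
 * raw s_addr in hex (0100007F = 127.0.0.1, little-endian); 08AE = port 2222. */
static const char SAMPLE[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   1: 0100007F:08AE 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 50002\n"
"   2: 0100007F:C350 0100007F:08AE 01 00000000:00000000 00:00000000 00000000  1001        0 50003\n"
"   3: 0100007F:08AE 0100007F:C351 01 00000000:00000000 00:00000000 00000000  1000        0 50004\n"
"   4: 0100007F:C351 0100007F:08AE 01 00000000:00000000 00:00000000 00000000  1000        0 50005\n";

/* Find the far end of an accepted connection: the row whose local side is our
 * peer and whose remote side is us. The header and malformed lines are skipped. */
int peer_owner_uid(FILE *fp, unsigned peer_addr, unsigned peer_port,
                   unsigned our_addr, unsigned our_port, unsigned *uid)
{
    char line[512];
    while (fgets(line, sizeof line, fp)) {
        unsigned la, lp, ra, rp, u;
        if (sscanf(line, " %*u: %8X:%4X %8X:%4X %*X %*X:%*X %*X:%*X %*X %u",
                   &la, &lp, &ra, &rp, &u) != 5)
            continue;
        if (la == peer_addr && lp == peer_port &&
            ra == our_addr && rp == our_port) {
            *uid = u;
            return 1;
        }
    }
    return 0;
}

/* Fail closed over SAMPLE: admit only a listed peer owned by want_uid. */
int sample_allowed(unsigned peer_port, unsigned want_uid)
{
    FILE *fp = tmpfile();
    unsigned uid = 0;
    int found;
    if (!fp) return -1;
    fputs(SAMPLE, fp);
    rewind(fp);
    found = peer_owner_uid(fp, 0x0100007F, peer_port, 0x0100007F, 0x08AE, &uid);
    fclose(fp);
    return found && uid == want_uid;
}

int main(void)
{
    printf("other uid: %d, own uid: %d\n", sample_allowed(0xC350, 1000), sample_allowed(0xC351, 1000));
    return 0;
}
```

In a server the peer values come from getpeername() and our own from getsockname() on the accepted socket, comparing the raw sin_addr.s_addr and ntohs(sin_port) against the parsed fields. A peer that is not listed at all is rejected, the same as one owned by another uid.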