search for: channel_output_pol

...the "byte to add" value is off by 4x the number of packets consumed by the server. Eventually over time this drives the client's remote window count to go to zero. As an aside the remote window count has to be exactly 0 for the stall to occur. Initially the following line of code in channel_output_poll that decrements the remote window count for datagram channels looked suspicious: c->remote_window -= dlen + 4; However, the code that updates Channel.local_window and Channel.local_consumed for a datagram channel also includes the +4 in the calculation. Does anybody know why the datagram ca...

...#39;' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -1590,9 +1616,12 @@ /* If there is data to send to the connection, enqueue some of it now. */ - +/* + * SD Mod: add arguments bogus_send_count and use_steno_timing_manipulation + * to channel_output_poll. +*/ void -channel_output_poll() +channel_output_poll(int *bogus_send_count, int use_steno_timing_manipulation) { int len, i; Channel *c; @@ -1649,11 +1678,49 @@ SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); pac...

I'm reading this fine article on O'Reilly: http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html <quote> The paper concludes that the keystroke timing data observable from today's SSH implementations reveals a dangerously significant amount of information about user terminal sessions--enough to locate typed passwords in the session data stream and reduce the

Hello, In response to the timing analysis attacks presented by Dawn Song et. al. in her paper http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html we at Silicon Defense developed a patch for openssh to avoid such measures. Timing Analysis Evasion changes were developed by C. Jason Coit and Roel Jonkman of Silicon Defense. These changes cause SSH to send packets unless request not to,

...ata transfers using the standard code and the patched code as follows. Standard: samples cum. samples % cum. % symbol name 15360 15360 11.4140 11.4140 client_loop 13277 28637 9.8661 21.2801 packet_send2_wrapped 11017 39654 8.1867 29.4668 channel_output_poll 8070 47724 5.9968 35.4635 buffer_append_space 7914 55638 5.8809 41.3444 channel_handler 5970 61608 4.4363 45.7807 arc4random 5346 66954 3.9726 49.7533 channel_pre_open 5159 72113 3.8336 53.5869 packet_read_poll_se...

...did a bit of debugging and found that ssh code was sending packet of size greater than 131072 bytes from the application level to the socket and hence the issue. On going through the code In client_loop( in clientloop.c) if (packet_not_very_much_data_to_write()) channel_output_poll(); In packet.c packet_not_very_much_data_to_write(void) { if (interactive_mode) { fprintf(stderr,"interactive mode buffer len %d\n", buffer_len(&output)); return buffer_len(&output) < 16384; } else {...

...tinue; + if (c->client_tty) + return 1; + } + return 0; +} + /* Returns the id of an open channel suitable for keepaliving */ int channel_find_open(struct ssh *ssh) diff --git a/channels.h b/channels.h index 7cfba92..c31733f 100644 --- a/channels.h +++ b/channels.h @@ -337,6 +337,7 @@ int channel_output_poll(struct ssh *); int channel_not_very_much_buffered_data(struct ssh *); void channel_close_all(struct ssh *); int channel_still_open(struct ssh *); +int channel_tty_open(struct ssh *); const char *channel_format_extended_usage(const Channel *); char *channel_open_message(struct s...

...to busywait but instead wait for the system clock. This introduces a variable delay that greatly reduces the information from timing analysis. I believe sshd already can handle multiple keypresses per packet, but I did get one to choke around 1500 after pasting in 10KB. I inserted a usleep() in channel_output_poll() [not the best place but I couldn't get it to work in clientloop.c] and it runs fine for me, but I may need to make the delay a bit smarter. -- Robert

...: void server_loop2(Authctxt *authctxt) { [ ... ] for (;;) { process_buffered_input_packets(); rekeying = (xxx_kex != NULL && !xxx_kex->done); if (!rekeying && packet_not_very_much_data_to_write()) channel_output_poll(); wait_until_can_do_something(&readset, &writeset, &max_fd, &nalloc, 0); [ ...] and it hangs in the select() call in wait_until_can_do_something(). question: why is the wait time set to 0 (= wait forever) ? server_loop() (the interactive fun...

...nnel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; } static void @@ -2190,10 +2306,12 @@ channel_output_poll(void) */ if (compat13) { if (c->type != SSH_CHANNEL_OPEN && - c->type != SSH_CHANNEL_INPUT_DRAINING) + c->type != SSH_CHANNEL_INPUT_DRAINING && + c->type != SSH_CHANNEL_RDYNAMIC) continue; } else { - if (c->type != SSH_CHANNEL_O...

Hi! I am resending the following message about problems with utmp handling. * In the meantime I had some request in private mail from people asking whether I have new information. * The problem is still persistant in 2.9p2. * My own new investigations show, that the problem only appears with protocol 2, not with protocol 1, I therefore only started to note it when protocol 2 became the