search for: rfc4254

...TF mailing list but I figured I'd start here first. I ran across this because signals need to be sent as explicit commands, not as special characters, when using EXTPROC. So I started implementing the "signal" channel request. However, the description of the request is inadequate. RFC4254 section 6.9 says the 'signal name' values are the same as discussed in 6.10 for the "exit-signal" message. But that list of signals is specifically limited to values that can cause a program to exit, and be returned in a program's exit status. This list of signals you can *...

Hi, Currently, OpenSSH only accepts the SOCKS5 command "CONNECT": <https://anongit.mindrot.org/openssh.git/tree/channels.c#n1281> The RFC also specifies the commands "BIND" and "UDP ASSOCIATE": <https://tools.ietf.org/html/rfc1928#section-4> As a consequence, in particular, a SOCKS5 server started with "ssh -D" cannot proxify UDP packets. Are

Hi everybody I?d like to resurrect the discussion on a known issue with the openssh server, regarding signal delivery as described in rfc4254 This has been originally reported about ten years ago in this thread: https://bugzilla.mindrot.org/show_bug.cgi?id=1424 I am taking he liberty to copy a few people who contributed that thread over time The discussion does not seem to expose the reasons that lead to the feature being held back fo...

...vices and thus they had to use rlogin because it handles local flow control correctly for them. An easy and quick/dirty method was to remove IXON & IXOFF flags from sshtty.c:enter_raw_mode(), but it can easily brake transparency. Another standart method to use was a must. According to IETF RFC4254 ssh server can provide client an idea of doing the control flow at the client side. A special SSH_MSG_CHANNEL_REQUEST message with "xon-xoff" string MUST be used, and client MAY ignore this message. This feature is not implemented in OpenSSH, nor in client nor in the server. As we ha...

Hi! Is it possible to override in OpenSSH so that the shell specified in the /etc/passwd (or what comes from the LDAP server) is not executed at login? We have na?vely tried to specify this with subsystem but found out that by default the ssh client does not specify any subsystem. So how to override something that is unset from the client? /John -- John Olsson Ericsson AB BSC/BSS System

https://bugzilla.mindrot.org/show_bug.cgi?id=2312 Bug ID: 2312 Summary: [Query] Window resizing support in ssh Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: major Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org

Hi, I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here. Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed: --- channels_old.c?? ?Mon Mar? 4 02:07:06 2002 +++ channels.c?? ?Mon Mar? 4 02:07:16 2002 @@ -151,7 +151,7 @@ ?channel_lookup(int id) ?{ ??? ?Channel *c; -??

https://bugzilla.mindrot.org/show_bug.cgi?id=2578 Bug ID: 2578 Summary: -W should honor -4 and -b Product: Portable OpenSSH Version: 7.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=1334 Summary: Bind tunnels to given interface on the server Product: Portable OpenSSH Version: 4.6p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy:

...r started with "ssh -D" > > cannot proxify UDP packets. > > > > Are there deep reasons why OpenSSH does not implement them (security, or > > whatever)? > > ssh -D accepts SOCKS CONNECT requests and maps them to SSH > "direct-tcpip" requests (see RFC4254 section 7.2). These are only > defined for TCP, there's no equivalent for UDP. Thank you for your answer. So if I understand correctly, making "ssh -D" create a "full" SOCKS5 server, including UDP relay?, would require to add a new SSH request type (like "relay-ud...

...command arguments to a single string without escaping them. (I concede there may be no "standard" way to do such escaping.) It also appears that the ssh protocol defines the command as a single string, not an argv-style list of multiple strings. (See section 6.5 of https://www.ssh.com/a/rfc4254.txt .) It might be worth documenting the escape-less flattening of the command (and the corresponding loss of information) on the ssh manpage. I could write something and submit a patch, if the openssh developers are interested. Cheers, Parke

https://bugzilla.mindrot.org/show_bug.cgi?id=2094 Bug ID: 2094 Summary: Executing commands via ssh on a remote host has different parameter passing properties Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: OpenBSD Status: NEW Severity:

...t subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. Fro...

https://bugzilla.mindrot.org/show_bug.cgi?id=2477 Bug ID: 2477 Summary: backspace in interactive session does not delete multi-byte Unicode characters correctly Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

...detect errors in either specified port number. (bz#1378) - Fix memory leak in ssh(1) ~ escape commandline handling. (bz#1379) - Make ssh(1) skip listening on the IPv6 wildcard address when a binding address of 0.0.0.0 is used against an old SSH server that does not support the RFC4254 syntax for wildcard bind addresses. (bz#1381) - Remove extra backslashes in the RB_PROTOTYPE macro definition. (bz#1385) - Support ssh(1) RekeyLimits up to the maximum allowed by the protocol: 2**32-1. (bz#1390) - Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as...

...detect errors in either specified port number. (bz#1378) - Fix memory leak in ssh(1) ~ escape commandline handling. (bz#1379) - Make ssh(1) skip listening on the IPv6 wildcard address when a binding address of 0.0.0.0 is used against an old SSH server that does not support the RFC4254 syntax for wildcard bind addresses. (bz#1381) - Remove extra backslashes in the RB_PROTOTYPE macro definition. (bz#1385) - Support ssh(1) RekeyLimits up to the maximum allowed by the protocol: 2**32-1. (bz#1390) - Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as...

...t subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. Fro...

...ng fork()+exec() or similar, without invoking the shell. This would help avoid quoting confusion, shell metacharacter attacks and things like shellshock. This appears to require a protocol extension to work since RFC 4254 specifies just a string to be passed with exec: https://tools.ietf.org/html/rfc4254#section-6.5 There could be: A client-side option to turn it on. A server-side option (sshd_config, authorized_keys) to allow it. A server-side option (sshd_config, authorized_keys) to disallow in-shell commands and interactive shells. A way to pass the original command requested by the user to...