
(-)ipclass.h (+20 lines)
Added Link Here
1
/*
2
 * Temporarily needed file until glibc 2.12 becomes ubiquitous.
3
 */
4
#ifndef __IPCLASS_H__
5
#define __IPCLASS_H__
6
7
/* in glibc 2.12 */
8
#ifndef IPTOS_CLASS_CS0
9
#define IPTOS_CLASS_CS0		0x00
10
#define IPTOS_CLASS_CS1		0x20
11
#define IPTOS_CLASS_CS2		0x40
12
#define IPTOS_CLASS_CS3		0x60
13
#define IPTOS_CLASS_CS4		0x80
14
#define IPTOS_CLASS_CS5		0xa0
15
#define IPTOS_CLASS_CS6		0xc0
16
#define IPTOS_CLASS_CS7		0xe0
17
#endif
18
19
#endif /* __IPCLASS_H__ */
20
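Review bot: The fallback header only supplies IPTOS_CLASS_CS0..CS7, yet the qos[] tables this patch adds to readconf.c and servconf.c also use IPTOS_DSCP_AF11..AF43 and IPTOS_DSCP_EF, so a libc old enough to lack IPTOS_CLASS_CS0 will presumably fail to compile those tables unless it happens to define the DSCP macros separately. Either add the DSCP codepoints (the RFC 2597/3246 DSCP values shifted left by 2) under their own guard, or wrap each DSCP table entry in an `#ifdef`. Separately, `__IPCLASS_H__` is a reserved identifier (leading double underscore); `IPCLASS_H` would do.
```c
/* in glibc 2.12 */
#ifndef IPTOS_CLASS_CS0
/* … unchanged: IPTOS_CLASS_CS0..CS7 … */
#endif

/* RFC 2597 AF and RFC 3246 EF codepoints, DSCP value << 2 */
#ifndef IPTOS_DSCP_AF11
#define IPTOS_DSCP_AF11		0x28
#define IPTOS_DSCP_AF12		0x30
#define IPTOS_DSCP_AF13		0x38
#define IPTOS_DSCP_AF21		0x48
#define IPTOS_DSCP_AF22		0x50
#define IPTOS_DSCP_AF23		0x58
#define IPTOS_DSCP_AF31		0x68
#define IPTOS_DSCP_AF32		0x70
#define IPTOS_DSCP_AF33		0x78
#define IPTOS_DSCP_AF41		0x88
#define IPTOS_DSCP_AF42		0x90
#define IPTOS_DSCP_AF43		0x98
#define IPTOS_DSCP_EF		0xb8
#endif
```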
(-)packet.c (-5 / +4 lines)
Lines 74-79 Link Here
74
#include "misc.h"
74
#include "misc.h"
75
#include "ssh.h"
75
#include "ssh.h"
76
#include "roaming.h"
76
#include "roaming.h"
77
#include "readconf.h"
77
78
78
#ifdef PACKET_DEBUG
79
#ifdef PACKET_DEBUG
79
#define DBG(x) x
80
#define DBG(x) x
Lines 1716-1725 packet_not_very_much_data_to_write(void) Link Here
1716
}
1717
}
1717
1718
1718
static void
1719
static void
1719
packet_set_tos(int interactive)
1720
packet_set_tos(int tos)
1720
{
1721
{
1721
	int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
1722
1723
	if (!packet_connection_is_on_socket() ||
1722
	if (!packet_connection_is_on_socket() ||
1724
	    !packet_connection_is_ipv4())
1723
	    !packet_connection_is_ipv4())
1725
		return;
1724
		return;
Lines 1732-1738 packet_set_tos(int interactive) Link Here
1732
/* Informs that the current session is interactive.  Sets IP flags for that. */
1731
/* Informs that the current session is interactive.  Sets IP flags for that. */
1733
1732
1734
void
1733
void
1735
packet_set_interactive(int interactive)
1734
packet_set_interactive(int interactive, int qos[2])
1736
{
1735
{
1737
	if (active_state->set_interactive_called)
1736
	if (active_state->set_interactive_called)
1738
		return;
1737
		return;
Lines 1745-1751 packet_set_interactive(int interactive) Link Here
1745
	if (!packet_connection_is_on_socket())
1744
	if (!packet_connection_is_on_socket())
1746
		return;
1745
		return;
1747
	set_nodelay(active_state->connection_in);
1746
	set_nodelay(active_state->connection_in);
1748
	packet_set_tos(interactive);
1747
	packet_set_tos((u_char) (interactive ? qos[1] : qos[0]));
1749
}
1748
}
1750
1749
1751
/* Returns true if the current connection is interactive. */
1750
/* Returns true if the current connection is interactive. */
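Review bot: The comment above packet_set_interactive() still reads "Sets IP flags for that" and says nothing about the new `qos[2]` parameter, whose layout (index 0 = non-interactive, index 1 = interactive) is only discoverable from the ternary `packet_set_tos((u_char) (interactive ? qos[1] : qos[0]))`. Replace it with `/* Informs that the current session is interactive and sets the IP TOS/DSCP byte from qos[]: qos[0] for non-interactive, qos[1] for interactive sessions. Applied to IPv4 sockets only. */`. The IPv4 caveat matters because packet_set_tos() still returns early on `!packet_connection_is_ipv4()`, so a UseQoS value is silently ignored for IPv6 connections (the body of packet_set_tos continues outside the hunk; an IPV6_TCLASS equivalent would be needed to honour it there). The `(u_char)` cast also relies on both entries having been filled by fill_default_options(); a leftover -1 would become 0xff.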
(-)packet.h (-1 / +1 lines)
Lines 31-37 u_int packet_get_encryption_key(u_char *); Link Here
31
void     packet_set_protocol_flags(u_int);
31
void     packet_set_protocol_flags(u_int);
32
u_int	 packet_get_protocol_flags(void);
32
u_int	 packet_get_protocol_flags(void);
33
void     packet_start_compression(int);
33
void     packet_start_compression(int);
34
void     packet_set_interactive(int);
34
void     packet_set_interactive(int, int [2]);
35
int      packet_is_interactive(void);
35
int      packet_is_interactive(void);
36
void     packet_set_server(void);
36
void     packet_set_server(void);
37
void     packet_set_authenticated(void);
37
void     packet_set_authenticated(void);
(-)readconf.c (-95 / +185 lines)
Lines 40-45 Link Here
40
#include "kex.h"
40
#include "kex.h"
41
#include "mac.h"
41
#include "mac.h"
42
42
43
#include <netinet/in_systm.h>
44
#include <netinet/ip.h>
45
#ifndef IPTOS_CLASS_CS0
46
#include "ipclass.h"
47
#endif
48
43
/* Format of the configuration file:
49
/* Format of the configuration file:
44
50
45
   # Configuration data is parsed as follows:
51
   # Configuration data is parsed as follows:
Lines 128-133 typedef enum { Link Here
128
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
129
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
135
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
130
	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
136
	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
137
	oUseQoS,
131
	oDeprecated, oUnsupported
138
	oDeprecated, oUnsupported
132
} OpCodes;
139
} OpCodes;
133
140
Lines 135-241 typedef enum { Link Here
135
142
136
static struct {
143
static struct {
137
	const char *name;
144
	const char *name;
145
	int restricted;
138
	OpCodes opcode;
146
	OpCodes opcode;
139
} keywords[] = {
147
} keywords[] = {
140
	{ "forwardagent", oForwardAgent },
148
	{ "forwardagent",		0, oForwardAgent },
141
	{ "forwardx11", oForwardX11 },
149
	{ "forwardx11",			0, oForwardX11 },
142
	{ "forwardx11trusted", oForwardX11Trusted },
150
	{ "forwardx11trusted",		0, oForwardX11Trusted },
143
	{ "exitonforwardfailure", oExitOnForwardFailure },
151
	{ "exitonforwardfailure",	0, oExitOnForwardFailure },
144
	{ "xauthlocation", oXAuthLocation },
152
	{ "xauthlocation",		0, oXAuthLocation },
145
	{ "gatewayports", oGatewayPorts },
153
	{ "gatewayports",		0, oGatewayPorts },
146
	{ "useprivilegedport", oUsePrivilegedPort },
154
	{ "useprivilegedport",		0, oUsePrivilegedPort },
147
	{ "rhostsauthentication", oDeprecated },
155
	{ "rhostsauthentication",	0, oDeprecated },
148
	{ "passwordauthentication", oPasswordAuthentication },
156
	{ "passwordauthentication",	0, oPasswordAuthentication },
149
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157
	{ "kbdinteractiveauthentication", 0, oKbdInteractiveAuthentication },
150
	{ "kbdinteractivedevices", oKbdInteractiveDevices },
158
	{ "kbdinteractivedevices",	0, oKbdInteractiveDevices },
151
	{ "rsaauthentication", oRSAAuthentication },
159
	{ "rsaauthentication",		0, oRSAAuthentication },
152
	{ "pubkeyauthentication", oPubkeyAuthentication },
160
	{ "pubkeyauthentication",	0, oPubkeyAuthentication },
153
	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
161
	{ "dsaauthentication",		0, oPubkeyAuthentication },		    /* alias */
154
	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
162
	{ "rhostsrsaauthentication",	0, oRhostsRSAAuthentication },
155
	{ "hostbasedauthentication", oHostbasedAuthentication },
163
	{ "hostbasedauthentication",	0, oHostbasedAuthentication },
156
	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
164
	{ "challengeresponseauthentication", 0, oChallengeResponseAuthentication },
157
	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165
	{ "skeyauthentication",		0, oChallengeResponseAuthentication }, /* alias */
158
	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
166
	{ "tisauthentication",		0, oChallengeResponseAuthentication },  /* alias */
159
	{ "kerberosauthentication", oUnsupported },
167
	{ "kerberosauthentication",	0, oUnsupported },
160
	{ "kerberostgtpassing", oUnsupported },
168
	{ "kerberostgtpassing",		0, oUnsupported },
161
	{ "afstokenpassing", oUnsupported },
169
	{ "afstokenpassing",		0, oUnsupported },
162
#if defined(GSSAPI)
170
#if defined(GSSAPI)
163
	{ "gssapiauthentication", oGssAuthentication },
171
	{ "gssapiauthentication",	0, oGssAuthentication },
164
	{ "gssapidelegatecredentials", oGssDelegateCreds },
172
	{ "gssapidelegatecredentials",	0, oGssDelegateCreds },
165
#else
173
#else
166
	{ "gssapiauthentication", oUnsupported },
174
	{ "gssapiauthentication",	0, oUnsupported },
167
	{ "gssapidelegatecredentials", oUnsupported },
175
	{ "gssapidelegatecredentials",	0, oUnsupported },
168
#endif
176
#endif
169
	{ "fallbacktorsh", oDeprecated },
177
	{ "fallbacktorsh",		0, oDeprecated },
170
	{ "usersh", oDeprecated },
178
	{ "usersh",			0, oDeprecated },
171
	{ "identityfile", oIdentityFile },
179
	{ "identityfile",		0, oIdentityFile },
172
	{ "identityfile2", oIdentityFile },			/* obsolete */
180
	{ "identityfile2",		0, oIdentityFile },			/* obsolete */
173
	{ "identitiesonly", oIdentitiesOnly },
181
	{ "identitiesonly",		0, oIdentitiesOnly },
174
	{ "hostname", oHostName },
182
	{ "hostname",			0, oHostName },
175
	{ "hostkeyalias", oHostKeyAlias },
183
	{ "hostkeyalias",		0, oHostKeyAlias },
176
	{ "proxycommand", oProxyCommand },
184
	{ "proxycommand",		0, oProxyCommand },
177
	{ "port", oPort },
185
	{ "port",			0, oPort },
178
	{ "cipher", oCipher },
186
	{ "cipher",			0, oCipher },
179
	{ "ciphers", oCiphers },
187
	{ "ciphers",			0, oCiphers },
180
	{ "macs", oMacs },
188
	{ "macs",			0, oMacs },
181
	{ "protocol", oProtocol },
189
	{ "protocol",			0, oProtocol },
182
	{ "remoteforward", oRemoteForward },
190
	{ "remoteforward",		0, oRemoteForward },
183
	{ "localforward", oLocalForward },
191
	{ "localforward",		0, oLocalForward },
184
	{ "user", oUser },
192
	{ "user",			0, oUser },
185
	{ "host", oHost },
193
	{ "host",			0, oHost },
186
	{ "escapechar", oEscapeChar },
194
	{ "escapechar",			0, oEscapeChar },
187
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
195
	{ "globalknownhostsfile",	0, oGlobalKnownHostsFile },
188
	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },	/* obsolete */
196
	{ "globalknownhostsfile2",	0, oGlobalKnownHostsFile2 },	/* obsolete */
189
	{ "userknownhostsfile", oUserKnownHostsFile },
197
	{ "userknownhostsfile",		0, oUserKnownHostsFile },
190
	{ "userknownhostsfile2", oUserKnownHostsFile2 },	/* obsolete */
198
	{ "userknownhostsfile2",	0, oUserKnownHostsFile2 },	/* obsolete */
191
	{ "connectionattempts", oConnectionAttempts },
199
	{ "connectionattempts",		0, oConnectionAttempts },
192
	{ "batchmode", oBatchMode },
200
	{ "batchmode",			0, oBatchMode },
193
	{ "checkhostip", oCheckHostIP },
201
	{ "checkhostip",		0, oCheckHostIP },
194
	{ "stricthostkeychecking", oStrictHostKeyChecking },
202
	{ "stricthostkeychecking",	0, oStrictHostKeyChecking },
195
	{ "compression", oCompression },
203
	{ "compression",		0, oCompression },
196
	{ "compressionlevel", oCompressionLevel },
204
	{ "compressionlevel",		0, oCompressionLevel },
197
	{ "tcpkeepalive", oTCPKeepAlive },
205
	{ "tcpkeepalive",		0, oTCPKeepAlive },
198
	{ "keepalive", oTCPKeepAlive },				/* obsolete */
206
	{ "keepalive",			0, oTCPKeepAlive },				/* obsolete */
199
	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
207
	{ "numberofpasswordprompts",	0, oNumberOfPasswordPrompts },
200
	{ "loglevel", oLogLevel },
208
	{ "loglevel",			0, oLogLevel },
201
	{ "dynamicforward", oDynamicForward },
209
	{ "dynamicforward",		0, oDynamicForward },
202
	{ "preferredauthentications", oPreferredAuthentications },
210
	{ "preferredauthentications",	0, oPreferredAuthentications },
203
	{ "hostkeyalgorithms", oHostKeyAlgorithms },
211
	{ "hostkeyalgorithms",		0, oHostKeyAlgorithms },
204
	{ "bindaddress", oBindAddress },
212
	{ "bindaddress",		0, oBindAddress },
205
#ifdef ENABLE_PKCS11
213
#ifdef ENABLE_PKCS11
206
	{ "smartcarddevice", oPKCS11Provider },
214
	{ "smartcarddevice",		0, oPKCS11Provider },
207
	{ "pkcs11provider", oPKCS11Provider },
215
	{ "pkcs11provider",		0, oPKCS11Provider },
208
#else
216
#else
209
	{ "smartcarddevice", oUnsupported },
217
	{ "smartcarddevice",		0, oUnsupported },
210
	{ "pkcs11provider", oUnsupported },
218
	{ "pkcs11provider",		0, oUnsupported },
211
#endif
219
#endif
212
	{ "clearallforwardings", oClearAllForwardings },
220
	{ "clearallforwardings",	0, oClearAllForwardings },
213
	{ "enablesshkeysign", oEnableSSHKeysign },
221
	{ "enablesshkeysign",		0, oEnableSSHKeysign },
214
	{ "verifyhostkeydns", oVerifyHostKeyDNS },
222
	{ "verifyhostkeydns",		0, oVerifyHostKeyDNS },
215
	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
223
	{ "nohostauthenticationforlocalhost", 0, oNoHostAuthenticationForLocalhost },
216
	{ "rekeylimit", oRekeyLimit },
224
	{ "rekeylimit",			0, oRekeyLimit },
217
	{ "connecttimeout", oConnectTimeout },
225
	{ "connecttimeout",		0, oConnectTimeout },
218
	{ "addressfamily", oAddressFamily },
226
	{ "addressfamily",		0, oAddressFamily },
219
	{ "serveraliveinterval", oServerAliveInterval },
227
	{ "serveraliveinterval",	0, oServerAliveInterval },
220
	{ "serveralivecountmax", oServerAliveCountMax },
228
	{ "serveralivecountmax",	0, oServerAliveCountMax },
221
	{ "sendenv", oSendEnv },
229
	{ "sendenv",			0, oSendEnv },
222
	{ "controlpath", oControlPath },
230
	{ "controlpath",		0, oControlPath },
223
	{ "controlmaster", oControlMaster },
231
	{ "controlmaster",		0, oControlMaster },
224
	{ "hashknownhosts", oHashKnownHosts },
232
	{ "hashknownhosts",		0, oHashKnownHosts },
225
	{ "tunnel", oTunnel },
233
	{ "tunnel",			0, oTunnel },
226
	{ "tunneldevice", oTunnelDevice },
234
	{ "tunneldevice",		0, oTunnelDevice },
227
	{ "localcommand", oLocalCommand },
235
	{ "localcommand",		0, oLocalCommand },
228
	{ "permitlocalcommand", oPermitLocalCommand },
236
	{ "permitlocalcommand",		0, oPermitLocalCommand },
229
	{ "visualhostkey", oVisualHostKey },
237
	{ "visualhostkey",		0, oVisualHostKey },
230
	{ "useroaming", oUseRoaming },
238
	{ "useroaming",			0, oUseRoaming },
239
	{ "useqos",			1, oUseQoS},
231
#ifdef JPAKE
240
#ifdef JPAKE
232
	{ "zeroknowledgepasswordauthentication",
241
	{ "zeroknowledgepasswordauthentication", 0,
233
	    oZeroKnowledgePasswordAuthentication },
242
	    oZeroKnowledgePasswordAuthentication },
234
#else
243
#else
235
	{ "zeroknowledgepasswordauthentication", oUnsupported },
244
	{ "zeroknowledgepasswordauthentication", 0, oUnsupported },
236
#endif
245
#endif
237
246
238
	{ NULL, oBadOption }
247
	{ NULL,				0, oBadOption }
239
};
248
};
240
249
241
/*
250
/*
Lines 306-324 clear_forwardings(Options *options) Link Here
306
 */
315
 */
307
316
308
static OpCodes
317
static OpCodes
309
parse_token(const char *cp, const char *filename, int linenum)
318
parse_token(const char *cp, const char *filename, int linenum, int *restricted)
310
{
319
{
311
	u_int i;
320
	u_int i;
312
321
313
	for (i = 0; keywords[i].name; i++)
322
	for (i = 0; keywords[i].name; i++)
314
		if (strcasecmp(cp, keywords[i].name) == 0)
323
		if (strcasecmp(cp, keywords[i].name) == 0) {
324
			*restricted= keywords[i].restricted;
315
			return keywords[i].opcode;
325
			return keywords[i].opcode;
326
		}
316
327
317
	error("%s: line %d: Bad configuration option: %s",
328
	error("%s: line %d: Bad configuration option: %s",
318
	    filename, linenum, cp);
329
	    filename, linenum, cp);
319
	return oBadOption;
330
	return oBadOption;
320
}
331
}
321
332
333
struct {
334
	const char *name;
335
	int value;
336
} qos[] = {
337
	{ "cs0",	IPTOS_CLASS_CS0 },
338
	{ "cs1",	IPTOS_CLASS_CS1 },
339
	{ "cs2",	IPTOS_CLASS_CS2 },
340
	{ "cs3",	IPTOS_CLASS_CS3 },
341
	{ "cs4",	IPTOS_CLASS_CS4 },
342
	{ "cs5",	IPTOS_CLASS_CS5 },
343
	{ "cs6",	IPTOS_CLASS_CS6 },
344
	{ "cs7",	IPTOS_CLASS_CS7 },
345
	{ "af11",	IPTOS_DSCP_AF11 },
346
	{ "af12",	IPTOS_DSCP_AF12 },
347
	{ "af13",	IPTOS_DSCP_AF13 },
348
	{ "af21",	IPTOS_DSCP_AF21 },
349
	{ "af22",	IPTOS_DSCP_AF22 },
350
	{ "af23",	IPTOS_DSCP_AF23 },
351
	{ "af31",	IPTOS_DSCP_AF31 },
352
	{ "af32",	IPTOS_DSCP_AF32 },
353
	{ "af33",	IPTOS_DSCP_AF33 },
354
	{ "af41",	IPTOS_DSCP_AF41 },
355
	{ "af42",	IPTOS_DSCP_AF42 },
356
	{ "af43",	IPTOS_DSCP_AF43 },
357
	{ "ef",	  	IPTOS_DSCP_EF   },
358
	{ "lowdelay",	IPTOS_LOWDELAY  },
359
	{ "throughput",	IPTOS_THROUGHPUT },
360
	{ "reliability", IPTOS_RELIABILITY },
361
#ifdef IPTOS_LOWCOST
362
	{ "lowcost",	IPTOS_LOWCOST   },
363
#endif
364
#ifdef IPTOS_MINCOST
365
	{ "mincost",	IPTOS_MINCOST   },
366
#endif
367
	{ "none",	IPTOS_CLASS_CS0 },
368
	{ NULL,		-1              },
369
};
370
371
static int parse_qos(const char *cp)
372
{
373
	u_int i;
374
375
	for (i = 0; qos[i].name; i++)
376
		if (strcasecmp(cp, qos[i].name) == 0)
377
			return qos[i].value;
378
	return -1;
379
}
380
322
/*
381
/*
323
 * Processes a single option line as used in the configuration files. This
382
 * Processes a single option line as used in the configuration files. This
324
 * only sets those values that have not already been set.
383
 * only sets those values that have not already been set.
Lines 328-337 parse_token(const char *cp, const char *filename, int Link Here
328
int
387
int
329
process_config_line(Options *options, const char *host,
388
process_config_line(Options *options, const char *host,
330
		    char *line, const char *filename, int linenum,
389
		    char *line, const char *filename, int linenum,
331
		    int *activep)
390
		    int *activep, int systemwide)
332
{
391
{
333
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
392
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
334
	int opcode, *intptr, value, value2, scale;
393
	int opcode, *intptr, value, value2, scale, restricted;
335
	LogLevel *log_level_ptr;
394
	LogLevel *log_level_ptr;
336
	long long orig, val64;
395
	long long orig, val64;
337
	size_t len;
396
	size_t len;
Lines 354-361 process_config_line(Options *options, const char *host Link Here
354
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
413
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
355
		return 0;
414
		return 0;
356
415
357
	opcode = parse_token(keyword, filename, linenum);
416
	opcode = parse_token(keyword, filename, linenum, &restricted);
358
417
418
	if (restricted && !systemwide) {
419
		fatal("%s line %d: not permitted in user profile.", filename, linenum);
420
	}
421
359
	switch (opcode) {
422
	switch (opcode) {
360
	case oBadOption:
423
	case oBadOption:
361
		/* don't panic, but count bad options */
424
		/* don't panic, but count bad options */
Lines 917-922 parse_int: Link Here
917
		intptr = &options->use_roaming;
980
		intptr = &options->use_roaming;
918
		goto parse_flag;
981
		goto parse_flag;
919
982
983
	case oUseQoS:
984
		arg = strdelim(&s);
985
		if (arg == NULL || *arg == '\0')
986
			fatal("%.200s line %d: Missing non-interactive QoS argument.",
987
			    filename, linenum);
988
989
		arg2 = strdelim(&s);
990
		if (arg2 == NULL || *arg2 == '\0')
991
			fatal("%.200s line %d: Missing interactive QoS argument.",
992
			    filename, linenum);
993
994
		value = parse_qos(arg);
995
		value2 = parse_qos(arg2);
996
		if (value == -1 || value2 == -1)
997
			fatal("%.200s line %d: Bad QoS argument.",
998
			    filename, linenum);
999
1000
		options->use_qos[0] = value;
1001
		options->use_qos[1] = value2;
1002
		break;
1003
920
	case oDeprecated:
1004
	case oDeprecated:
921
		debug("%s line %d: Deprecated option \"%s\"",
1005
		debug("%s line %d: Deprecated option \"%s\"",
922
		    filename, linenum, keyword);
1006
		    filename, linenum, keyword);
Lines 948-954 parse_int: Link Here
948
1032
949
int
1033
int
950
read_config_file(const char *filename, const char *host, Options *options,
1034
read_config_file(const char *filename, const char *host, Options *options,
951
    int checkperm)
1035
    int checkperm, int systemwide)
952
{
1036
{
953
	FILE *f;
1037
	FILE *f;
954
	char line[1024];
1038
	char line[1024];
Lines 979-985 read_config_file(const char *filename, const char *hos Link Here
979
	while (fgets(line, sizeof(line), f)) {
1063
	while (fgets(line, sizeof(line), f)) {
980
		/* Update line number counter. */
1064
		/* Update line number counter. */
981
		linenum++;
1065
		linenum++;
982
		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1066
		if (process_config_line(options, host, line, filename, linenum, &active, systemwide) != 0)
983
			bad_options++;
1067
			bad_options++;
984
	}
1068
	}
985
	fclose(f);
1069
	fclose(f);
Lines 1067-1072 initialize_options(Options * options) Link Here
1067
	options->local_command = NULL;
1151
	options->local_command = NULL;
1068
	options->permit_local_command = -1;
1152
	options->permit_local_command = -1;
1069
	options->use_roaming = -1;
1153
	options->use_roaming = -1;
1154
	options->use_qos[0] = -1;
1155
	options->use_qos[1] = -1;
1070
	options->visual_host_key = -1;
1156
	options->visual_host_key = -1;
1071
	options->zero_knowledge_password_authentication = -1;
1157
	options->zero_knowledge_password_authentication = -1;
1072
}
1158
}
Lines 1215-1220 fill_default_options(Options * options) Link Here
1215
	/* options->hostname will be set in the main program if appropriate */
1301
	/* options->hostname will be set in the main program if appropriate */
1216
	/* options->host_key_alias should not be set by default */
1302
	/* options->host_key_alias should not be set by default */
1217
	/* options->preferred_authentications will be set in ssh */
1303
	/* options->preferred_authentications will be set in ssh */
1304
	if (options->use_qos[0] == -1)
1305
		options->use_qos[0] = IPTOS_THROUGHPUT;
1306
	if (options->use_qos[1] == -1)
1307
		options->use_qos[1] = IPTOS_LOWDELAY;
1218
}
1308
}
1219
1309
1220
/*
1310
/*
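Review bot: `restricted` is read uninitialized in the new check `if (restricted && !systemwide)` whenever the keyword is unknown: parse_token() only assigns `*restricted` inside the match branch and returns oBadOption without touching it, so an unrecognised option in a user config may fatal() with the misleading "not permitted in user profile" message instead of being counted by the oBadOption case as intended. Initialise it on the no-match path, e.g. make `*restricted = 0;` the first statement of parse_token(), or declare `int ... scale, restricted = 0;` in process_config_line(). Note the check also runs before the `*activep` test, so a restricted keyword inside a non-matching Host block is still fatal; if that is intended it deserves a comment. In the later hunk, the oUseQoS handler stores `options->use_qos[0]`/`[1]` without consulting `*activep` or the -1 "not yet set" convention described in the comment above process_config_line(), so a UseQoS line in a non-matching Host block of ssh_config still takes effect.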
(-)readconf.h (-2 / +4 lines)
Lines 126-131 typedef struct { Link Here
126
126
127
	int	use_roaming;
127
	int	use_roaming;
128
128
129
	int	use_qos[2];
130
129
}       Options;
131
}       Options;
130
132
131
#define SSHCTL_MASTER_NO	0
133
#define SSHCTL_MASTER_NO	0
Lines 136-146 typedef struct { Link Here
136
138
137
void     initialize_options(Options *);
139
void     initialize_options(Options *);
138
void     fill_default_options(Options *);
140
void     fill_default_options(Options *);
139
int	 read_config_file(const char *, const char *, Options *, int);
141
int	 read_config_file(const char *, const char *, Options *, int, int);
140
int	 parse_forward(Forward *, const char *, int, int);
142
int	 parse_forward(Forward *, const char *, int, int);
141
143
142
int
144
int
143
process_config_line(Options *, const char *, char *, const char *, int, int *);
145
process_config_line(Options *, const char *, char *, const char *, int, int *, int);
144
146
145
void	 add_local_forward(Options *, const Forward *);
147
void	 add_local_forward(Options *, const Forward *);
146
void	 add_remote_forward(Options *, const Forward *);
148
void	 add_remote_forward(Options *, const Forward *);
(-)servconf.c (-2 / +86 lines)
Lines 40-45 Link Here
40
#include "channels.h"
40
#include "channels.h"
41
#include "groupaccess.h"
41
#include "groupaccess.h"
42
42
43
#include <netinet/in_systm.h>
44
#include <netinet/in.h>
45
#include <netinet/ip.h>
46
#ifndef IPTOS_CLASS_CS0
47
#include "ipclass.h"
48
#endif
49
43
static void add_listen_addr(ServerOptions *, char *, int);
50
static void add_listen_addr(ServerOptions *, char *, int);
44
static void add_one_listen_addr(ServerOptions *, char *, int);
51
static void add_one_listen_addr(ServerOptions *, char *, int);
45
52
Lines 125-130 initialize_server_options(ServerOptions *options) Link Here
125
	options->revoked_keys_file = NULL;
132
	options->revoked_keys_file = NULL;
126
	options->trusted_user_ca_keys = NULL;
133
	options->trusted_user_ca_keys = NULL;
127
	options->authorized_principals_file = NULL;
134
	options->authorized_principals_file = NULL;
135
	options->use_qos[0] = -1;
136
	options->use_qos[1] = -1;
128
}
137
}
129
138
130
void
139
void
Lines 254-259 fill_default_server_options(ServerOptions *options) Link Here
254
		options->permit_tun = SSH_TUNMODE_NO;
263
		options->permit_tun = SSH_TUNMODE_NO;
255
	if (options->zero_knowledge_password_authentication == -1)
264
	if (options->zero_knowledge_password_authentication == -1)
256
		options->zero_knowledge_password_authentication = 0;
265
		options->zero_knowledge_password_authentication = 0;
266
	if (options->use_qos[0] == -1)
267
		options->use_qos[0] = IPTOS_THROUGHPUT;
268
	if (options->use_qos[1] == -1)
269
		options->use_qos[1] = IPTOS_LOWDELAY;
257
270
258
	/* Turn privilege separation on by default */
271
	/* Turn privilege separation on by default */
259
	if (use_privsep == -1)
272
	if (use_privsep == -1)
Lines 287-292 typedef enum { Link Here
287
	sUsePrivilegeSeparation, sAllowAgentForwarding,
300
	sUsePrivilegeSeparation, sAllowAgentForwarding,
288
	sZeroKnowledgePasswordAuthentication, sHostCertificate,
301
	sZeroKnowledgePasswordAuthentication, sHostCertificate,
289
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
302
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
303
	sUseQoS,
290
	sDeprecated, sUnsupported
304
	sDeprecated, sUnsupported
291
} ServerOpCodes;
305
} ServerOpCodes;
292
306
Lines 397-402 static struct { Link Here
397
	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
411
	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
398
	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
412
	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
399
	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_GLOBAL },
413
	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_GLOBAL },
414
	{ "useqos", sUseQoS, SSHCFG_ALL },
400
	{ NULL, sBadOption, 0 }
415
	{ NULL, sBadOption, 0 }
401
};
416
};
402
417
Lines 432-437 parse_token(const char *cp, const char *filename, Link Here
432
	return sBadOption;
447
	return sBadOption;
433
}
448
}
434
449
450
struct {
451
	const char *name;
452
	int value;
453
} qos[] = {
454
	{ "cs0",	IPTOS_CLASS_CS0 },
455
	{ "cs1",	IPTOS_CLASS_CS1 },
456
	{ "cs2",	IPTOS_CLASS_CS2 },
457
	{ "cs3",	IPTOS_CLASS_CS3 },
458
	{ "cs4",	IPTOS_CLASS_CS4 },
459
	{ "cs5",	IPTOS_CLASS_CS5 },
460
	{ "cs6",	IPTOS_CLASS_CS6 },
461
	{ "cs7",	IPTOS_CLASS_CS7 },
462
	{ "af11",	IPTOS_DSCP_AF11 },
463
	{ "af12",	IPTOS_DSCP_AF12 },
464
	{ "af13",	IPTOS_DSCP_AF13 },
465
	{ "af21",	IPTOS_DSCP_AF21 },
466
	{ "af22",	IPTOS_DSCP_AF22 },
467
	{ "af23",	IPTOS_DSCP_AF23 },
468
	{ "af31",	IPTOS_DSCP_AF31 },
469
	{ "af32",	IPTOS_DSCP_AF32 },
470
	{ "af33",	IPTOS_DSCP_AF33 },
471
	{ "af41",	IPTOS_DSCP_AF41 },
472
	{ "af42",	IPTOS_DSCP_AF42 },
473
	{ "af43",	IPTOS_DSCP_AF43 },
474
	{ "ef",	  	IPTOS_DSCP_EF   },
475
	{ "lowdelay",	IPTOS_LOWDELAY  },
476
	{ "throughput",	IPTOS_THROUGHPUT },
477
	{ "reliability", IPTOS_RELIABILITY },
478
#ifdef IPTOS_LOWCOST
479
	{ "lowcost",	IPTOS_LOWCOST   },
480
#endif
481
#ifdef IPTOS_MINCOST
482
	{ "mincost",	IPTOS_MINCOST   },
483
#endif
484
	{ "none",	IPTOS_CLASS_CS0 },
485
	{ NULL,		-1              },
486
};
487
488
static int parse_qos(const char *cp)
489
{
490
	u_int i;
491
492
	for (i = 0; qos[i].name; i++)
493
		if (strcasecmp(cp, qos[i].name) == 0)
494
			return qos[i].value;
495
	return -1;
496
}
497
435
char *
498
char *
436
derelativise_path(const char *path)
499
derelativise_path(const char *path)
437
{
500
{
Lines 625-632 process_server_config_line(ServerOptions *options, cha Link Here
625
    const char *filename, int linenum, int *activep, const char *user,
688
    const char *filename, int linenum, int *activep, const char *user,
626
    const char *host, const char *address)
689
    const char *host, const char *address)
627
{
690
{
628
	char *cp, **charptr, *arg, *p;
691
	char *cp, **charptr, *arg, *arg2, *p;
629
	int cmdline = 0, *intptr, value, n;
692
	int cmdline = 0, *intptr, value, value2, n;
630
	SyslogFacility *log_facility_ptr;
693
	SyslogFacility *log_facility_ptr;
631
	LogLevel *log_level_ptr;
694
	LogLevel *log_level_ptr;
632
	ServerOpCodes opcode;
695
	ServerOpCodes opcode;
Lines 1307-1312 process_server_config_line(ServerOptions *options, cha Link Here
1307
	case sRevokedKeys:
1370
	case sRevokedKeys:
1308
		charptr = &options->revoked_keys_file;
1371
		charptr = &options->revoked_keys_file;
1309
		goto parse_filename;
1372
		goto parse_filename;
1373
1374
	case sUseQoS:
1375
		arg = strdelim(&cp);
1376
		if (arg == NULL || *arg == '\0')
1377
			fatal("%.200s line %d: Missing non-interactive QoS argument.",
1378
			    filename, linenum);
1379
1380
		arg2 = strdelim(&cp);
1381
		if (arg2 == NULL || *arg2 == '\0')
1382
			fatal("%.200s line %d: Missing interactive QoS argument.",
1383
			    filename, linenum);
1384
1385
		value = parse_qos(arg);
1386
		value2 = parse_qos(arg2);
1387
		if (value == -1 || value2 == -1)
1388
			fatal("%.200s line %d: Bad QoS argument.",
1389
			    filename, linenum);
1390
1391
		options->use_qos[0] = value;
1392
		options->use_qos[1] = value2;
1393
		break;
1310
1394
1311
	case sDeprecated:
1395
	case sDeprecated:
1312
		logit("%s line %d: Deprecated option %s",
1396
		logit("%s line %d: Deprecated option %s",
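Review bot: `useqos` is registered with SSHCFG_ALL, so it is accepted inside Match blocks, but the sUseQoS handler assigns `options->use_qos[0]` and `[1]` without checking `*activep`, so a UseQoS line in a Match block whose criteria do not match is still applied to the whole server. Guard the assignment the way Match-capable options are expected to, `if (*activep && options->use_qos[0] == -1) { options->use_qos[0] = value; options->use_qos[1] = value2; }`, and note that copy_set_server_options() (not in this patch) presumably also has to copy use_qos for a matching Match block to have any effect. The `qos[]` table and parse_qos() are duplicated verbatim from readconf.c and neither copy is `static`; making them `static const` or moving them to a shared helper would avoid the two tables drifting apart.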
(-)servconf.h (+2 lines)
Lines 155-160 typedef struct { Link Here
155
	char   *revoked_keys_file;
155
	char   *revoked_keys_file;
156
	char   *trusted_user_ca_keys;
156
	char   *trusted_user_ca_keys;
157
	char   *authorized_principals_file;
157
	char   *authorized_principals_file;
158
159
	int     use_qos[2];
158
}       ServerOptions;
160
}       ServerOptions;
159
161
160
void	 initialize_server_options(ServerOptions *);
162
void	 initialize_server_options(ServerOptions *);
(-)session.c (-2 / +2 lines)
Lines 587-593 do_exec_no_pty(Session *s, const char *command) Link Here
587
587
588
	s->pid = pid;
588
	s->pid = pid;
589
	/* Set interactive/non-interactive mode. */
589
	/* Set interactive/non-interactive mode. */
590
	packet_set_interactive(s->display != NULL);
590
	packet_set_interactive(s->display != NULL, options.use_qos);
591
591
592
#ifdef USE_PIPES
592
#ifdef USE_PIPES
593
	/* We are the parent.  Close the child sides of the pipes. */
593
	/* We are the parent.  Close the child sides of the pipes. */
Lines 715-721 do_exec_pty(Session *s, const char *command) Link Here
715
715
716
	/* Enter interactive session. */
716
	/* Enter interactive session. */
717
	s->ptymaster = ptymaster;
717
	s->ptymaster = ptymaster;
718
	packet_set_interactive(1);
718
	packet_set_interactive(1, options.use_qos);
719
	if (compat20) {
719
	if (compat20) {
720
		session_set_fds(s, ptyfd, fdout, -1, 1);
720
		session_set_fds(s, ptyfd, fdout, -1, 1);
721
	} else {
721
	} else {
(-)ssh-keysign.c (-1 / +1 lines)
Lines 176-182 main(int argc, char **argv) Link Here
176
176
177
	/* verify that ssh-keysign is enabled by the admin */
177
	/* verify that ssh-keysign is enabled by the admin */
178
	initialize_options(&options);
178
	initialize_options(&options);
179
	(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
179
	(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0, 1);
180
	fill_default_options(&options);
180
	fill_default_options(&options);
181
	if (options.enable_ssh_keysign != 1)
181
	if (options.enable_ssh_keysign != 1)
182
		fatal("ssh-keysign not enabled in %s",
182
		fatal("ssh-keysign not enabled in %s",
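Review bot: The new trailing `1` in the `read_config_file()` call is a bare literal whose meaning is not visible at the call site; in ssh.c the same patch passes `0` for the user's config file and `1` for `_PATH_HOST_CONFIG_FILE`, so it presumably marks the system-wide file, but a reader of ssh-keysign.c cannot tell that. Since the result of this call decides whether ssh-keysign is enabled at all, the flag deserves a named constant or at least an inline comment, e.g. `(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0, 1 /* system-wide config */);`. The same applies to the `read_config_file()` and `process_config_line()` calls changed in ssh.c, whose new last argument is likewise an unexplained `0` or `1`. The enclosing main() continues outside the hunk.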
(-)ssh.c (-6 / +6 lines)
Lines 522-528 main(int ac, char **av) Link Here
522
			dummy = 1;
522
			dummy = 1;
523
			line = xstrdup(optarg);
523
			line = xstrdup(optarg);
524
			if (process_config_line(&options, host ? host : "",
524
			if (process_config_line(&options, host ? host : "",
525
			    line, "command-line", 0, &dummy) != 0)
525
			    line, "command-line", 0, &dummy, 0) != 0)
526
				exit(255);
526
				exit(255);
527
			xfree(line);
527
			xfree(line);
528
			break;
528
			break;
Lines 632-649 main(int ac, char **av) Link Here
632
	 * file if the user specifies a config file on the command line.
632
	 * file if the user specifies a config file on the command line.
633
	 */
633
	 */
634
	if (config != NULL) {
634
	if (config != NULL) {
635
		if (!read_config_file(config, host, &options, 0))
635
		if (!read_config_file(config, host, &options, 0, 0))
636
			fatal("Can't open user config file %.100s: "
636
			fatal("Can't open user config file %.100s: "
637
			    "%.100s", config, strerror(errno));
637
			    "%.100s", config, strerror(errno));
638
	} else {
638
	} else {
639
		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
639
		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
640
		    _PATH_SSH_USER_CONFFILE);
640
		    _PATH_SSH_USER_CONFFILE);
641
		if (r > 0 && (size_t)r < sizeof(buf))
641
		if (r > 0 && (size_t)r < sizeof(buf))
642
			(void)read_config_file(buf, host, &options, 1);
642
			(void)read_config_file(buf, host, &options, 1, 0);
643
643
644
		/* Read systemwide configuration file after use config. */
644
		/* Read systemwide configuration file after use config. */
645
		(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
645
		(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
646
		    &options, 0);
646
		    &options, 0, 1);
647
	}
647
	}
648
648
649
	/* Fill configuration defaults. */
649
	/* Fill configuration defaults. */
Lines 1095-1101 ssh_session(void) Link Here
1095
		}
1095
		}
1096
	}
1096
	}
1097
	/* Tell the packet module whether this is an interactive session. */
1097
	/* Tell the packet module whether this is an interactive session. */
1098
	packet_set_interactive(interactive);
1098
	packet_set_interactive(interactive, options.use_qos);
1099
1099
1100
	/* Request authentication agent forwarding if appropriate. */
1100
	/* Request authentication agent forwarding if appropriate. */
1101
	check_agent_present();
1101
	check_agent_present();
Lines 1192-1198 ssh_session2_setup(int id, int success, void *arg) Link Here
1192
	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
1192
	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
1193
	    NULL, fileno(stdin), &command, environ);
1193
	    NULL, fileno(stdin), &command, environ);
1194
1194
1195
	packet_set_interactive(interactive);
1195
	packet_set_interactive(interactive, options.use_qos);
1196
}
1196
}
1197
1197
1198
/* open new channel for a session */
1198
/* open new channel for a session */
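--- a/ssh_config
+++ b/ssh_config
@@ -45,3 +45,4 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   UseQoS throughput lowdelay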
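--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1050,6 +1050,38 @@ Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
 This saves the trouble of
 having to remember to give the user name on the command line.
+.It Cm UseQoS
+Specifies how
+.Xr ssh 1
+applies IP TOS (type of service) marking to traffic.  It takes two values,
+one for non-interactive traffic (\c
+.Xr scp 1
+or
+.Xr ssh 1
+being run with a command), and another for interactive traffic.
+Values may be
+.Dq cs0 ,
+.Dq cs1 ,
+\&...
+.Dq cs7 ,
+.Dq af11 ,
+.Dq af12 ,
+\&...
+.Dq af43 ,
+.Dq ef ,
+.Dq lowdelay ,
+.Dq throughput ,
+etc.  The default is
+.Dq cs0
+for both.  In an RFC-4594 environment,
+.Dq cs2
+and
+.Dq af41
+would be used, respectively.  Legacy behavior would
+.Dq throughput
+and
+.Dq lowdelay ,
+respectively.
 .It Cm UserKnownHostsFile
 Specifies a file to use for the user
 host key database instead of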
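--- a/sshd_config
+++ b/sshd_config
@@ -97,6 +97,9 @@
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+# traditional ToS (deprecated: consider using af12 and cs2)
+#UseQoS throughput lowdelay
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no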
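Review bot: The recommendation in the new comment, `consider using af12 and cs2`, disagrees with the sshd_config.5 text added in the same patch, which says that in an RFC-4594 environment `cs2` and `af41` would be used for non-interactive and interactive traffic respectively. One of the two should be corrected so the sample file and the manual recommend the same pair in the same order; if the manual is authoritative the line would read `# traditional ToS (deprecated: consider using cs2 and af41)`. The example `#UseQoS throughput lowdelay` itself matches the manual's non-interactive-then-interactive order.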
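--- a/sshd_config.5
+++ b/sshd_config.5
@@ -985,6 +985,38 @@ The goal of privilege separation is to prevent privile
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
+.It Cm UseQoS
+Specifies how
+.Xr sshd 8
+applies IP TOS (type of service) marking to traffic.  It takes two values,
+one for non-interactive traffic (\c
+.Xr scp 1
+or
+.Xr ssh 1
+being run with a command), and another for interactive traffic.
+Values may be
+.Dq cs0 ,
+.Dq cs1 ,
+\&...
+.Dq cs7 ,
+.Dq af11 ,
+.Dq af12 ,
+\&...
+.Dq af43 ,
+.Dq ef ,
+.Dq lowdelay ,
+.Dq throughput ,
+etc.  The default is
+.Dq cs0
+for both.  In an RFC-4594 environment,
+.Dq cs2
+and
+.Dq af41
+would be used, respectively.  Legacy behavior would
+.Dq throughput
+and
+.Dq lowdelay ,
+respectively.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's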
