Bugzilla – Attachment 3118 Details for
Bug 2830
Add option to set TCP_USER_TIMEOUT on Linux
[patch]
Adds support for TCP_USER_TIMEOUT.
ssh_tcp_user_timeout.patch (text/plain), 11.35 KB, created by
Julien Wallior
on 2018-02-01 10:08:04 AEDT
Description:
Adds support for TCP_USER_TIMEOUT.
Filename:
MIME Type:
Creator:
Julien Wallior
Created:
2018-02-01 10:08:04 AEDT
Size:
11.35 KB
patch
obsolete
>diff --git a/configure.ac b/configure.ac
>index c14f484..9c952c5 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -370,6 +370,7 @@ AC_CHECK_HEADERS([ \
> maillock.h \
> ndir.h \
> net/if_tun.h \
>+ netinet/tcp.h \
> netdb.h \
> netgroup.h \
> pam/pam_appl.h \
>diff --git a/readconf.c b/readconf.c
>index 10b57bd..abf36df 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -151,7 +151,7 @@ typedef enum {
> oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
> oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
>- oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
>+ oCompressionLevel, oTCPKeepAlive, oTCPUserTimeout, oNumberOfPasswordPrompts,
> oUsePrivilegedPort, oLogFacility, oLogLevel, oCiphers, oMacs,
> oPubkeyAuthentication,
> oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
>@@ -259,6 +259,7 @@ static struct {
> { "compression", oCompression },
> { "tcpkeepalive", oTCPKeepAlive },
> { "keepalive", oTCPKeepAlive }, /* obsolete */
>+ { "tcpusertimeout", oTCPUserTimeout },
> { "numberofpasswordprompts", oNumberOfPasswordPrompts },
> { "syslogfacility", oLogFacility },
> { "loglevel", oLogLevel },
>@@ -979,6 +980,10 @@ parse_time:
> intptr = &options->tcp_keep_alive;
> goto parse_flag;
>
>+ case oTCPUserTimeout:
>+ intptr = &options->tcp_user_timeout;
>+ goto parse_int;
>+
> case oNoHostAuthenticationForLocalhost:
> intptr = &options->no_host_authentication_for_localhost;
> goto parse_flag;
>@@ -1770,6 +1775,7 @@ initialize_options(Options * options)
> options->strict_host_key_checking = -1;
> options->compression = -1;
> options->tcp_keep_alive = -1;
>+ options->tcp_user_timeout = -1;
> options->port = -1;
> options->address_family = -1;
> options->connection_attempts = -1;
>@@ -2493,6 +2499,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
> dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
> dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
>+ dump_cfg_fmtint(oTCPUserTimeout, o->tcp_user_timeout);
> dump_cfg_fmtint(oTunnel, o->tun_open);
> dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port);
> dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
>diff --git a/readconf.h b/readconf.h
>index 34aad83..0b90873 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -52,6 +52,7 @@ typedef struct {
> int strict_host_key_checking; /* Strict host key checking. */
> int compression; /* Compress packets in both directions. */
> int tcp_keep_alive; /* Set SO_KEEPALIVE. */
>+ int tcp_user_timeout; /* Set TCP_USER_TIMEOUT */
> int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
> int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
> SyslogFacility log_facility; /* Facility for system logging. */
>diff --git a/scp.1 b/scp.1
>index d6d9d97..d993412 100644
>--- a/scp.1
>+++ b/scp.1
>@@ -174,6 +174,7 @@ For full details of the options listed below, and their possible values, see
> .It ServerAliveCountMax
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It UpdateHostKeys
> .It UsePrivilegedPort
> .It User
>diff --git a/servconf.c b/servconf.c
>index ff94bbd..7f9e1f2 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -110,6 +110,7 @@ initialize_server_options(ServerOptions *options)
> options->xauth_location = NULL;
> options->strict_modes = -1;
> options->tcp_keep_alive = -1;
>+ options->tcp_user_timeout = -1;
> options->log_facility = SYSLOG_FACILITY_NOT_SET;
> options->log_level = SYSLOG_LEVEL_NOT_SET;
> options->hostbased_authentication = -1;
>@@ -449,7 +450,7 @@ typedef enum {
> sListenAddress, sAddressFamily,
> sPrintMotd, sPrintLastLog, sIgnoreRhosts,
> sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
>- sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
>+ sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sTCPUserTimeout,
> sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
> sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
> sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
>@@ -567,6 +568,7 @@ static struct {
> { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
> { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
> { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
>+ { "tcpusertimeout", sTCPUserTimeout, SSHCFG_GLOBAL },
> { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
> { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
> { "allowusers", sAllowUsers, SSHCFG_ALL },
>@@ -1473,6 +1475,10 @@ process_server_config_line(ServerOptions *options, char *line,
> intptr = &options->tcp_keep_alive;
> goto parse_flag;
>
>+ case sTCPUserTimeout:
>+ intptr = &options->tcp_user_timeout;
>+ goto parse_int;
>+
> case sEmptyPasswd:
> intptr = &options->permit_empty_passwd;
> goto parse_flag;
>@@ -2469,6 +2475,7 @@ dump_config(ServerOptions *o)
> dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
> dump_cfg_fmtint(sStrictModes, o->strict_modes);
> dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
>+ dump_cfg_fmtint(sTCPUserTimeout, o->tcp_user_timeout);
> dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
> dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
> dump_cfg_fmtint(sCompression, o->compression);
>diff --git a/servconf.h b/servconf.h
>index 37a0fb1..ee4f7ba 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -104,6 +104,7 @@ typedef struct {
> int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
> int strict_modes; /* If true, require string home dir modes. */
> int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
>+ int tcp_user_timeout; /* Set SO_USER_TIMEOUT. */
> int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
> int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
> char *ciphers; /* Supported SSH2 ciphers. */
>diff --git a/sftp.1 b/sftp.1
>index 529be7f..e48bff7 100644
>--- a/sftp.1
>+++ b/sftp.1
>@@ -244,6 +244,7 @@ For full details of the options listed below, and their possible values, see
> .It ServerAliveCountMax
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It UpdateHostKeys
> .It UsePrivilegedPort
> .It User
>diff --git a/ssh.1 b/ssh.1
>index 9de2a11..5929ce4 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -525,6 +525,7 @@ For full details of the options listed below, and their possible values, see
> .It StreamLocalBindUnlink
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It Tunnel
> .It TunnelDevice
> .It UpdateHostKeys
>diff --git a/ssh.c b/ssh.c
>index 8626254..3b423a3 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -1301,6 +1301,7 @@ main(int ac, char **av)
> if (ssh_connect(ssh, host, addrs, &hostaddr, options.port,
> options.address_family, options.connection_attempts,
> &timeout_ms, options.tcp_keep_alive,
>+ options.tcp_user_timeout,
> options.use_privileged_port) != 0)
> exit(255);
>
>diff --git a/ssh_config.5 b/ssh_config.5
>index c1bd7df..550a5ef 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -1510,6 +1510,11 @@ This is important in scripts, and many users want it too.
> .Pp
> To disable TCP keepalive messages, the value should be set to
> .Cm no .
>+.It Cm TCPUserTimeout
>+Specifies the value of the TCP_USER_TIMEOUT socket option on the ssh
>+socket.
>+.Pp
>+The default is to not set that option.
> .It Cm Tunnel
> Request
> .Xr tun 4
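Review bot: The comment on the new servconf.h field, `/* Set SO_USER_TIMEOUT. */`, names a socket option that does not exist; the value is passed to setsockopt as `TCP_USER_TIMEOUT`, and the parallel readconf.h field in this same patch already says `/* Set TCP_USER_TIMEOUT */`. Neither header comment nor the added man page text says what unit the integer is in, and a reader configuring it has no way to tell whether 30 means seconds or milliseconds (on Linux the kernel takes milliseconds). Suggest `int tcp_user_timeout; /* Set TCP_USER_TIMEOUT (milliseconds); -1 = unset. */` here and the same wording in readconf.h, and a unit sentence in the ssh_config.5 and sshd_config.5 entries.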
>diff --git a/sshconnect.c b/sshconnect.c
>index 4497770..c255bab 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -19,6 +19,9 @@
> #include <sys/wait.h>
> #include <sys/stat.h>
> #include <sys/socket.h>
>+#ifdef HAVE_NETINET_TCP_H
>+#include <netinet/tcp.h>
>+#endif
> #ifdef HAVE_SYS_TIME_H
> # include <sys/time.h>
> #endif
>@@ -413,7 +416,8 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
> static int
> ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
> struct sockaddr_storage *hostaddr, u_short port, int family,
>- int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
>+ int connection_attempts, int *timeout_ms, int want_keepalive,
>+ int tcp_user_timeout, int needpriv)
> {
> int on = 1;
> int sock = -1, attempt;
>@@ -484,6 +488,14 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
> sizeof(on)) < 0)
> error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
>
>+#if defined(HAVE_NETINET_TCP_H) && defined(SOL_TCP) && defined(TCP_USER_TIMEOUTS)
>+ /* Set SO_TCP_USER_TIMEOUT if requested. */
>+ if (tcp_user_timeout > 0 &&
>+ setsockopt(sock, SOL_TCP, TCP_USER_TIMEOUT, (void *)&tcp_user_timeout,
>+ sizeof(tcp_user_timeout)) < 0)
>+ error("setsockopt TCP_USER_TIMEOUT: %.100s", strerror(errno));
>+#endif
>+
> /* Set the connection. */
> if (ssh_packet_set_connection(ssh, sock, sock) == NULL)
> return -1; /* ssh_packet_set_connection logs error */
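Review bot: The preprocessor guard tests `defined(TCP_USER_TIMEOUTS)` (trailing S) while the body uses `TCP_USER_TIMEOUT`; unless something defines that misspelled name, the whole block is compiled out and a configured TCPUserTimeout silently does nothing, which is easy to miss because the option still parses and dumps fine. The guard should read `#if defined(HAVE_NETINET_TCP_H) && defined(SOL_TCP) && defined(TCP_USER_TIMEOUT)`, and the sshd.c hunk later in this patch has the same typo. `SOL_TCP` is also a Linux-only level name, so `setsockopt(sock, IPPROTO_TCP, TCP_USER_TIMEOUT, &tcp_user_timeout, sizeof(tcp_user_timeout))` would drop both the SOL_TCP condition and the unneeded `(void *)` cast. The comment `/* Set SO_TCP_USER_TIMEOUT if requested. */` names a non-existent option; `/* Set TCP_USER_TIMEOUT if requested. */` matches the code. ssh_connect_direct's body continues outside the hunk.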
>@@ -494,12 +506,13 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
> int
> ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs,
> struct sockaddr_storage *hostaddr, u_short port, int family,
>- int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
>+ int connection_attempts, int *timeout_ms, int want_keepalive,
>+ int tcp_user_timeout, int needpriv)
> {
> if (options.proxy_command == NULL) {
> return ssh_connect_direct(ssh, host, addrs, hostaddr, port,
> family, connection_attempts, timeout_ms, want_keepalive,
>- needpriv);
>+ tcp_user_timeout, needpriv);
> } else if (strcmp(options.proxy_command, "-") == 0) {
> if ((ssh_packet_set_connection(ssh,
> STDIN_FILENO, STDOUT_FILENO)) == NULL)
>diff --git a/sshconnect.h b/sshconnect.h
>index b5029e2..a35f42d 100644
>--- a/sshconnect.h
>+++ b/sshconnect.h
>@@ -35,7 +35,7 @@ struct addrinfo;
> struct ssh;
>
> int ssh_connect(struct ssh *, const char *, struct addrinfo *,
>- struct sockaddr_storage *, u_short, int, int, int *, int, int);
>+ struct sockaddr_storage *, u_short, int, int, int *, int, int, int);
> void ssh_kill_proxy_command(void);
>
> void ssh_login(Sensitive *, const char *, struct sockaddr *, u_short,
>diff --git a/sshd.c b/sshd.c
>index a69537b..157fa74 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -47,6 +47,9 @@
> #include <sys/types.h>
> #include <sys/ioctl.h>
> #include <sys/socket.h>
>+#ifdef HAVE_NETINET_TCP_H
>+#include <netinet/tcp.h>
>+#endif
> #ifdef HAVE_SYS_STAT_H
> # include <sys/stat.h>
> #endif
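Review bot: `tcp_user_timeout` is only forwarded on the `options.proxy_command == NULL` branch of ssh_connect; when a ProxyCommand is configured the new parameter is accepted and dropped, so TCPUserTimeout has no effect on such connections. That is presumably intended, since the transport is then a pipe or a socket ssh did not create, but nothing in the patch says so. Suggest a comment on the proxy branch, `/* tcp_user_timeout is not applied here: the proxy owns the transport. */`, and a matching sentence in the ssh_config.5 entry. ssh_connect's body continues past the end of the hunk.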
>@@ -2025,6 +2028,14 @@ main(int ac, char **av)
> setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
> error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
>
>+#if defined(HAVE_NETINET_TCP_H) && defined(SOL_TCP) && defined(TCP_USER_TIMEOUTS)
>+ /* Set SO_TCP_USER_TIMEOUT if requested. */
>+ if (options.tcp_user_timeout > 0 && packet_connection_is_on_socket() &&
>+ setsockopt(sock_in, SOL_TCP, TCP_USER_TIMEOUT,
>+ &options.tcp_user_timeout, sizeof(options.tcp_user_timeout)) < 0)
>+ error("setsockopt TCP_USER_TIMEOUT: %.100s", strerror(errno));
>+#endif
>+
> if ((remote_port = ssh_remote_port(ssh)) < 0) {
> debug("ssh_remote_port failed");
> cleanup_exit(255);
>diff --git a/sshd_config.5 b/sshd_config.5
>index 99e4418..11378f9 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1477,6 +1477,11 @@ This avoids infinitely hanging sessions.
> .Pp
> To disable TCP keepalive messages, the value should be set to
> .Cm no .
>+.It Cm TCPUserTimeout
>+Specifies the value of the TCP_USER_TIMEOUT socket option on the ssh
>+socket.
>+.Pp
>+The default is to not set that option.
> .It Cm TrustedUserCAKeys
> Specifies a file containing public keys of certificate authorities that are
> trusted to sign user certificates for authentication, or