Attachment 3118 Details for Bug 2830 – Adds support for TCP_USER_TIMEOUT.

[patch] Adds support for TCP_USER_TIMEOUT.

ssh_tcp_user_timeout.patch (text/plain), 11.35 KB, created by Julien Wallior on 2018-02-01 10:08:04 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Julien Wallior

Created: 2018-02-01 10:08:04 AEDT

Size: 11.35 KB

patch

obsolete

>diff --git a/configure.ac b/configure.ac
>index c14f484..9c952c5 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -370,6 +370,7 @@ AC_CHECK_HEADERS([ \
> 	maillock.h \
> 	ndir.h \
> 	net/if_tun.h \
>+	netinet/tcp.h \
> 	netdb.h \
> 	netgroup.h \
> 	pam/pam_appl.h \
>diff --git a/readconf.c b/readconf.c
>index 10b57bd..abf36df 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -151,7 +151,7 @@ typedef enum {
> 	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
> 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
>-	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
>+	oCompressionLevel, oTCPKeepAlive, oTCPUserTimeout, oNumberOfPasswordPrompts,
> 	oUsePrivilegedPort, oLogFacility, oLogLevel, oCiphers, oMacs,
> 	oPubkeyAuthentication,
> 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
>@@ -259,6 +259,7 @@ static struct {
> 	{ "compression", oCompression },
> 	{ "tcpkeepalive", oTCPKeepAlive },
> 	{ "keepalive", oTCPKeepAlive },				/* obsolete */
>+	{ "tcpusertimeout", oTCPUserTimeout },
> 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
> 	{ "syslogfacility", oLogFacility },
> 	{ "loglevel", oLogLevel },
>@@ -979,6 +980,10 @@ parse_time:
> 		intptr = &options->tcp_keep_alive;
> 		goto parse_flag;
> 
>+	case oTCPUserTimeout:
>+		intptr = &options->tcp_user_timeout;
>+		goto parse_int;
>+
> 	case oNoHostAuthenticationForLocalhost:
> 		intptr = &options->no_host_authentication_for_localhost;
> 		goto parse_flag;
>@@ -1770,6 +1775,7 @@ initialize_options(Options * options)
> 	options->strict_host_key_checking = -1;
> 	options->compression = -1;
> 	options->tcp_keep_alive = -1;
>+	options->tcp_user_timeout = -1;
> 	options->port = -1;
> 	options->address_family = -1;
> 	options->connection_attempts = -1;
>@@ -2493,6 +2499,7 @@ dump_client_config(Options *o, const char *host)
> 	dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
> 	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
> 	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
>+	dump_cfg_fmtint(oTCPUserTimeout, o->tcp_user_timeout);
> 	dump_cfg_fmtint(oTunnel, o->tun_open);
> 	dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port);
> 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
>diff --git a/readconf.h b/readconf.h
>index 34aad83..0b90873 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -52,6 +52,7 @@ typedef struct {
> 	int     strict_host_key_checking;	/* Strict host key checking. */
> 	int     compression;	/* Compress packets in both directions. */
> 	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
>+	int     tcp_user_timeout; /* Set TCP_USER_TIMEOUT */
> 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
> 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
> 	SyslogFacility log_facility;	/* Facility for system logging. */
>diff --git a/scp.1 b/scp.1
>index d6d9d97..d993412 100644
>--- a/scp.1
>+++ b/scp.1
>@@ -174,6 +174,7 @@ For full details of the options listed below, and their possible values, see
> .It ServerAliveCountMax
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It UpdateHostKeys
> .It UsePrivilegedPort
> .It User
>diff --git a/servconf.c b/servconf.c
>index ff94bbd..7f9e1f2 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -110,6 +110,7 @@ initialize_server_options(ServerOptions *options)
> 	options->xauth_location = NULL;
> 	options->strict_modes = -1;
> 	options->tcp_keep_alive = -1;
>+	options->tcp_user_timeout = -1;
> 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
> 	options->log_level = SYSLOG_LEVEL_NOT_SET;
> 	options->hostbased_authentication = -1;
>@@ -449,7 +450,7 @@ typedef enum {
> 	sListenAddress, sAddressFamily,
> 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
> 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
>-	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
>+	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sTCPUserTimeout,
> 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
> 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
> 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
>@@ -567,6 +568,7 @@ static struct {
> 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
> 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
> 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
>+	{ "tcpusertimeout", sTCPUserTimeout, SSHCFG_GLOBAL },
> 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
> 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
> 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
>@@ -1473,6 +1475,10 @@ process_server_config_line(ServerOptions *options, char *line,
> 		intptr = &options->tcp_keep_alive;
> 		goto parse_flag;
> 
>+	case sTCPUserTimeout:
>+		intptr = &options->tcp_user_timeout;
>+		goto parse_int;
>+
> 	case sEmptyPasswd:
> 		intptr = &options->permit_empty_passwd;
> 		goto parse_flag;
>@@ -2469,6 +2475,7 @@ dump_config(ServerOptions *o)
> 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
> 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
> 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
>+	dump_cfg_fmtint(sTCPUserTimeout, o->tcp_user_timeout);
> 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
> 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
> 	dump_cfg_fmtint(sCompression, o->compression);
>diff --git a/servconf.h b/servconf.h
>index 37a0fb1..ee4f7ba 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -104,6 +104,7 @@ typedef struct {
> 	int	permit_user_rc;	/* If false, deny ~/.ssh/rc execution */
> 	int     strict_modes;	/* If true, require string home dir modes. */
> 	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
>+	int     tcp_user_timeout;	/* Set SO_USER_TIMEOUT. */
> 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
> 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
> 	char   *ciphers;	/* Supported SSH2 ciphers. */
>diff --git a/sftp.1 b/sftp.1
>index 529be7f..e48bff7 100644
>--- a/sftp.1
>+++ b/sftp.1
>@@ -244,6 +244,7 @@ For full details of the options listed below, and their possible values, see
> .It ServerAliveCountMax
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It UpdateHostKeys
> .It UsePrivilegedPort
> .It User
>diff --git a/ssh.1 b/ssh.1
>index 9de2a11..5929ce4 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -525,6 +525,7 @@ For full details of the options listed below, and their possible values, see
> .It StreamLocalBindUnlink
> .It StrictHostKeyChecking
> .It TCPKeepAlive
>+.It TCPUserTimeout
> .It Tunnel
> .It TunnelDevice
> .It UpdateHostKeys
>diff --git a/ssh.c b/ssh.c
>index 8626254..3b423a3 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -1301,6 +1301,7 @@ main(int ac, char **av)
> 	if (ssh_connect(ssh, host, addrs, &hostaddr, options.port,
> 	    options.address_family, options.connection_attempts,
> 	    &timeout_ms, options.tcp_keep_alive,
>+	    options.tcp_user_timeout,
> 	    options.use_privileged_port) != 0)
>  		exit(255);
> 
>diff --git a/ssh_config.5 b/ssh_config.5
>index c1bd7df..550a5ef 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -1510,6 +1510,11 @@ This is important in scripts, and many users want it too.
> .Pp
> To disable TCP keepalive messages, the value should be set to
> .Cm no .
>+.It Cm TCPUserTimeout
>+Specifies the value of the TCP_USER_TIMEOUT socket option on the ssh 
>+socket.
>+.Pp
>+The default is to not set that option.
> .It Cm Tunnel
> Request
> .Xr tun 4
>diff --git a/sshconnect.c b/sshconnect.c
>index 4497770..c255bab 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -19,6 +19,9 @@
> #include <sys/wait.h>
> #include <sys/stat.h>
> #include <sys/socket.h>
>+#ifdef HAVE_NETINET_TCP_H
>+#include <netinet/tcp.h>
>+#endif
> #ifdef HAVE_SYS_TIME_H
> # include <sys/time.h>
> #endif
>@@ -413,7 +416,8 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
> static int
> ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
>     struct sockaddr_storage *hostaddr, u_short port, int family,
>-    int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
>+    int connection_attempts, int *timeout_ms, int want_keepalive, 
>+    int tcp_user_timeout, int needpriv)
> {
> 	int on = 1;
> 	int sock = -1, attempt;
>@@ -484,6 +488,14 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
> 	    sizeof(on)) < 0)
> 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
> 
>+#if defined(HAVE_NETINET_TCP_H) && defined(SOL_TCP) && defined(TCP_USER_TIMEOUTS)
>+	/* Set SO_TCP_USER_TIMEOUT if requested. */
>+	if (tcp_user_timeout > 0 &&
>+	    setsockopt(sock, SOL_TCP, TCP_USER_TIMEOUT, (void *)&tcp_user_timeout,
>+	    sizeof(tcp_user_timeout)) < 0)
>+		error("setsockopt TCP_USER_TIMEOUT: %.100s", strerror(errno));
>+#endif
>+
> 	/* Set the connection. */
> 	if (ssh_packet_set_connection(ssh, sock, sock) == NULL)
> 		return -1; /* ssh_packet_set_connection logs error */
>@@ -494,12 +506,13 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
> int
> ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs,
>     struct sockaddr_storage *hostaddr, u_short port, int family,
>-    int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
>+    int connection_attempts, int *timeout_ms, int want_keepalive, 
>+    int tcp_user_timeout, int needpriv)
> {
> 	if (options.proxy_command == NULL) {
> 		return ssh_connect_direct(ssh, host, addrs, hostaddr, port,
> 		    family, connection_attempts, timeout_ms, want_keepalive,
>-		    needpriv);
>+		    tcp_user_timeout, needpriv);
> 	} else if (strcmp(options.proxy_command, "-") == 0) {
> 		if ((ssh_packet_set_connection(ssh,
> 		    STDIN_FILENO, STDOUT_FILENO)) == NULL)
>diff --git a/sshconnect.h b/sshconnect.h
>index b5029e2..a35f42d 100644
>--- a/sshconnect.h
>+++ b/sshconnect.h
>@@ -35,7 +35,7 @@ struct addrinfo;
> struct ssh;
> 
> int	 ssh_connect(struct ssh *, const char *, struct addrinfo *,
>-	    struct sockaddr_storage *, u_short, int, int, int *, int, int);
>+	    struct sockaddr_storage *, u_short, int, int, int *, int, int, int);
> void	 ssh_kill_proxy_command(void);
> 
> void	 ssh_login(Sensitive *, const char *, struct sockaddr *, u_short,
>diff --git a/sshd.c b/sshd.c
>index a69537b..157fa74 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -47,6 +47,9 @@
> #include <sys/types.h>
> #include <sys/ioctl.h>
> #include <sys/socket.h>
>+#ifdef HAVE_NETINET_TCP_H
>+#include <netinet/tcp.h>
>+#endif
> #ifdef HAVE_SYS_STAT_H
> # include <sys/stat.h>
> #endif
>@@ -2025,6 +2028,14 @@ main(int ac, char **av)
> 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
> 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
> 
>+#if defined(HAVE_NETINET_TCP_H) && defined(SOL_TCP) && defined(TCP_USER_TIMEOUTS)
>+	/* Set SO_TCP_USER_TIMEOUT if requested. */
>+	if (options.tcp_user_timeout > 0 && packet_connection_is_on_socket() &&
>+	    setsockopt(sock_in, SOL_TCP, TCP_USER_TIMEOUT, 
>+	    &options.tcp_user_timeout, sizeof(options.tcp_user_timeout)) < 0)
>+		error("setsockopt TCP_USER_TIMEOUT: %.100s", strerror(errno));
>+#endif
>+
> 	if ((remote_port = ssh_remote_port(ssh)) < 0) {
> 		debug("ssh_remote_port failed");
> 		cleanup_exit(255);
>diff --git a/sshd_config.5 b/sshd_config.5
>index 99e4418..11378f9 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1477,6 +1477,11 @@ This avoids infinitely hanging sessions.
> .Pp
> To disable TCP keepalive messages, the value should be set to
> .Cm no .
>+.It Cm TCPUserTimeout
>+Specifies the value of the TCP_USER_TIMEOUT socket option on the ssh 
>+socket.
>+.Pp
>+The default is to not set that option.
> .It Cm TrustedUserCAKeys
> Specifies a file containing public keys of certificate authorities that are
> trusted to sign user certificates for authentication, or

Actions: View | Diff

Attachments on bug 2830: 3118