From 72224fa6f76ef33fd80eebc46a8661866e6f7f62 Mon Sep 17 00:00:00 2001 From: Lyor Goldstein Date: Sat, 6 Jan 2024 10:20:27 +0200 Subject: [PATCH] Improved documentation + HOWTO for strict KEX management --- docs/howto.md | 38 ++++++++++++++++++++++++++++++++++++++ docs/standards.md | 18 ++++++++++++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/docs/howto.md b/docs/howto.md index 70f0b64e4..af3aad189 100644 --- a/docs/howto.md +++ b/docs/howto.md 
@@ -23,3 +23,41 @@ In order to achieve this one needs to use a `ReservedSessionMessagesHandler` on The idea is to prevent the normal session establish flow by taking over the initial handshake identification and blocking the initial KEX message from the server. A sample implementation can be found in the `EndlessTarpitSenderSupportDevelopment` class in the *sshd-contrib* package *test* section. + +## Disabling strict KEX + +The current code implements the [strict-kex](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) extension by default. If users want/need to disable it, then +this can be done *programmatically* as follows (the example is for the client, but a similar approach can be implemented for the server): + + +```java +class NoStrictKexSession extends ClientSessionImpl { + NoStrictKexSession(ClientFactoryManager client, IoSession ioSession) throws Exception { + super(client, ioSession); + } + + @Override + protected Map doStrictKexProposal(Map proposal) { + return proposal; + } +} + +class NoStrictKexSessionFactory extends SessionFactory { + NoStrictKexSessionFactory(ClientFactoryManager client) { + super(client); + } + + @Override + protected ClientSessionImpl doCreateSession(IoSession ioSession) throws Exception { + return new NoStrictKexSession(getClient(), ioSession); + } +} + +SshClient client = ...; +SessionFactory factory = new NoStrictKexSessionFactory(client); +client.setSessionFactory(factory); +client.start(); +``` + +If one needs to disable the protocol on a per-session basis, then it is possible to examine the peer's address (e.g., or anything else for that matter) in the `doCreateSession` +or the `doStrictKexProposal` overrides and then invoke the super-class (for continuing with strict KEX) or return immediately (for disabling it). \ No newline at end of file diff --git a/docs/standards.md b/docs/standards.md index d223bda4c..c2d8f28f8 100644 --- a/docs/standards.md +++ b/docs/standards.md 
@@ -35,7 +35,22 @@ * [OpenSSH support for U2F/FIDO security keys](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f) * **Note:** the server side supports these keys by default. The client side requires specific initialization * [OpenSSH public-key certificate authentication system for use by SSH](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys) -* [OpenSSH strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) +* [OpenSSH 1.9 transport: strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) +* [(Some) OpenSSH SFTP extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) + +**Note:** some implementations may be limited to client-side - i.e., we provide a capability for the client to detect if the server +supports the extension and then use it, but our server does not publish it as being supported. + +| Section | Extension | Client | Server | +| ------- | -------------------------- | ------ | ------ | +| 4.3 | `posix-rename@openssh.com` | Yes | Yes | +| 4.4 | `statvfs@openssh.com` | Yes | Yes | +| 4.4 | `fstatvfs@openssh.com` | Yes | Yes | +| 4.5 | `hardlink@openssh.com` | Yes | Yes | +| 4.6 | `fsync@openssh.com` | Yes | Yes | +| 4.7 | `lsetstat@openssh.com` | Yes | Yes | +| 4.8 | `limits@openssh.com` | Yes | Yes | +| 4.10 | `copy-data` | Yes | Yes | ### SFTP version 3-6 + extensions 
@@ -50,7 +65,6 @@ * `copy-file`, `copy-data` - [DRAFT 00 - sections 6, 7](https://tools.ietf.org/id/draft-ietf-secsh-filexfer-extensions-00.txt) * `space-available` - [DRAFT 09 - section 9.2](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-09#section-9.2) * `filename-charset`, `filename-translation-control` - [DRAFT 13 - section 6](https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13#section-6) - only client side -* Several [OpenSSH SFTP extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) ### Miscellaneous
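Review bot: in the `docs/howto.md` hunk, the override `protected Map doStrictKexProposal(Map proposal)` uses the raw `Map` type, which hides what the proposal map actually holds and, against a parameterized superclass method, compiles only with unchecked warnings; show the parameterized signature so the snippet can be copied as-is. The new section also never states what is given up by disabling strict KEX: one sentence saying the extension exists to protect the key-exchange handshake against prefix truncation, so disabling it should be a deliberate, per-peer decision rather than a default compatibility knob, belongs right under the heading. Minor: the parenthetical "(e.g., or anything else for that matter)" reads awkwardly, suggest "(or anything else, for that matter)", and the hunk leaves `howto.md` without a trailing newline.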
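Review bot: in the `docs/standards.md` hunk, the new **Note** says some implementations may be limited to the client side, but every row of the table that follows is `Yes`/`Yes`, so either the note describes no row or one of the rows is mislabelled; drop the note or mark the extension it refers to. The link text "OpenSSH 1.9 transport: strict key exchange extension" reads like a version number, whereas "OpenSSH PROTOCOL section 1.9" would say what 1.9 is, and the table's `Section` header should likewise name the document whose sections it lists. `copy-data` now appears both in this table and in the retained `copy-file`, `copy-data` DRAFT bullet below; a short cross-reference would tell the reader which definition the implementation follows.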