
[ssh] Add support for no-more-sessions@openssh.com
Open, Wishlist, Public

Description

Add support for no-more-sessions@openssh.com.

Most SSH connections will only ever request a single session, but an attacker may abuse a running ssh client to surreptitiously open
additional sessions under their control. OpenSSH provides a global request "no-more-sessions@openssh.com" to mitigate this attack.

Follows the specification:

connection: disallow additional sessions extension

"no-more-sessions@openssh.com"

Most SSH connections will only ever request a single session, but an
attacker may abuse a running ssh client to surreptitiously open
additional sessions under their control. OpenSSH provides a global
request "no-more-sessions@openssh.com" to mitigate this attack.

When an OpenSSH client expects that it will never open another session
(i.e. it has been started with connection multiplexing disabled), it
will send the following global request:

byte            SSH_MSG_GLOBAL_REQUEST
string          "no-more-sessions@openssh.com"
char            want-reply

On receipt of such a message, an OpenSSH server will refuse to open
future channels of type "session" and instead immediately abort the
connection.

Note that this is not a general defence against compromised clients
(that is impossible), but it thwarts a simple attack.

NB. due to certain broken SSH implementations aborting upon receipt
of this message, the no-more-sessions request is only sent to OpenSSH
servers (identified by banner). Other SSH implementations may be
listed to receive this message upon request.
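
As an added illustration of the server-side behaviour the spec above describes (this is example code written for this task page, not libssh's implementation nor OpenSSH's), the following C program decodes the SSH_MSG_GLOBAL_REQUEST payload (byte, string, want-reply), records the sticky per-connection flag, and then refuses any later channel open of type "session" by aborting the connection, while leaving other channel types unaffected. The message numbers are RFC 4254's; the `ssh_conn_state` struct, the `verdict` enum and the encoded sample packets are constructed for this example only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4254 (SSH connection protocol). */
#define SSH_MSG_GLOBAL_REQUEST 80
#define SSH_MSG_REQUEST_SUCCESS 81
#define SSH_MSG_REQUEST_FAILURE 82
#define SSH_MSG_CHANNEL_OPEN 90

#define NO_MORE_SESSIONS "no-more-sessions@openssh.com"

enum verdict {
    VERDICT_OK = 0,         /* message accepted */
    VERDICT_IGNORE = 1,     /* unknown global request (REQUEST_FAILURE if want-reply) */
    VERDICT_MALFORMED = -1, /* truncated payload or wrong message number */
    VERDICT_ABORT = -2      /* "session" open after no-more-sessions: drop the connection */
};

/* Per-connection state (hypothetical struct for this example, not libssh's ssh_session). */
struct ssh_conn_state {
    bool no_more_sessions;
    int sessions_opened;
};

/* Decode an SSH "string" (uint32 big-endian length + bytes).
 * Returns bytes consumed, or 0 when the buffer is truncated. */
static size_t read_ssh_string(const uint8_t *buf, size_t len,
                              const uint8_t **out, uint32_t *out_len)
{
    if (len < 4) return 0;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n > len - 4) return 0;
    *out = buf + 4;
    *out_len = n;
    return 4 + (size_t)n;
}

static bool ssh_string_equals(const uint8_t *s, uint32_t n, const char *lit)
{
    size_t l = strlen(lit);
    return n == l && memcmp(s, lit, l) == 0;
}

/* Server side: handle one SSH_MSG_GLOBAL_REQUEST payload.
 * *reply receives the message number to send back, or 0 when want-reply is unset. */
enum verdict handle_global_request(struct ssh_conn_state *st, const uint8_t *payload,
                                   size_t len, uint8_t *reply)
{
    const uint8_t *name;
    uint32_t name_len;
    *reply = 0;
    if (len < 1 || payload[0] != SSH_MSG_GLOBAL_REQUEST) return VERDICT_MALFORMED;
    size_t used = read_ssh_string(payload + 1, len - 1, &name, &name_len);
    if (used == 0 || len < 1 + used + 1) return VERDICT_MALFORMED; /* want-reply byte missing */
    bool want_reply = payload[1 + used] != 0;
    if (!ssh_string_equals(name, name_len, NO_MORE_SESSIONS)) {
        if (want_reply) *reply = SSH_MSG_REQUEST_FAILURE; /* unknown request, RFC 4254 s.4 */
        return VERDICT_IGNORE;
    }
    st->no_more_sessions = true; /* sticky for the rest of the connection */
    if (want_reply) *reply = SSH_MSG_REQUEST_SUCCESS;
    return VERDICT_OK;
}

/* Server side: handle one SSH_MSG_CHANNEL_OPEN payload. Only the channel type is
 * inspected; the sender channel, window and packet size fields are not parsed here. */
enum verdict handle_channel_open(struct ssh_conn_state *st, const uint8_t *payload, size_t len)
{
    const uint8_t *type;
    uint32_t type_len;
    if (len < 1 || payload[0] != SSH_MSG_CHANNEL_OPEN) return VERDICT_MALFORMED;
    if (read_ssh_string(payload + 1, len - 1, &type, &type_len) == 0) return VERDICT_MALFORMED;
    if (ssh_string_equals(type, type_len, "session")) {
        /* Per the spec: refuse and abort, not merely CHANNEL_OPEN_FAILURE.
         * Other channel types (e.g. port forwards) are not affected by the flag. */
        if (st->no_more_sessions) return VERDICT_ABORT;
        st->sessions_opened++;
    }
    return VERDICT_OK;
}

/* Encode "byte msg, string s [, byte trailer]" as a client would (constructed test data). */
static size_t encode_msg(uint8_t *buf, size_t cap, uint8_t msg, const char *s, int trailer)
{
    size_t n = strlen(s), total = 1 + 4 + n + (trailer >= 0 ? 1 : 0);
    if (cap < total) return 0;
    buf[0] = msg;
    buf[1] = (uint8_t)(n >> 24); buf[2] = (uint8_t)(n >> 16);
    buf[3] = (uint8_t)(n >> 8);  buf[4] = (uint8_t)n;
    memcpy(buf + 5, s, n);
    if (trailer >= 0) buf[5 + n] = (uint8_t)trailer;
    return total;
}

size_t build_global_request(uint8_t *buf, size_t cap, const char *name, bool want_reply)
{
    return encode_msg(buf, cap, SSH_MSG_GLOBAL_REQUEST, name, want_reply ? 1 : 0);
}

size_t build_channel_open(uint8_t *buf, size_t cap, const char *type)
{
    return encode_msg(buf, cap, SSH_MSG_CHANNEL_OPEN, type, -1);
}

/* The scenario from this task: one legitimate session, then the request, then an
 * unexpected second "session" open. Returns sessions allowed (1) or a negative step. */
int run_scenario(void)
{
    struct ssh_conn_state st = {false, 0};
    uint8_t buf[128], reply;
    size_t n = build_channel_open(buf, sizeof buf, "session");
    if (handle_channel_open(&st, buf, n) != VERDICT_OK) return -1;
    n = build_global_request(buf, sizeof buf, NO_MORE_SESSIONS, true);
    if (handle_global_request(&st, buf, n, &reply) != VERDICT_OK ||
        reply != SSH_MSG_REQUEST_SUCCESS) return -2;
    n = build_channel_open(buf, sizeof buf, "session");
    if (handle_channel_open(&st, buf, n) != VERDICT_ABORT) return -3;
    return st.sessions_opened;
}

int main(void)
{
    printf("sessions allowed before the connection was aborted: %d\n", run_scenario());
    return 0;
}
```

The two points worth keeping when wiring this into a real server: the flag must never be cleared once set, and the reaction to a later "session" open is a connection abort rather than a polite CHANNEL_OPEN_FAILURE, which is what the spec excerpt above requires.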

Event Timeline

asn triaged this task as Wishlist priority. Sep 3 2018, 8:14 AM
asn created this task.

This implements the server part. The patch hasn't been tested!

asn changed the edit policy from "All Users" to "Restricted Project (Project)". Sep 4 2018, 9:46 PM
asn added a project: Restricted Project.
ansasaki updated the task description. Wed, Sep 23, 1:53 PM