
From 8cc08c3dafc364645293e784704db3fa5e238604 Mon Sep 17 00:00:00 2001
From: Oliver Rauscher <Oliver.Rauscher@rnetx.com>
Date: Sun, 30 Oct 2022 11:54:36 +0100
Subject: Patched version

---
 pathnames.h  |  2 +-
 readconf.c   | 24 ++++++++++++++++++++++++
 readconf.h   |  4 ++++
 scp.1        |  4 ++++
 scp.c        |  2 +-
 sftp.1       |  4 ++++
 sftp.c       |  2 +-
 ssh.1        | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 ssh.c        | 27 +++++++++++++++++++++++++++
 ssh_config   |  3 +++
 ssh_config.5 | 16 ++++++++++++++++
 11 files changed, 129 insertions(+), 5 deletions(-)

diff --git a/pathnames.h b/pathnames.h
index f7ca5a7..535b0b0 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -87,7 +87,7 @@
  * volume where root is mapped to nobody, this may need to be world-readable.
  */
 #define _PATH_SSH_USER_CONFFILE		_PATH_SSH_USER_DIR "/config"
-
+#define _PATH_SSH_USER_CONFFILE_SUSSHI	_PATH_SSH_USER_DIR "/susshi_config"
 /*
  * File containing a list of those rsa keys that permit logging in as this
  * user.  This file need not be readable by anyone but the user him/herself,
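Review bot: The new `_PATH_SSH_USER_CONFFILE_SUSSHI` define takes the place of the blank line that separated `_PATH_SSH_USER_CONFFILE` from the comment block below, so the `/* File containing a list of those rsa keys ... */` comment now abuts the defines. Keep a blank line after the new define so this header's spacing stays consistent with the neighbouring entries. A short comment above it, such as `/* Optional per-user config read before _PATH_SSH_USER_CONFFILE (suSSHi integration) */`, would also tell a reader why a second user config path exists, since nothing in this header says so.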
diff --git a/readconf.c b/readconf.c
index f26faba..4e269dd 100644
--- a/readconf.c
+++ b/readconf.c
@@ -155,6 +155,7 @@ typedef enum {
 	oTCPKeepAlive, oNumberOfPasswordPrompts,
 	oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
 	oPubkeyAuthentication,
+	oSusshiGateway, oSusshiUser, oSusshiProxy,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
@@ -318,6 +319,9 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "susshigateway", oSusshiGateway },
+	{ "susshiproxy", oSusshiProxy },
+	{ "susshiuser", oSusshiUser },
 	{ "securitykeyprovider", oSecurityKeyProvider },
 	{ "knownhostscommand", oKnownHostsCommand },
 
@@ -2191,6 +2195,18 @@ parse_pubkey_algos:
 			*charptr = xstrdup(arg);
 		break;
 
+	case oSusshiGateway:
+		charptr = &options->susshi_gateway;
+		goto parse_string;
+
+	case oSusshiProxy:
+		charptr = &options->susshi_proxy;
+		goto parse_string;
+
+	case oSusshiUser:
+		charptr = &options->susshi_user;
+		goto parse_string;
+
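Review bot: The three new cases store their argument verbatim via `goto parse_string`, but ssh.c later joins SusshiUser, the login name, the host and SusshiProxy into one login name using `@` as the field separator, so a configured value that itself contains `@` (or whitespace) would change how the gateway splits that composite name, with no local error and presumably no obvious failure. Consider rejecting such values at parse time, in a dedicated path rather than the shared `parse_string` label: after the string is read, `if (strchr(*charptr, '@') != NULL) fatal("%.200s line %d: '@' is not allowed in %s", filename, linenum, keyword);`. The enclosing switch in the config-line parser starts and ends outside this hunk.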
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -2438,6 +2454,9 @@ initialize_options(Options * options)
 	options->hostbased_accepted_algos = NULL;
 	options->pubkey_accepted_algos = NULL;
 	options->known_hosts_command = NULL;
+	options->susshi_gateway = NULL;
+	options->susshi_user = NULL;
+	options->susshi_proxy = NULL;
 }
 
 /*
@@ -3367,6 +3386,11 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_strarray_oneline(oLogVerbose,
 	    o->num_log_verbose, o->log_verbose);
 
+	/* suSSHi options */
+	dump_cfg_string(oSusshiGateway, o->susshi_gateway);
+	dump_cfg_string(oSusshiProxy, o->susshi_proxy);
+	dump_cfg_string(oSusshiUser, o->susshi_user);
+
 	/* Special cases */
 
 	/* PermitRemoteOpen */
diff --git a/readconf.h b/readconf.h
index ded13c9..df721c4 100644
--- a/readconf.h
+++ b/readconf.h
@@ -176,6 +176,10 @@ typedef struct {
 
 	char   *known_hosts_command;
 
+	char   *susshi_gateway;
+	char   *susshi_user;
+	char   *susshi_proxy;
+
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 }       Options;
 
diff --git a/scp.1 b/scp.1
index c433f71..1519b01 100644
--- a/scp.1
+++ b/scp.1
@@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlMaster
 .It ControlPath
 .It ControlPersist
+.It ForwardAgent
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
 .It GSSAPIDelegateCredentials
@@ -216,6 +217,9 @@ For full details of the options listed below, and their possible values, see
 .It ServerAliveCountMax
 .It SetEnv
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It UpdateHostKeys
 .It User
diff --git a/scp.c b/scp.c
index 519bffa..9c13094 100644
--- a/scp.c
+++ b/scp.c
@@ -592,7 +592,7 @@ main(int argc, char **argv)
 	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent=no");
+	/* addargs(&args, "-oForwardAgent=no"); */
 
 	if (iamremote)
 		mode = MODE_SCP;
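Review bot: Commenting out `addargs(&args, "-oForwardAgent=no")` means scp now honours whatever ForwardAgent value the user's or system ssh_config supplies, so a `Host *` stanza with `ForwardAgent yes` forwards the agent into every scp transfer; upstream pinned it off because a copy session never needs the agent on the remote side and a hostile or compromised server could use a forwarded agent to authenticate as the user elsewhere. The commit does not say why the line was dropped (presumably so a suSSHi gateway can authenticate onward); if that is the intent, delete the dead line instead of commenting it out and state the exception in place: `/* ForwardAgent is intentionally not forced off: the user's ssh_config setting applies so a suSSHi gateway can use the agent. */`. The preceding comment `Do this last because we want the user to be able to override it` now describes nothing and should go with it. Note that users could already opt in per invocation with `-o ForwardAgent=yes` before this change, so the only behaviour gained is letting ssh_config decide — worth a sentence in scp.1, which this patch only extends with the option name.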
diff --git a/sftp.1 b/sftp.1
index 7eebeea..1b8f40a 100644
--- a/sftp.1
+++ b/sftp.1
@@ -240,6 +240,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlMaster
 .It ControlPath
 .It ControlPersist
+.It ForwardAgent
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
 .It GSSAPIDelegateCredentials
@@ -276,6 +277,9 @@ For full details of the options listed below, and their possible values, see
 .It ServerAliveCountMax
 .It SetEnv
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It UpdateHostKeys
 .It User
diff --git a/sftp.c b/sftp.c
index 8cb5917..fe3a9e3 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2484,7 +2484,7 @@ main(int argc, char **argv)
 	}
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent no");
+	/* addargs(&args, "-oForwardAgent no"); */
 
 	if (!isatty(STDERR_FILENO))
 		showprogress = 0;
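Review bot: Disabling `addargs(&args, "-oForwardAgent no")` has the same effect here as in scp.c: sftp no longer pins agent forwarding off, so `ForwardAgent yes` in the user's ssh_config now reaches every sftp session and exposes the agent to the server for the whole transfer. Upstream forces it off because an sftp session has no use for the agent on the remote side; if the suSSHi gateway needs it, remove the commented-out line rather than leaving dead code, and replace it with a comment explaining the exception, e.g. `/* ForwardAgent is not forced off so a suSSHi gateway can use the agent; the user's ssh_config value applies. */`. The stale `Do this last because we want the user to be able to override it` comment should be removed at the same time. An alternative that keeps the safer default is to leave the line in and let gateway users opt in with `-o ForwardAgent=yes`, which already took precedence because this option was appended last.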
diff --git a/ssh.1 b/ssh.1
index ce00249..9f7daf1 100644
--- a/ssh.1
+++ b/ssh.1
@@ -91,6 +91,43 @@ The user must prove
 their identity to the remote machine using one of several methods
 (see below).
 .Pp
+.Sh SUSSHI INTEGRATION
+.Nm
+may be used in conjunction with a suSSHi gateway. In this case the
+destination points to the name or IP of a suSSHi gateway and the actual
+ssh target is encoded into the login_name. The login_name is then
+specified in the form gateway_user@target_user@target,
+which results in two forms for the ssh syntax:
+.Pp
+   ssh -l gateway_user@target_user@target susshi-gateway
+.Pp
+or simply
+.Pp
+   ssh gateway_user@target_user@target@susshi-gateway
+.Pp
+If a suSSHi proxy is used, a proxy realm must be added to the target
+so that suSSHi knows which configured proxy can be used to connect:
+.Pp
+   ssh -l gateway_user@target_user@target@proxyrealm susshi-gateway
+.Pp
+or simply
+.Pp
+   ssh gateway_user@target_user@target@proxyrealm@susshi_gateway
+.Pp
+Please take a look at the SusshiGateway, SusshiUser and SusshiProxy
+options described in the
+.Xr ssh_config 5
+man page.
+.Pp
+Please note that other client software also uses the user configuration file
+.Pa ~/.ssh/config
+and may encounter syntax errors when adding the Susshi* options.
+Therefore, you can alternatively include all hosts/options with special Susshi* options in a newly introduced configuration file
+.Pa ~/.ssh/susshi_config
+which is loaded before the default user configuration file
+.Pa ~/.ssh/config .
+.Pp
+.Sh DESCRIPTION (cont.)
 If a
 .Ar command
 is specified,
@@ -236,8 +273,10 @@ If a configuration file is given on the command line,
 the system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
 will be ignored.
-The default for the per-user configuration file is
-.Pa ~/.ssh/config .
+The default for the per-user configuration files are
+.Pa ~/.ssh/config
+and alternatively
+.Pa ~/.ssh/susshi_config .
 If set to
 .Dq none ,
 no configuration files will be read.
@@ -577,6 +616,9 @@ For full details of the options listed below, and their possible values, see
 .It StreamLocalBindMask
 .It StreamLocalBindUnlink
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It Tunnel
 .It TunnelDevice
diff --git a/ssh.c b/ssh.c
index 8ff9788..a4f0bfe 100644
--- a/ssh.c
+++ b/ssh.c
@@ -558,6 +558,15 @@ process_config_files(const char *host_name, struct passwd *pw, int final_pass,
 			fatal("Can't open user config file %.100s: "
 			    "%.100s", config, strerror(errno));
 	} else {
+		/* Alternate (suSSHi) config file */
+		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
+		             _PATH_SSH_USER_CONFFILE_SUSSHI);
+		if (r > 0 && (size_t)r < sizeof(buf))
+			(void)read_config_file(buf, pw, host, host_name,
+			                       &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
+			                                 (final_pass ? SSHCONF_FINAL : 0), want_final_pass);
+
+		/* Standard user config file */
 		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
 		    _PATH_SSH_USER_CONFFILE);
 		if (r > 0 && (size_t)r < sizeof(buf))
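Review bot: The new block duplicates the `snprintf`/`read_config_file` pair that follows it and indents its continuation lines with aligned spaces, whereas the file uses four-space KNF continuations as on the `_PATH_SSH_USER_CONFFILE` lines directly below. Factor the pair into a small static helper taking the path suffix and flags, or at least match the surrounding indentation. Ordering is the security-relevant detail here: ssh keeps the first value it obtains for each option, so anything set in `~/.ssh/susshi_config` wins over `~/.ssh/config`, including settings such as StrictHostKeyChecking or UserKnownHostsFile; a comment `/* Read first: its values take precedence over ~/.ssh/config (first obtained value is used). */` would make that explicit for the next maintainer. `process_config_files` begins before this hunk.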
@@ -1165,6 +1174,24 @@ main(int ac, char **av)
 	if ((was_addr = is_addr(host)) == 0)
 		lowercase(host);
 
+	/*
+	 * suSSHi Parameters
+	 */
+	if (options.susshi_gateway != NULL) {
+		if ((options.proxy_command) || (options.jump_host))
+			fatal("The SusshiGateway option cannot be used simultaneously with ProxyCommand or JumpHost.");
+		if (options.susshi_user == NULL)
+			options.susshi_user = xstrdup(pw->pw_name);
+		if (options.susshi_proxy)
+			options.user = percent_expand("%u@%r@%h@%p", "u", options.susshi_user,
+			                              "r", options.user, "h", host, "p", options.susshi_proxy, (char *)NULL);
+		else
+			options.user = percent_expand("%u@%r@%h", "u", options.susshi_user,
+			                              "r", options.user, "h", host, (char *)NULL);
+		host = options.susshi_gateway;
+		debug3("expanding (suSSHi) User: %s", options.user);
+	}
+
 	/*
 	 * Try to canonicalize if requested by configuration or the
 	 * hostname is an address.
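Review bot: `options.user` can still be NULL when this block runs: as far as I can tell it is only defaulted to `pw->pw_name` later in `main`, after `fill_default_options`, so `ssh -o SusshiGateway=gw target` with no `-l`, no `user@` and no `User` directive hands `percent_expand` a NULL replacement for `%r`, which it treats as a fatal error. Default it the same way SusshiUser is defaulted: `if (options.user == NULL) options.user = xstrdup(pw->pw_name);` before the `percent_expand` calls. The fatal message names `JumpHost`, but the option being checked is `ProxyJump` (`options.jump_host`); `fatal("SusshiGateway cannot be combined with ProxyCommand or ProxyJump.")` avoids pointing users at a non-existent keyword. Reassigning `host` to `options.susshi_gateway` also leaves `options.hostname`, when a HostName directive set it, pointing at the original target, so the two can disagree for later host-key and percent-expansion handling — verify which one the connection and known_hosts lookup use, and that the old `host` allocation is released. `main` continues well past this hunk.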
diff --git a/ssh_config b/ssh_config
index 842ea86..b2d3bc1 100644
--- a/ssh_config
+++ b/ssh_config
@@ -44,3 +44,6 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+#   SusshiGateway susshi.example.com
+#   SusshiProxy my-proxy.cloud.example.com
+#   SusshiUser automation
\ No newline at end of file
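Review bot: The `\ No newline at end of file` marker shows the patch drops the trailing newline of `ssh_config` when appending the three commented examples; terminate `#   SusshiUser automation` with a newline so the file ends like the rest of the tree and later patches apply cleanly. The example keywords match the options registered in readconf.c, which is the only other thing this hunk has to get right.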
diff --git a/ssh_config.5 b/ssh_config.5
index 6913228..ef53148 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -49,6 +49,9 @@ the following order:
 .It
 command-line options
 .It
+user's alternative configuration file
+.Pq Pa ~/.ssh/susshi_config
+.It
 user's configuration file
 .Pq Pa ~/.ssh/config
 .It
@@ -1819,6 +1822,19 @@ has confirmed that is what they really want to do, and
 ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
+.It Cm SusshiGateway
+Specifies the name or IP address of a suSSHi gateway. This option allows
+to continue using the normal ssh syntax for login_name (-l or <login_name>
+@destination) and destination ans still pass the name or IP address of a
+suSSHi gateway.
+.It Cm SusshiProxy
+Specifies a proxy realm used in conjunction with a suSSHi gateway. This
+option allows to continue using the normal ssh syntax for login_name
+(-l or <login_name>@destination) and destination and still pass a suSSHi proxy realm.
+.It Cm SusshiUser
+Specifies the name of a suSSHi gateway user. This option allows to continue
+using the normal ssh syntax for login_name (-l or <login_name>@destination)
+and destination and still pass a suSSHi login name.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr ssh 1 .
-- 
2.38.1
