File openssh-9.6p1-susshi.patch of Package openssh
From da8847bce4841b9ef1810edebb13f92831401a48 Mon Sep 17 00:00:00 2001
From: Oliver Rauscher <oliver.rauscher@rnetx.com>
Date: Fri, 5 Jan 2024 12:36:32 +0100
Subject: Patched version

---
 .gitignore | 1 +
 pathnames.h | 2 +-
 readconf.c | 26 ++++++++++++++++++++++++++
 readconf.h | 4 ++++
 scp.1 | 4 ++++
 scp.c | 2 +-
 sftp.1 | 4 ++++
 sftp.c | 2 +-
 ssh.1 | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 ssh.c | 37 +++++++++++++++++++++++++++++++++++++
 ssh_config | 3 +++
 ssh_config.5 | 16 ++++++++++++++++
 12 files changed, 142 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 5e4ae5a..213c399 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.idea/
 Makefile
 buildpkg.sh
 config.h
diff --git a/pathnames.h b/pathnames.h
index f7ca5a7..535b0b0 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -87,7 +87,7 @@
  * volume where root is mapped to nobody, this may need to be world-readable.
  */
 #define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
-
+#define _PATH_SSH_USER_CONFFILE_SUSSHI _PATH_SSH_USER_DIR "/susshi_config"
 /*
  * File containing a list of those rsa keys that permit logging in as this
  * user. This file need not be readable by anyone but the user him/herself,
diff --git a/readconf.c b/readconf.c
index a2282b5..bba3650 100644
--- a/readconf.c
+++ b/readconf.c
@@ -158,6 +158,7 @@ typedef enum {
 	oTCPKeepAlive, oNumberOfPasswordPrompts,
 	oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
 	oPubkeyAuthentication,
+	oSusshiGateway, oSusshiUser, oSusshiProxy,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
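Review bot: The new _PATH_SSH_USER_CONFFILE_SUSSHI define in the pathnames.h hunk takes the place of the blank line that separated the user-config define from the comment block below it, and it carries no comment of its own although the neighbouring paths are all documented. Keep the separator and describe the path, e.g. `/* Optional per-user suSSHi config; ssh reads it before _PATH_SSH_USER_CONFFILE. */` above the new define. In the readconf.c enum hunk on this same line the new values are ordered gateway, user, proxy, while the keyword table and dump_client_config hunks use gateway, proxy, user; aligning the enum to the same order is cosmetic but avoids a mismatch the next time the list is extended.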
@@ -323,6 +324,9 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "susshigateway", oSusshiGateway },
+	{ "susshiproxy", oSusshiProxy },
+	{ "susshiuser", oSusshiUser },
 	{ "securitykeyprovider", oSecurityKeyProvider },
 	{ "knownhostscommand", oKnownHostsCommand },
 	{ "requiredrsasize", oRequiredRSASize },
@@ -2353,6 +2357,19 @@ parse_pubkey_algos:
 		}
 		break;
 
+	/* suSSHi options */
+	case oSusshiGateway:
+		charptr = &options->susshi_gateway;
+		goto parse_string;
+
+	case oSusshiProxy:
+		charptr = &options->susshi_proxy;
+		goto parse_string;
+
+	case oSusshiUser:
+		charptr = &options->susshi_user;
+		goto parse_string;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -2607,6 +2624,10 @@ initialize_options(Options * options)
 	options->tag = NULL;
 	options->channel_timeouts = NULL;
 	options->num_channel_timeouts = 0;
+	/* suSSHi options */
+	options->susshi_user = NULL;
+	options->susshi_gateway = NULL;
+	options->susshi_proxy = NULL;
 }
 
 /*
@@ -3575,6 +3596,11 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_strarray_oneline(oChannelTimeout,
 	    o->num_channel_timeouts, o->channel_timeouts);
 
+	/* suSSHi options */
+	dump_cfg_string(oSusshiGateway, o->susshi_gateway);
+	dump_cfg_string(oSusshiProxy, o->susshi_proxy);
+	dump_cfg_string(oSusshiUser, o->susshi_user);
+
 	/* Special cases */
 
 	/* PermitRemoteOpen */
diff --git a/readconf.h b/readconf.h
index ff7180c..4d5f3bc 100644
--- a/readconf.h
+++ b/readconf.h
@@ -185,6 +185,10 @@ typedef struct {
 	char **channel_timeouts; /* inactivity timeout by channel type */
 	u_int num_channel_timeouts;
 
+	char *susshi_gateway;
+	char *susshi_user;
+	char *susshi_proxy;
+
 	char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 } Options;
 
diff --git a/scp.1 b/scp.1
index 54c6fe3..0d1dc00 100644
--- a/scp.1
+++ b/scp.1
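Review bot: The three new Options members in the readconf.h hunk are the only string fields in that struct without a trailing comment, and nothing in the patch releases them; if this tree has a free_options() (outside the hunk) that frees the other char * members, the new strings belong there as well, otherwise the xstrdup'd values from parse_string are leaked whenever an Options is torn down. Suggested field comments, matching the neighbours: `char *susshi_gateway; /* suSSHi gateway host to connect through */`, `char *susshi_user; /* login name used on the gateway */`, `char *susshi_proxy; /* proxy realm appended to the composed login name */`. The readconf.c parse cases themselves follow the existing string-option pattern and look fine.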
@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlMaster
 .It ControlPath
 .It ControlPersist
+.It ForwardAgent
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
 .It GSSAPIDelegateCredentials
@@ -218,6 +219,9 @@ For full details of the options listed below, and their possible values, see
 .It ServerAliveCountMax
 .It SetEnv
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It UpdateHostKeys
 .It User
diff --git a/scp.c b/scp.c
index 492dace..125b488 100644
--- a/scp.c
+++ b/scp.c
@@ -641,7 +641,7 @@ main(int argc, char **argv)
 	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent=no");
+	/* addargs(&args, "-oForwardAgent=no"); */
 
 	if (iamremote)
 		mode = MODE_SCP;
diff --git a/sftp.1 b/sftp.1
index 68923ae..4bde72d 100644
--- a/sftp.1
+++ b/sftp.1
@@ -243,6 +243,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlMaster
 .It ControlPath
 .It ControlPersist
+.It ForwardAgent
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
 .It GSSAPIDelegateCredentials
@@ -280,6 +281,9 @@ For full details of the options listed below, and their possible values, see
 .It ServerAliveCountMax
 .It SetEnv
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It UpdateHostKeys
 .It User
diff --git a/sftp.c b/sftp.c
index c609b41..86a6582 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2593,7 +2593,7 @@ main(int argc, char **argv)
 	}
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent no");
+	/* addargs(&args, "-oForwardAgent no"); */
 
 	if (!isatty(STDERR_FILENO))
 		showprogress = 0;
diff --git a/ssh.1 b/ssh.1
index 936c995..807fc52 100644
--- a/ssh.1
+++ b/ssh.1
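Review bot: Commenting out `addargs(&args, "-oForwardAgent=no");` in the scp.c hunk (and the matching line in the sftp.c hunk on this same line) silently changes a security default: scp and sftp now inherit ForwardAgent from ssh_config, so any host block with `ForwardAgent yes` exposes the agent to the remote side during file transfers and not only in interactive sessions. The comment kept above the change ("we want the user to be able to override it") shows the old line was appended last precisely so a per-invocation `-o ForwardAgent=yes` could win, so the weaker default only buys config-file control. If that is intended, delete the dead lines instead of leaving them commented out, and state the new default in scp.1 and sftp.1 next to the ForwardAgent entries this patch adds there, e.g. a sentence that agent forwarding is no longer forced off for transfers. Both main() bodies start and end outside these hunks.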
@@ -93,6 +93,43 @@ The user must prove their identity to the remote machine using one of several methods (see below). .Pp +.Sh SUSSHI INTEGRATION +.Nm +may be used in conjunction with a suSSHi gateway. In this case the +destination points to the name or IP of a suSSHi gateway and the actual +ssh target is encoded into the login_name. The login_name is then +specified in the form gateway_user@target_user@target, +which results in two forms for the ssh syntax: +.Pp + ssh -l gateway_user@target_user@target susshi-gateway +.Pp +or simply +.Pp + ssh gateway_user@target_user@target@susshi-gateway +.Pp +If a suSSHi proxy is used, a proxy realm must be added to the target +so that suSSHi knows which configured proxy can be used to connect: +.Pp + ssh -l gateway_user@target_user@target@proxyrealm susshi-gateway +.Pp +or simply +.Pp + ssh gateway_user@target_user@target@proxyrealm@susshi_gateway +.Pp +Please take a look at the SusshiGateway, SusshiUser and SusshiProxy +options described in the +.Xr ssh_config 5 +man page. +.Pp +Please note that other client software also uses the user configuration file +.Pa ~/.ssh/config +and may encounter syntax errors when adding the Susshi* options. +Therefore, you can alternatively include all hosts/options with special Susshi* options in a newly introduced configuration file +.Pa ~/.ssh/susshi_config +which is loaded before the default user configuration file +.Pa ~/.ssh/config . +.Pp +.Sh DESCRIPTION (cont.) If a .Ar command is specified, @@ -239,8 +276,10 @@ If a configuration file is given on the command line, the system-wide configuration file .Pq Pa /etc/ssh/ssh_config will be ignored. -The default for the per-user configuration file is -.Pa ~/.ssh/config . +The default for the per-user configuration files are +.Pa ~/.ssh/config +and alternatively +.Pa ~/.ssh/susshi_config . If set to .Dq none , no configuration files will be read. 
@@ -584,6 +623,9 @@ For full details of the options listed below, and their possible values, see
 .It StreamLocalBindMask
 .It StreamLocalBindUnlink
 .It StrictHostKeyChecking
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It Tunnel
 .It TunnelDevice
diff --git a/ssh.c b/ssh.c
index 48d93dd..e0711f3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -572,6 +572,15 @@ process_config_files(const char *host_name, struct passwd *pw, int final_pass,
 			fatal("Can't open user config file %.100s: "
 			    "%.100s", config, strerror(errno));
 	} else {
+		/* Alternate (suSSHi) config file */
+		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
+		    _PATH_SSH_USER_CONFFILE_SUSSHI);
+		if (r > 0 && (size_t)r < sizeof(buf))
+			(void)read_config_file(buf, pw, host, host_name,
+			    &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
+			    (final_pass ? SSHCONF_FINAL : 0), want_final_pass);
+
+		/* Standard user config file */
 		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
 		    _PATH_SSH_USER_CONFFILE);
 		if (r > 0 && (size_t)r < sizeof(buf))
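Review bot: The new read_config_file call for the suSSHi file is placed ahead of the ~/.ssh/config read, but the comment `/* Alternate (suSSHi) config file */` does not say why the order matters: ssh keeps the first value it obtains for an option, so anything set in ~/.ssh/susshi_config overrides the same option in ~/.ssh/config for every host, which the ssh.1 text in this patch describes only as "loaded before". Make the precedence explicit, e.g. `/* Read before ~/.ssh/config: values set here take precedence (first obtained value wins). */`. The file is apparently consulted only in the else branch, so a config file given with -F skips it entirely; if that is intended it is worth one more sentence in the same comment and in ssh.1. Passing SSHCONF_CHECKPERM and ignoring the return value mirrors the existing call below, so that part is consistent. process_config_files starts outside the hunk.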
@@ -1227,6 +1236,34 @@ main(int ac, char **av)
 	if ((was_addr = is_addr(host)) == 0)
 		lowercase(host);
 
+	/*
+	 * suSSHi Parameters
+	 */
+	if (options.susshi_gateway != NULL) {
+		char *user, *hostname;
+
+		if ((options.proxy_command) || (options.jump_host))
+			fatal("The SusshiGateway option cannot be used simultaneously with ProxyCommand or JumpHost.");
+
+		if (options.susshi_user == NULL)
+			options.susshi_user = xstrdup(pw->pw_name);
+
+		user = xstrdup(options.user == NULL ? pw->pw_name : options.user);
+		hostname = xstrdup(options.hostname == NULL ? host : options.hostname);
+
+		if (options.susshi_proxy)
+			options.user = percent_expand("%u@%r@%h@%p", "u", options.susshi_user,
+			    "r", user, "h", hostname, "p", options.susshi_proxy, (char *)NULL);
+		else
+			options.user = percent_expand("%u@%r@%h", "u", options.susshi_user,
+			    "r", user, "h", hostname, (char *)NULL);
+
+		host = options.susshi_gateway;
+		debug3("expanding (suSSHi) User: %s", options.user);
+		free(hostname);
+		free(user);
+	}
+
 	/*
 	 * Try to canonicalize if requested by configuration or the
 	 * hostname is an address.
diff --git a/ssh_config b/ssh_config
index cc56635..427de81 100644
--- a/ssh_config
+++ b/ssh_config
@@ -44,3 +44,6 @@
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
 # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+# SusshiGateway susshi.example.com
+# SusshiProxy my-proxy.cloud.example.com
+# SusshiUser automation
\ No newline at end of file
diff --git a/ssh_config.5 b/ssh_config.5
index 4bbdfef..d913805 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -49,6 +49,9 @@ the following order:
 .It
 command-line options
 .It
+user's alternative configuration file
+.Pq Pa ~/.ssh/susshi_config
+.It
 user's configuration file
 .Pq Pa ~/.ssh/config
 .It
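Review bot: The guard `if ((options.proxy_command) || (options.jump_host))` in the new suSSHi block rejects any non-NULL proxy_command; if, as in upstream ssh.c, the value `none` is only normalised to NULL later in main(), a user who writes `ProxyCommand none` to cancel a global proxy will hit this fatal() even though no proxy is in effect, so the check should also accept `strcmp(options.proxy_command, "none") == 0`. The assignment `options.user = percent_expand(...)` drops the previous options.user string without freeing it, and since `user` already holds a copy, `free(options.user);` immediately before the assignment is safe. The composed login name uses `@` as its only separator with no escaping, so a target user or host that itself contains `@` is ambiguous on the gateway side; rejecting such values with a fatal() fails clearly rather than logging in as the wrong principal. Replacing `host` with the gateway here also means the original target is never canonicalised and its host key is never checked by this client, which the ssh.1 section in this patch should state. main() continues outside the hunk.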
@@ -1959,6 +1962,19 @@ has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. +.It Cm SusshiGateway +Specifies the name or IP address of a suSSHi gateway. This option allows +to continue using the normal ssh syntax for login_name (-l or <login_name> +@destination) and destination ans still pass the name or IP address of a +suSSHi gateway. +.It Cm SusshiProxy +Specifies a proxy realm used in conjunction with a suSSHi gateway. This +option allows to continue using the normal ssh syntax for login_name +(-l or <login_name>@destination) and destination and still pass a suSSHi proxy realm. +.It Cm SusshiUser +Specifies the name of a suSSHi gateway user. This option allows to continue +using the normal ssh syntax for login_name (-l or <login_name>@destination) +and destination and still pass a suSSHi login name. .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr ssh 1 . -- 2.43.0