IETF-SSH archive


Re: last-call issues..



Niels Möller writes:
> I think he's saying that if filtering is done at the server end,
> clients need not know about it, and it's therefore not a protocol
> issue at all.

I don't want the transport/connection layer server/client to know too
much about the subsystem protocol. The subsystem client/server DO know 
about the subsystem protocol and they CAN detect if the input is valid 
subsystem protocol or not. If it is not, then they can ignore stuff
until they see something familiar....

> If you just use the first SSH_FXP_VERSION packet as the cookie, that's
> no problem (except that lshd doesn't do any filtering).

Yes, I exactly think that SSH_FXP_VERSION would be used as a magic
cookie, but transport/connection layer server/client does not need to
know anything about that. They just let everything through. The other
end sftp client/server will know that the first packet will contain
xxxx xxxx 02 0000 0003 ... and they should ignore everything before
they see that coming from the stdin. 

> A different problem is that the server needs to know how to recognize
> the start of the real communication for each subsystem. That's a
> little painful for those who implement filtering, but I think that is
> the price you have to pay in order to keep the clients from knowing
> about the ugliness. And it shouldn't be too difficult, you can have a
> simple table like

Simply make the client say:

	while (check_if_valid_subsystem_version_packet(input_packet, len) == FAIL) {
		input_packet++, len--;
		/* Read more data if there isn't enough in the
		  input_buffer. */
	}

and then, when it succeeds, start the real protocol code. Both your
server and client MUST do that already, because there can be extra
junk before the SSH-2.0-xxxx version string.

I don't want to put this code in the transport/connection
server/client, I want to put it in the subsystem server/client, as it
knows about the subsystem protocol. Also it is not a MUST to specify
such a thing in the subsystem protocol, but it might be a good idea to add
the text saying so to the subsystem protocol specification.
-- 
kivinen%ssh.fi@localhost                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
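
The skip-until-version scan described in the message above, written out as an added example (not code from the original post or from any SSH implementation). The function names, the 4096-byte cap on the length field and the 65536-byte cap on skipped junk are assumptions; the caps keep a peer that never sends the version packet from holding the scanner in the loop forever.

```c
#include <stddef.h>
#include <stdint.h>

#define SSH_FXP_VERSION 2     /* type byte, the "02" in the message */
#define SFTP_VERSION    3     /* the "0000 0003" in the message */
#define HDR_LEN         9     /* uint32 length + type byte + uint32 version */
#define MAX_PKT_LEN     4096  /* assumed cap on the length field */
#define MAX_JUNK        65536 /* assumed cap on bytes skipped before giving up */

enum scan { SCAN_FOUND, SCAN_NEED_MORE, SCAN_GIVE_UP };

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Does buf (at least HDR_LEN bytes) start with a plausible version packet? */
static int is_version_header(const unsigned char *buf)
{
    uint32_t plen = get_u32(buf);
    if (plen < 5 || plen > MAX_PKT_LEN)   /* must hold type + version */
        return 0;
    return buf[4] == SSH_FXP_VERSION && get_u32(buf + 5) == SFTP_VERSION;
}

/*
 * Scan buf[0..len) for the version packet. skipped counts junk bytes already
 * discarded by earlier calls. On SCAN_FOUND, *off is where the packet starts.
 * On SCAN_NEED_MORE, the first *off bytes are junk and can be dropped; the
 * tail (fewer than HDR_LEN bytes) must be kept and retried with more data.
 */
enum scan find_version_packet(const unsigned char *buf, size_t len,
                              size_t skipped, size_t *off)
{
    size_t i = 0;
    for (; len - i >= HDR_LEN; i++) {
        *off = i;
        if (skipped + i > MAX_JUNK)
            return SCAN_GIVE_UP;
        if (is_version_header(buf + i))
            return SCAN_FOUND;
    }
    *off = i;
    return skipped + i > MAX_JUNK ? SCAN_GIVE_UP : SCAN_NEED_MORE;
}
```

A junk prefix can by chance contain bytes that look like the header, so the caller should still treat the rest of the matched packet as untrusted input and fail the session if it does not parse.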


