IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: last-call issues..
Niels Möller writes:
> I think he's saying that if filtering is done at the server end,
> clients need not know about it, and it's therefore not a protocol
> issue at all.
I don't want the transport/connection layer server/client to know too
much about the subsystem protocol. The subsystem client/server DO know
about the subsystem protocol and they CAN detect if the input is valid
subsystem protocol or not. If it is not, then they can ignore stuff
until they see something familiar....
> If you just use the first SSH_FXP_VERSION packet as the cookie, that's
> no problem (except that lshd doesn't do any filtering).
Yes, I exactly think that SSH_FXP_VERSION would be used as a magic
cookie, but transport/connection layer server/client does not need to
know anything about that. They just let everything through. The other
end sftp client/server will know that the first packet will contain
xxxx xxxx 02 0000 0003 ... and they should ignore everything before
they see that coming from the stdin.
> A different problem is that the server needs to know how to recognize
> the start of the real communication for each subsystem. That's a
> little painful for those who implement filtering, but I think that is
> the price you have to pay in order to keep the clients from knowing
> about the ugliness. And it shouldn't be too difficult, you can have a
> simple table like
Simply make the client to say:
while (check_if_valid_subsystem_version_packet(input_packet, len) == FAIL) {
input_packet++, len--;
/* Read more data if there isn't enough in the
input_buffer. */
}
and then when succeeds, then start the real protocol code. Both your
server and client MUST do that already, because there can be extra
junk before the SSH-2.0-xxxx version string.
I don't want to put this code to the transport/connection
server/client, I want to put to the subsystem server/client, as it
knows about the subsystem protocol. Also it is not MUST to specify
such thing in the subsystem protocol, but it might be good idea to add
the text saying so to the subsystem protocol specificiation.
--
kivinen%ssh.fi@localhost Work : +358 303 9870
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
Home |
Main Index |
Thread Index |
Old Index