diff options
author | green <green@FreeBSD.org> | 2001-03-20 02:06:40 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2001-03-20 02:06:40 +0000 |
commit | e1c06db9614adac5dbc0db3be048e6d3bb916b61 (patch) | |
tree | fe71e102a08e22c9c3eee0426a45576c1899fff7 /crypto/openssh/channels.c | |
parent | 67cc54d757c106c29d0172b918a9dde0ffa3bddf (diff) | |
download | FreeBSD-src-e1c06db9614adac5dbc0db3be048e6d3bb916b61.zip FreeBSD-src-e1c06db9614adac5dbc0db3be048e6d3bb916b61.tar.gz |
Make password attacks based on traffic analysis harder by requiring that
"non-echoed" characters are still echoed back in a null packet, as well
as pad passwords sent to not give hints to the length otherwise.
Obtained from: OpenBSD
Diffstat (limited to 'crypto/openssh/channels.c')
-rw-r--r-- | crypto/openssh/channels.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c index 81bd715..1abc940 100644 --- a/crypto/openssh/channels.c +++ b/crypto/openssh/channels.c @@ -40,6 +40,7 @@ */ #include "includes.h" +RCSID("$FreeBSD$"); RCSID("$OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $"); #include "ssh.h" @@ -192,6 +193,18 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, c->efd = efd; c->extended_usage = extusage; + /* XXX ugly hack: nonblock is only set by the server */ + if (nonblock && isatty(c->rfd)) { + debug("channel: %d: rfd %d isatty", c->self, c->rfd); + c->isatty = 1; + if (!isatty(c->wfd)) { + error("channel: %d: wfd %d is not a tty?", + c->self, c->wfd); + } + } else { + c->isatty = 0; + } + /* enable nonblocking mode */ if (nonblock) { if (rfd != -1) @@ -722,6 +735,20 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) } return -1; } + if (compat20 && c->isatty) { + struct termios tio; + if (tcgetattr(c->wfd, &tio) == 0 && + !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { + /* + * Simulate echo to reduce the impact of + * traffic analysis. + */ + packet_start(SSH2_MSG_IGNORE); + memset(buffer_ptr(&c->output), 0, len); + packet_put_string(buffer_ptr(&c->output), len); + packet_send(); + } + } buffer_consume(&c->output, len); if (compat20 && len > 0) { c->local_consumed += len; |