--- /dev/null
+config options
+
+TcpRcvBuf=[int]KB client
+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
+maximum socket size allowed by the system. This is useful in situations where
+the tcp receive window is set low but the maximum buffer size is set
+higher (as is typical). This works on a per TCP connection basis. You can also
+use this to artifically limit the transfer rate of the connection. In these
+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
+Default is the current system wide tcp receive buffer size.
+
+TcpRcvBufPoll=[yes/no] client/server
+ enable of disable the polling of the tcp receive buffer through the life
+of the connection. You would want to make sure that this option is enabled
+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
+default is no.
+
+NoneEnabled=[yes/no] client/server
+ enable or disable the use of the None cipher. Care must always be used
+when enabling this as it will allow users to send data in the clear. However,
+it is important to note that authentication information remains encrypted
+even if this option is enabled. Set to no by default.
+
+NoneSwitch=[yes/no] client
+ Switch the encryption cipher being used to the None cipher after
+authentication takes place. NoneEnabled must be enabled on both the client
+and server side of the connection. When the connection switches to the NONE
+cipher a warning is sent to STDERR. The connection attempt will fail with an
+error if a client requests a NoneSwitch from the server that does not explicitly
+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
+interactive (shell) sessions and it will fail silently. Set to no by default.
+
+HPNDisabled=[yes/no] client/server
+ In some situations, such as transfers on a local area network, the impact
+of the HPN code produces a net decrease in performance. In these cases it is
+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
+
+HPNBufferSize=[int]KB client/server
+ This is the default buffer size the HPN functionality uses when interacting
+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
+option as applied to the internal SSH flow control. This value can range from
+1KB to 14MB (1-14336). Use of oversized or undersized buffers can cause performance
+problems depending on the length of the network path. The default size of this buffer
u_int end; /* Offset of last byte containing data. */
} Buffer;
-#define BUFFER_MAX_CHUNK 0x100000
-#define BUFFER_MAX_LEN 0xa00000
-#define BUFFER_MAX_HPN_LEN (2<<29)-1
+#define BUFFER_MAX_CHUNK 0x100000 /*1MB*/
+#define BUFFER_MAX_LEN 0xa00000 /*10MB*/
+
+/* this value for BUFFER_MAX_HPN_LEN is */
+/* still undersized for the faster networks */
+/* it might make sense to have yet another */
+/* MAX_LEN for 10+GB networks. Something closer to */
+/* 128MB or 192MB -cjr*/
+#define BUFFER_MAX_HPN_LEN 0x2000000 /*32MB*/
void buffer_init(Buffer *);
void buffer_clear(Buffer *);
#include "pathnames.h"
#include "bufaux.h"
+
/* -- channel core */
/*
FD_SET(c->sock, writeset);
}
+int channel_tcpwinsz () {
+ u_int32_t tcpwinsz = 0;
+ socklen_t optsz = sizeof(tcpwinsz);
+ int ret = -1;
+ if(!packet_connection_is_on_socket())
+ return(131072);
+ ret = getsockopt(packet_get_connection_in(),
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+ if ((ret == 0) && tcpwinsz > BUFFER_MAX_HPN_LEN)
+ tcpwinsz = BUFFER_MAX_HPN_LEN;
+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz, packet_get_connection_in());
+ return(tcpwinsz);
+}
+
static void
channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
{
u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
-
+
/* check buffer limits */
- limit = MIN(limit, (BUFFER_MAX_HPN_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
+ if (!c->tcpwinsz)
+ c->tcpwinsz = channel_tcpwinsz();
+ if (c->dynamic_window > 0)
+ c->tcpwinsz = channel_tcpwinsz();
+
+ limit = MIN(limit, 2 * c->tcpwinsz);
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
c->local_window < c->local_window_max/2 &&
c->local_consumed > 0) {
- u_int32_t tcpwinsz = 0;
- socklen_t optsz = sizeof(tcpwinsz);
- int ret = -1;
- u_int32_t addition = 0;
- if (c->dynamic_window) {
- ret = getsockopt(packet_get_connection_in(),
- SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
- if ((ret == 0) && tcpwinsz > BUFFER_MAX_HPN_LEN)
- tcpwinsz = BUFFER_MAX_HPN_LEN;
- }
- if (c->dynamic_window && (ret == 0) &&
- (tcpwinsz > c->local_window_max)) {
- addition = tcpwinsz - c->local_window_max;
+ u_int addition = 0;
+ /* adjust max window size if we are in a dynamic environment */
+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
+ addition = c->tcpwinsz - c->local_window_max;
c->local_window_max += addition;
}
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
static int
channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port,
- const char *host_to_connect, u_short port_to_connect, int gateway_ports)
+ const char *host_to_connect, u_short port_to_connect, int gateway_ports,
+ int hpn_disabled, int hpn_buffer_size)
{
Channel *c;
int sock, r, success = 0, wildcard = 0, is_client;
continue;
}
/* Allocate a channel number for the socket. */
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
+ /* explicitly test for hpn disabled option. if true use smaller window size */
+ if (hpn_disabled)
+ c = channel_new("port listener", type, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
+ else
+ c = channel_new("port listener", type, sock, sock, -1,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
strlcpy(c->path, host, sizeof(c->path));
c->host_port = port_to_connect;
c->listening_port = listen_port;
/* protocol local port fwd, used by ssh (and sshd in v1) */
int
channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port,
- const char *host_to_connect, u_short port_to_connect, int gateway_ports)
+ const char *host_to_connect, u_short port_to_connect, int gateway_ports,
+ int hpn_disabled, int hpn_buffer_size)
{
return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER,
listen_host, listen_port, host_to_connect, port_to_connect,
- gateway_ports);
+ gateway_ports, hpn_disabled, hpn_buffer_size);
}
/* protocol v2 remote port fwd, used by sshd */
int
channel_setup_remote_fwd_listener(const char *listen_address,
- u_short listen_port, int gateway_ports)
+ u_short listen_port, int gateway_ports, int hpn_disabled, int hpn_buffer_size)
{
return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER,
- listen_address, listen_port, NULL, 0, gateway_ports);
+ listen_address, listen_port, NULL, 0, gateway_ports,
+ hpn_disabled, hpn_buffer_size);
}
/*
*/
void
-channel_input_port_forward_request(int is_root, int gateway_ports)
+channel_input_port_forward_request(int is_root, int gateway_ports,
+ int hpn_disabled, int hpn_buffer_size)
{
u_short port, host_port;
char *hostname;
/* Initiate forwarding */
channel_setup_local_fwd_listener(NULL, port, hostname,
- host_port, gateway_ports);
+ host_port, gateway_ports, hpn_disabled, hpn_buffer_size);
/* Free the argument string. */
xfree(hostname);
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
- int single_connection, u_int *display_numberp, int **chanids)
+ int single_connection, u_int *display_numberp, int **chanids,
+ int hpn_disabled, int hpn_buffer_size)
{
Channel *nc = NULL;
int display_number, sock;
*chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
+ if (hpn_disabled)
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
+ else
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
}
int dynamic_window;
int extended_usage;
int single_connection;
+ u_int tcpwinsz;
char *ctype; /* type */
#define CHAN_EXTENDED_WRITE 2
/* default window/packet sizes for tcp/x11-fwd-channel */
-#define CHAN_SES_PACKET_DEFAULT (32*1024)
-#define CHAN_SES_WINDOW_DEFAULT (0xa00000/2)
-#define CHAN_TCP_PACKET_DEFAULT (32*1024)
-#define CHAN_TCP_WINDOW_DEFAULT (0xa00000/2)
-#define CHAN_X11_PACKET_DEFAULT (16*1024)
-#define CHAN_X11_WINDOW_DEFAULT (0xa00000/2)
+#define CHAN_SES_PACKET_DEFAULT (32*1024)
+#define CHAN_SES_WINDOW_DEFAULT_HPN (160*CHAN_TCP_PACKET_DEFAULT)
+#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
+
+#define CHAN_TCP_PACKET_DEFAULT (32*1024)
+#define CHAN_TCP_WINDOW_DEFAULT_HPN (160*CHAN_TCP_PACKET_DEFAULT)
+#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
+
+#define CHAN_X11_PACKET_DEFAULT (16*1024)
+#define CHAN_X11_WINDOW_DEFAULT_HPN (4*CHAN_X11_PACKET_DEFAULT)
+#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
/* possible input states */
#define CHAN_INPUT_OPEN 0
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
void channel_clear_permitted_opens(void);
-void channel_input_port_forward_request(int, int);
+void channel_input_port_forward_request(int, int, int, int);
int channel_connect_to(const char *, u_short);
int channel_connect_by_listen_address(u_short);
void channel_request_remote_forwarding(const char *, u_short,
const char *, u_short);
int channel_setup_local_fwd_listener(const char *, u_short,
- const char *, u_short, int);
+ const char *, u_short, int, int, int);
void channel_request_rforward_cancel(const char *host, u_short port);
-int channel_setup_remote_fwd_listener(const char *, u_short, int);
+int channel_setup_remote_fwd_listener(const char *, u_short, int, int, int);
int channel_cancel_rport_listener(const char *, u_short);
/* x11 forwarding */
int x11_connect_display(void);
-int x11_create_display_inet(int, int, int, u_int *, int **);
+int x11_create_display_inet(int, int, int, u_int *, int **, int, int);
void x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *);
u_int i, len, env_len, command, flags;
uid_t euid;
gid_t egid;
+ int listen_port = 0;
+ int connect_port = 0;
+ char * listen_host = NULL;
+ char * connect_host = NULL;
/*
* Accept connection on control socket
command = buffer_get_int(&m);
flags = buffer_get_int(&m);
+ if (SSHMUX_FLAG_PORTFORWARD & flags)
+ {
+ listen_host = buffer_get_string(&m,NULL);
+ listen_port = buffer_get_int(&m);
+ connect_host = buffer_get_string(&m,NULL);
+ connect_port = buffer_get_int(&m);
+ }
buffer_clear(&m);
switch (command) {
return;
}
+ if (allowed && (SSHMUX_FLAG_PORTFORWARD & flags) && listen_host && connect_host)
+ {
+ int ret;
+ Forward * fwd;
+
+ fwd = &options.local_forwards[options.num_local_forwards++];
+ fwd->listen_host = xstrdup(listen_host);
+ fwd->listen_port = listen_port;
+ fwd->connect_host = xstrdup(connect_host);
+ fwd->connect_port = connect_port;
+ ret = channel_setup_local_fwd_listener(
+ options.local_forwards[options.num_local_forwards-1].listen_host,
+ options.local_forwards[options.num_local_forwards-1].listen_port,
+ options.local_forwards[options.num_local_forwards-1].connect_host,
+ options.local_forwards[options.num_local_forwards-1].connect_port,
+ options.gateway_ports, options.hpn_disabled, options.hpn_buffer_size);
+
+ }
+
+
+ if (listen_host)
+ xfree(listen_host);
+ if (connect_host)
+ xfree(connect_host);
+
/* Reply for SSHMUX_COMMAND_OPEN */
buffer_clear(&m);
buffer_put_int(&m, allowed);
set_nonblock(client_fd);
- c = channel_new("session", SSH_CHANNEL_OPENING,
- new_fd[0], new_fd[1], new_fd[2],
- CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
-
+ if (options.hpn_disabled)
+ c = channel_new("session", SSH_CHANNEL_OPENING,
+ new_fd[0], new_fd[1], new_fd[2],
+ CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
+ CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+ else
+ c = channel_new("session", SSH_CHANNEL_OPENING,
+ new_fd[0], new_fd[1], new_fd[2],
+ options.hpn_buffer_size, CHAN_SES_PACKET_DEFAULT,
+ CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
/* XXX */
c->ctl_fd = client_fd;
if (local) {
if (channel_setup_local_fwd_listener(fwd.listen_host,
fwd.listen_port, fwd.connect_host,
- fwd.connect_port, options.gateway_ports) < 0) {
+ fwd.connect_port, options.gateway_ports,
+ options.hpn_disabled, options.hpn_buffer_size) < 0) {
logit("Port forwarding failed.");
goto out;
}
xfree(listen_address);
return NULL;
}
- c = channel_new("forwarded-tcpip",
- SSH_CHANNEL_CONNECTING, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
- originator_address, 1);
+ if (options.hpn_disabled)
+ c = channel_new("forwarded-tcpip",
+ SSH_CHANNEL_CONNECTING, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
+ originator_address, 1);
+ else
+ c = channel_new("forwarded-tcpip",
+ SSH_CHANNEL_CONNECTING, sock, sock, -1,
+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
+ originator_address, 1);
xfree(originator_address);
xfree(listen_address);
return c;
sock = x11_connect_display();
if (sock < 0)
return NULL;
- c = channel_new("x11",
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ if (options.hpn_disabled)
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
c->force_drain = 1;
return c;
}
sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
- "authentication agent connection", 1);
+ if (options.hpn_disabled)
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
+ "authentication agent connection", 1);
+ else
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
+ "authentication agent connection", 1);
c->force_drain = 1;
return c;
}
#define SSHMUX_COMMAND_OPEN 1 /* Open new connection */
#define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */
#define SSHMUX_COMMAND_TERMINATE 3 /* Ask master to exit */
+#define SSHMUX_COMMAND_PORTFORWARD 4 /* Ask master to portforward */
#define SSHMUX_FLAG_TTY (1) /* Request tty on open */
#define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */
#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */
#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */
+#define SSHMUX_FLAG_PORTFORWARD (1<<4) /* Request portforward */
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"arcfour128,arcfour256,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
- "aes128-ctr,aes192-ctr,aes256-ctr,none"
+ "aes128-ctr,aes192-ctr,aes256-ctr"
+#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
+ ",none"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
+ oHPNBufferSize,
oDeprecated, oUnsupported
} OpCodes;
{ "tunneldevice", oTunnelDevice },
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
+ { "noneenabled", oNoneEnabled },
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
+ { "noneswitch", oNoneSwitch },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
{ NULL, oBadOption }
};
intptr = &options->check_host_ip;
goto parse_flag;
+ case oNoneEnabled:
+ intptr = &options->none_enabled;
+ goto parse_flag;
+
+ case oNoneSwitch:
+ intptr = &options->none_switch;
+ goto parse_flag;
+
+ case oHPNDisabled:
+ intptr = &options->hpn_disabled;
+ goto parse_flag;
+
+ case oHPNBufferSize:
+ intptr = &options->hpn_buffer_size;
+ goto parse_int;
+
+ case oTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
+
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
goto parse_yesnoask;
+
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
parse_yesnoask:
intptr = &options->connection_attempts;
goto parse_int;
+ case oTcpRcvBuf:
+ intptr = &options->tcp_rcv_buf;
+ goto parse_int;
+
case oCipher:
intptr = &options->cipher;
arg = strdelim(&s);
options->verify_host_key_dns = -1;
options->server_alive_interval = -1;
options->server_alive_count_max = -1;
- options->none_switch = -1;
options->num_send_env = 0;
options->control_path = NULL;
options->control_master = -1;
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
+ options->none_switch = -1;
+ options->none_enabled = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
}
/*
options->server_alive_count_max = 3;
if (options->none_switch == -1)
options->none_switch = 0;
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+ if (options->hpn_buffer_size == -1)
+ options->hpn_buffer_size = 2*1024*1024;
+ else {
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /*limit the buffer to 7MB*/
+ if (options->hpn_buffer_size > 7168)
+ options->hpn_buffer_size = 7168;
+ options->hpn_buffer_size *=1024;
+ }
+ if (options->tcp_rcv_buf == 0)
+ options->tcp_rcv_buf = 1;
+ if (options->tcp_rcv_buf > -1)
+ options->tcp_rcv_buf *=1024;
if (options->control_master == -1)
options->control_master = 0;
if (options->hash_known_hosts == -1)
* (best). */
int tcp_keep_alive; /* Set SO_KEEPALIVE. */
int tcp_rcv_buf; /* user switch to set tcp recv buffer */
+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
+ int hpn_disabled; /* Switch to disable HPN buffer management */
+ int hpn_buffer_size; /* User definable size for HPN buffer window */
+
LogLevel log_level; /* Level for logging. */
int port; /* Port to connect. */
int enable_ssh_keysign;
int rekey_limit;
- int none_switch;
+ int none_switch; /* use none cipher */
+ int none_enabled; /* Allow none to be used */
int no_host_authentication_for_localhost;
int identities_only;
int server_alive_interval;
addargs(&args, "-oClearAllForwardings yes");
fflag = tflag = 0;
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246zS:o:F:R:")) != -1)
+ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246zS:o:F:w:")) != -1)
switch (ch) {
/* User-visible flags. */
case '1':
setmode(0, O_BINARY);
#endif
break;
- case 'R':
- addargs(&args, "-r%s", optarg);
- break;
+ case 'w':
+ addargs(&args, "-w%s", optarg);
+ break;
default:
usage();
}
(void) atomicio(vwrite, remout, buf, strlen(buf));
if (response() < 0)
goto next;
- if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
+ if ((bp = allocbuf(&buffer, fd, sizeof(buf))) == NULL) {
next: if (fd != -1) {
(void) close(fd);
fd = -1;
{
(void) fprintf(stderr,
"usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
- " [-l limit] [-o ssh_option] [-P port] [-R Receive buffer size (Kb)] [-S program]\n"
+ " [-l limit] [-o ssh_option] [-P port] [-w buffer size] [-S program]\n"
" [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
exit(1);
}
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
/* Needs to be accessable in many places */
use_privsep = -1;
void
fill_default_server_options(ServerOptions *options)
{
+
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+
+ if (options->hpn_buffer_size == -1)
+ options->hpn_buffer_size = 2*1024*1024;
+ else {
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /* limit the maximum buffer to 7MB */
+ if (options->hpn_buffer_size > 7168)
+ options->hpn_buffer_size = 7168;
+ options->hpn_buffer_size *=1024;
+ }
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
+
+
#ifndef HAVE_MMAP
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
- sUsePrivilegeSeparation,
+ sUsePrivilegeSeparation, sNoneEnabled, sTcpRcvBufPoll,
+ sHPNDisabled, sHPNBufferSize,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
{ "useprivilegeseparation", sUsePrivilegeSeparation},
{ "acceptenv", sAcceptEnv },
+ { "noneenabled", sNoneEnabled },
+ { "hpndisabled", sHPNDisabled },
+ { "hpnbuffersize", sHPNBufferSize },
+ { "tcprcvbufpoll", sTcpRcvBufPoll },
{ "permittunnel", sPermitTunnel },
{ NULL, sBadOption }
};
u_int i;
for (i = 0; keywords[i].name; i++)
- if (strcasecmp(cp, keywords[i].name) == 0)
- return keywords[i].opcode;
-
+ if (strcasecmp(cp, keywords[i].name) == 0){
+ debug ("TOKEN IS %s", keywords[i].name);
+ return keywords[i].opcode;}
error("%s: line %d: Bad configuration option: %s",
filename, linenum, cp);
return sBadOption;
intptr = NULL;
charptr = NULL;
opcode = parse_token(arg, filename, linenum);
+
switch (opcode) {
/* Portable-specific options */
case sUsePAM:
*intptr = value;
break;
+ case sNoneEnabled:
+ intptr = &options->none_enabled;
+ goto parse_flag;
+
+ case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
+
+ case sHPNDisabled:
+ intptr = &options->hpn_disabled;
+ goto parse_flag;
+
+ case sHPNBufferSize:
+ intptr = &options->hpn_buffer_size;
+ goto parse_int;
+
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
char *authorized_keys_file2;
int use_pam; /* Enable auth via PAM */
+ int none_enabled; /* enable NONE cipher switch */
+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
+ int hpn_disabled; /* disable hpn functionality. false by default */
+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
int permit_tun;
} ServerOptions;
xfree(originator);
if (sock < 0)
return NULL;
- c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING,
- sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
- CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1);
+ if (options.hpn_disabled)
+ c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING,
+ sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
+ CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1);
+ else
+ c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING,
+ sock, sock, -1, options.hpn_buffer_size,
+ CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1);
return c;
}
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ if (options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (mode == SSH_TUNMODE_POINTOPOINT)
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
- if (!(datafellows & SSH_BUG_LARGEWINDOW))
+ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled))
c->dynamic_window = 1;
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
} else {
/* Start listening on the port */
success = channel_setup_remote_fwd_listener(
- listen_address, listen_port, options.gateway_ports);
+ listen_address, listen_port, options.gateway_ports,
+ options.hpn_disabled, options.hpn_buffer_size);
}
xfree(listen_address);
} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
packet_disconnect("listen: %.100s", strerror(errno));
/* Allocate a channel for the authentication agent socket. */
+ /* this shouldn't matter if its hpn or not - cjr */
nc = channel_new("auth socket",
SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
break;
}
debug("Received TCP/IP port forwarding request.");
- channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
+ channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports,
+ options.hpn_disabled,
+ options.hpn_buffer_size);
success = 1;
break;
*/
if (s->chanid == -1)
fatal("no channel for session %d", s->self);
- channel_set_fds(s->chanid,
- fdout, fdin, fderr,
- fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1,
- CHAN_SES_WINDOW_DEFAULT);
+ if(options.hpn_disabled)
+ channel_set_fds(s->chanid,
+ fdout, fdin, fderr,
+ fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1,
+ CHAN_SES_WINDOW_DEFAULT);
+ else
+ channel_set_fds(s->chanid,
+ fdout, fdin, fderr,
+ fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1,
+ options.hpn_buffer_size);
}
/*
}
if (x11_create_display_inet(options.x11_display_offset,
options.x11_use_localhost, s->single_connection,
- &s->display_number, &s->x11_chanids) == -1) {
+ &s->display_number, &s->x11_chanids,
+ options.hpn_disabled, options.hpn_buffer_size) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
ll = SYSLOG_LEVEL_INFO;
infile = stdin;
- while ((ch = getopt(argc, argv, "1hvCo:s:S:b:B:F:P:R:z")) != -1) {
+ while ((ch = getopt(argc, argv, "1hvCo:s:S:b:B:F:P:R:")) != -1) {
switch (ch) {
case 'C':
addargs(&args, "-C");
optarg);
break;
case 'h':
- case 'z':
- addargs(&args, "-%c", ch);
- break;
default:
usage();
}
usage(void)
{
fprintf(stderr,
-"usage: ssh [-1246AaCfgkMNnqrsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
" [-w tunnel:tunnel] [user@]hostname [command]\n"
-" [-r Receive Buffer Size in K]\n"
);
exit(255);
}
/* Parse command-line arguments. */
host = NULL;
- /* need to set options.tcp_rcv_buf to 0 */
- options.tcp_rcv_buf = 0;
again:
while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qrstvxACD:F:I:L:MNO:PR:S:TVw:XYz")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
case 'F':
config = optarg;
break;
- case 'r':
- options.tcp_rcv_buf = atoi(optarg) * 1024;
- break;
case 'z':
/* make sure we can't turn on the none_switch */
/* if they try to force a no tty flag on a tty session */
options.local_forwards[i].listen_port,
options.local_forwards[i].connect_host,
options.local_forwards[i].connect_port,
- options.gateway_ports);
+ options.gateway_ports, options.hpn_disabled,
+ options.hpn_buffer_size);
}
if (i > 0 && success == 0)
error("Could not request local forwarding.");
debug("Requesting tun.");
if ((fd = tun_open(options.tun_local,
options.tun_open)) >= 0) {
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
+ if(options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ else
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
if (!isatty(err))
set_nonblock(err);
- window = CHAN_SES_WINDOW_DEFAULT;
+ if(options.hpn_disabled)
+ window = CHAN_SES_WINDOW_DEFAULT;
+ else
+ window = options.hpn_buffer_size;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (tty_flag) {
window = 4*CHAN_SES_PACKET_DEFAULT;
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
- if (!tty_flag && (!(datafellows & SSH_BUG_LARGEWINDOW))) {
+ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
c->dynamic_window = 1;
+ debug ("Enabled Dynamic Window Scaling\n");
}
debug3("ssh_session2_open: channel_new: %d", c->self);
flags |= SSHMUX_FLAG_X11_FWD;
if (options.forward_agent)
flags |= SSHMUX_FLAG_AGENT_FWD;
-
+ if (options.num_local_forwards > 0)
+ flags |= SSHMUX_FLAG_PORTFORWARD;
buffer_init(&m);
/* Send our command to server */
buffer_put_int(&m, mux_command);
buffer_put_int(&m, flags);
+ if (options.num_local_forwards > 0)
+ {
+ if (options.local_forwards[0].listen_host == NULL)
+ buffer_put_string(&m,"LOCALHOST",11);
+ else
+ buffer_put_string(&m,options.local_forwards[0].listen_host,512);
+ buffer_put_int(&m,options.local_forwards[0].listen_port);
+ buffer_put_string(&m,options.local_forwards[0].connect_host,512);
+ buffer_put_int(&m,options.local_forwards[0].connect_port);
+ }
if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
fatal("%s: msg_send", __func__);
buffer_clear(&m);
return 0;
}
+/*
+ * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is
+ * created but before the connection happens
+ * so winscale is negotiated properly -cjr
+ */
+static void
+ssh_set_socket_recvbuf(int sock)
+{
+ void *buf = (void *)&options.tcp_rcv_buf;
+ int sz = sizeof(options.tcp_rcv_buf);
+ int socksize;
+ int socksizelen = sizeof(int);
+
+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
+ }
+ else
+ error("Couldn't set socket receive buffer to %d: %.100s",
+ options.tcp_rcv_buf, strerror(errno));
+}
+
+
/*
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
else
debug("Allocated local port %d.", p);
-
- /* tuning needs to happen after the socket is */
- /* created but before the connection happens */
- /* so winscale is negotiated properly -cjr */
-
- /* Set tcp receive buffer if requested */
- if (options.tcp_rcv_buf)
- {
- if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- (void *)&options.tcp_rcv_buf,
- sizeof(options.tcp_rcv_buf)) >= 0)
- {
- debug("setsockopt SO_RCVBUF: %.100s", strerror(errno));
- }
- else
- {
- /* coudln't set the socket size to use spec. */
- /* should default to system param and continue */
- /* warn the user though - cjr */
- error("Couldn't set socket receive buffer as requested. Continuing anyway.");
- }
- }
+ if (options.tcp_rcv_buf > 0)
+ ssh_set_socket_recvbuf(sock);
return sock;
}
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0)
error("socket: %.100s", strerror(errno));
- /* tuning needs to happen after the socket is */
- /* created but before the connection happens */
- /* so winscale is negotiated properly -cjr */
-
- /* Set tcp receive buffer if requested */
- if (options.tcp_rcv_buf)
- {
- if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- (void *)&options.tcp_rcv_buf,
- sizeof(options.tcp_rcv_buf)) >= 0)
- {
- debug("setsockopt SO_RCVBUF: %.100s", strerror(errno));
- }
- else
- {
- /* coudln't set the socket size to use spec. */
- /* should default to system param and continue */
- /* warn the user though - cjr */
- error("Couldn't set socket receive buffer as requested. Continuing anyway.");
- }
- }
+ if (options.tcp_rcv_buf > 0)
+ ssh_set_socket_recvbuf(sock);
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- }
+ }
+
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
myproposal[PROPOSAL_ENC_ALGS_STOC] =
pubkey_cleanup(&authctxt);
dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
- if ((options.none_switch == 1) && !tty_flag) /* no null on tty sessions */
+ if ((options.none_switch == 1) && (options.none_enabled == 1) && !tty_flag) /* no null on tty sessions */
{
debug("Requesting none rekeying...");
myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (options.none_enabled == 1) {
+ debug ("WARNING: None cipher enabled");
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
#MaxStartups 10
#PermitTunnel no
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
# no default banner path
#Banner /some/path
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+# the following are HPN related configuration options
+# tcp receive buffer polling. enable in autotuning kernels
+#TcpRcvBufPoll no
+
+# allow the use of the none cipher
+#NoneEnabled no
+
+# disable hpn performance boosts.
+#HPNDisabled no
+
+# buffer size for hpn to non-hn connections
+#HPNBufferSize 2048
+
#define SSH_VERSION "OpenSSH_4.3"
-#define SSH_PORTABLE "p2"
-#define SSH_HPN "-hpn"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+#define SSH_PORTABLE "p2"
+#define SSH_HPN "-hpn"
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+