Prevent unknown ssh requests from terminating sessions
Instead of returning and aborting a session if an unknown request
is received, servers now log a warning and continue on.
rosstimothy committed Mar 30, 2023
1 parent 65106a1 commit 70213a1
Showing 3 changed files with 45 additions and 6 deletions.
9 changes: 7 additions & 2 deletions lib/srv/forward/sshserver.go
Expand Up @@ -1135,8 +1135,13 @@ func (s *Server) dispatch(ctx context.Context, ch ssh.Channel, req *ssh.Request,
case sshutils.PuTTYWinadjRequest:
return s.handlePuTTYWinadj(ch, req)
default:
return trace.BadParameter(
"%v doesn't support request type '%v'", s.Component(), req.Type)
s.log.Warnf("%v doesn't support request type '%v'", s.Component(), req.Type)
if req.WantReply {
if err := req.Reply(false, nil); err != nil {
s.log.Errorf("sending error reply on SSH channel: %v", err)
}
}
return nil
}
}

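Review bot: The new `default:` branch writes `req.Type`, a string chosen by the remote peer, into a Warn entry with `%v`, and because the session now stays open the same client can repeat unknown requests and produce one entry per request. Formatting the value with `%q`, as in `s.log.Warnf("%v doesn't support request type %q", s.Component(), req.Type)`, keeps control characters and newlines from reaching the log unescaped if the formatter does not already escape them. It would also be worth bounding the volume, for example by logging at Debug after the first occurrence in a session. The same applies to both `default:` branches changed in lib/srv/regular/sshserver.go. dispatch begins above this hunk, so its other cases are not visible here.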
18 changes: 14 additions & 4 deletions lib/srv/regular/sshserver.go
Expand Up @@ -1590,8 +1590,13 @@ func (s *Server) dispatch(ctx context.Context, ch ssh.Channel, req *ssh.Request,
s.Logger.Debugf("%v: deliberately ignoring request for '%v' channel", s.Component(), sshutils.PuTTYSimpleRequest)
return nil
default:
return trace.BadParameter(
"(%v) proxy doesn't support request type '%v'", s.Component(), req.Type)
s.Logger.Warnf("(%v) proxy doesn't support request type '%v'", s.Component(), req.Type)
if req.WantReply {
if err := req.Reply(false, nil); err != nil {
s.Logger.Errorf("sending error reply on SSH channel: %v", err)
}
}
return nil
}
}

Expand Down Expand Up @@ -1688,8 +1693,13 @@ func (s *Server) dispatch(ctx context.Context, ch ssh.Channel, req *ssh.Request,
case sshutils.PuTTYWinadjRequest:
return s.handlePuTTYWinadj(ch, req)
default:
return trace.BadParameter(
"%v doesn't support request type '%v'", s.Component(), req.Type)
s.Logger.Warnf("%v doesn't support request type '%v'", s.Component(), req.Type)
if req.WantReply {
if err := req.Reply(false, nil); err != nil {
s.Logger.Errorf("sending error reply on SSH channel: %v", err)
}
}
return nil
}
}

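Review bot: Both `default:` branches in this file (and the one in lib/srv/forward/sshserver.go) now send the failure reply themselves and then return nil, so the caller of dispatch cannot distinguish an unsupported request from one that was handled. The caller is outside these hunks; if it acknowledges with a success reply whenever dispatch returns nil and `req.WantReply` is set, the client would get two replies for one request and later replies would be matched to the wrong requests. If that is the case, setting `req.WantReply = false` after the `req.Reply(false, nil)` call would prevent the second reply. Either way a comment on the branch stating who owns the reply, e.g. `// reply sent here; returning an error would end the session`, would make the contract clear.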
24 changes: 24 additions & 0 deletions lib/srv/regular/sshserver_test.go
Expand Up @@ -1695,6 +1695,30 @@ func TestEnvs(t *testing.T) {
}
}

// TestUnknownRequest validates that any unknown session
// requests do not terminate the session.
func TestUnknownRequest(t *testing.T) {
t.Parallel()
ctx := context.Background()

f := newFixtureWithoutDiskBasedLogging(t)

se, err := f.ssh.clt.NewSession(ctx)
require.NoError(t, err)
defer se.Close()

// send a random request that won't be handled
ok, err := se.SendRequest(ctx, uuid.NewString(), true, nil)
require.NoError(t, err)
require.False(t, ok)

// ensure the session is still active
require.NoError(t, se.Setenv(ctx, "HOME_TEST", "/test"))
output, err := se.Output(ctx, "env")
require.NoError(t, err)
require.Contains(t, string(output), "HOME_TEST=/test")
}

// TestNoAuth tries to log in with no auth methods and should be rejected
func TestNoAuth(t *testing.T) {
t.Parallel()
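Review bot: TestUnknownRequest sends a single unknown request with wantReply set to true, so the path where no reply is requested is not exercised, and neither (as far as this page shows) are the forward server or the proxy `default:` branch changed in the same commit. A second call such as `se.SendRequest(ctx, uuid.NewString(), false, nil)` before the Setenv check would cover the no-reply path. Sending several unknown requests in a row before checking `env` would also confirm that the session survives repeated unsupported requests rather than just one.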
