
[RFC] Add hash token to ControlPath
Hi.

Last night on an irc openssh channel, a user brought up a use
case involving cluster trees and very descriptive (i.e. long)
hierarchical hostnames.

To make a long story short, his ControlPath (~/.ssh/control-master
/%r@%h:%p) was bumping up against UNIX_PATH_MAX.

Attached patch adds a new percent-token (%H) that expands to the
sha1 digest of the concatenation of host (%h) + port (%p) + remote
user (%r). The token's expanded length is a fixed 40 characters
and, barring digest collision, provides uniqueness.

The patch was built against 6.5p1 but applies (with harmless
offsets) to OpenBSD HEAD.

--mancha
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [RFC] Add hash token to ControlPath
mancha <mancha1 <at> hush.com> writes:
> Attached patch adds a new percent-token (%H) that expands to the
> sha1 digest of the concatenation of host (%h) + port (%p) + remote
> user (%r). The token's expanded length is a fixed 40 characters
> and, barring digest collision, provides uniqueness.
>
> The patch was built against 6.5p1 but applies (with harmless
> offsets) to OpenBSD HEAD.
>
> --mancha

Apologies but it seems the ML strips attachments. Rather than risk
whitespace debacles with inline patches, I've placed it here:

http://sf.net/projects/mancha/files/misc/openssh-6.5p1-mux-hash.diff

Re: [RFC] Add hash token to ControlPath
On Thu, Mar 06, 2014 at 18:37:21 +0000, mancha wrote:
> Hi.
>
> Last night on an irc openssh channel, a user brought up a use
> case involving cluster trees and very descriptive (i.e. long)
> hierarchical hostnames.
>
> To make a long story short, his ControlPath (~/.ssh/control-master
> /%r@%h:%p) was bumping up against UNIX_PATH_MAX.
>
> Attached patch adds a new percent-token (%H) that expands to the
> sha1 digest of the concatenation of host (%h) + port (%p) + remote
> user (%r). The token's expanded length is a fixed 40 characters
> and, barring digest collision, provides uniqueness.
>
> The patch was built against 6.5p1 but applies (with harmless
> offsets) to OpenBSD HEAD.
>
> --mancha

I suppose the IP address of the destination host is not known at the
time that the socket is created or initially accessed; but if it is,
adding a macro for the IP address might be an alternative approach.

With regard to your suggestion, it might also be worthwhile including
the client hostname in the hash to cover scenarios where the sockets are
created in shared filesystems. I'm also a little hesitant about using
%H; in analogy to %l and %L, %H should be the first component of the
destination's name. Perhaps %M or %S?

I'm not sure if the work being done to allow OpenSSH to be built without
OpenSSL includes SHA-1 support. I assume that it does, but I haven't
gotten around to looking at the code. If it doesn't, it might be
necessary to use MD5 instead.

--
Iain Morgan
Re: [RFC] Add hash token to ControlPath
Iain Morgan <imorgan <at> nas.nasa.gov> writes:
>
> On Thu, Mar 06, 2014 at 18:37:21 +0000, mancha wrote:
> > Hi.
> >
> > Last night on an irc openssh channel, a user brought up a use
> > case involving cluster trees and very descriptive (i.e. long)
> > hierarchical hostnames.
> >
> > To make a long story short, his ControlPath (~/.ssh/control-master
> > /%r <at> %h:%p) was bumping up against UNIX_PATH_MAX.
> >
> > Attached patch adds a new percent-token (%H) that expands to the
> > sha1 digest of the concatenation of host (%h) + port (%p) + remote
> > user (%r). The token's expanded length is a fixed 40 characters
> > and, barring digest collision, provides uniqueness.
> >
> > The patch was built against 6.5p1 but applies (with harmless
> > offsets) to OpenBSD HEAD.
> >
> > --mancha
>
> I suppose the IP address of the destination host is not known at the
> time that the socket is created or initially accessed; but if it is,
> adding a macro for the IP address might be an alternative approach.
>
> With regard to your suggestion, it might also be worthwhile including
> the client hostname in the hash to cover scenarios where the sockets are
> created in shared filesystems. I'm also a little hesitant about using
> %H; in analogy to %l and %L, %H should be the first component of the
> destination's name. Perhaps %M or %S?
>
> I'm not sure if the work being done to allow OpenSSH to be built without
> OpenSSL includes SHA-1 support. I assume that it does, but I haven't
> gotten around to looking at the code. If it doesn't, it might be
> necessary to use MD5 instead.
>

Iain, many thanks for your good comments. I've made the following
changes:

1. Digest is based on lhost(%l) + rhost(%h) + rport(%p) + ruser(%r)
2. Macro is %D
3. ssh_digest_* wrappers are used to future proof

If SHA1 is no longer supported in the future, MD5 can be used by
changing two lines.

Patch:
http://sf.net/projects/mancha/files/misc/openssh-6.5p1-mux-hash.diff

--mancha

Re: [RFC] Add hash token to ControlPath
On Thu, 6 Mar 2014, mancha wrote:

> Apologies but it seems the ML strips attachments. Rather than risk
> whitespace debacles with inline patches, I've placed it here:

The list will pass text/plain and text/x-patch attachments.

> http://sf.net/projects/mancha/files/misc/openssh-6.5p1-mux-hash.diff

You may want to open a bug at https://bugzilla.mindrot.org/

--
Tim Rice Multitalents
tim@multitalents.net

Re: [RFC] Add hash token to ControlPath
On Fri, Mar 7, 2014 at 7:36 AM, mancha <mancha1@hush.com> wrote:
[...]
> 1. Digest is based on lhost(%l) + rhost(%h) + rport(%p) + ruser(%r)
> 2. Macro is %D

Here's the currently implemented % expansions across all the tools
(the intention being to prevent any new conflicts or inconsistencies).

http://www.dtucker.net/openssh/percent_expand_opts.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: [RFC] Add hash token to ControlPath
Darren Tucker <dtucker <at> zip.com.au> writes:
>
> On Fri, Mar 7, 2014 at 7:36 AM, mancha <mancha1 <at> hush.com> wrote:
> [...]
> > 1. Digest is based on lhost(%l) + rhost(%h) + rport(%p) + ruser(%r)
> > 2. Macro is %D
>
> Here's the currently implemented % expansions across all the tools
> (the intention being to prevent any new conflicts or inconsistencies).
>
> http://www.dtucker.net/openssh/percent_expand_opts.html
>

That table was really helpful - thanks.

I've settled on %m (for "message digest") to avoid any confusion.

New patch is up:

http://sf.net/projects/mancha/files/misc/openssh-6.5p1-mux-hash.diff

--mancha
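The expansion mancha describes (a SHA-1 digest of %l + %h + %p + %r, finally named %m), as an added example that is not code from the patch or from OpenSSH: a small token expander with the digest token, plus the sun_path length check that motivated the thread. The hostname, home directory and UNIX_PATH_MAX value are constructed assumptions for the example.

```python
import hashlib

# sizeof(sun_path) for AF_UNIX sockets: 108 on Linux, 104 on the BSDs (assumed here).
# OpenSSH refuses a ControlPath that does not fit, so an over-long
# expansion fails when the multiplexing socket is set up.
UNIX_PATH_MAX = 108

# Constructed sample values: a deep cluster-tree hostname like the one
# that prompted the thread, and a typical expanded ControlPath prefix.
LONG_HOST = "node0042.rack17.row03.hall-b.hpc.compute.cluster.research.example.org"
PATH_PREFIX = "/home/alice/.ssh/control-master/"

def control_path_digest(lhost: str, rhost: str, rport: int, ruser: str) -> str:
    """SHA-1 over lhost + rhost + rport + ruser (plain concatenation, as in the thread), 40 hex chars."""
    return hashlib.sha1(f"{lhost}{rhost}{rport}{ruser}".encode()).hexdigest()

def percent_expand(template: str, lhost: str, rhost: str, rport: int, ruser: str) -> str:
    """Expand %l, %h, %p, %r, %m (digest of the four) and %% in a ControlPath template."""
    tokens = {
        "l": lhost,
        "h": rhost,
        "p": str(rport),
        "r": ruser,
        "m": control_path_digest(lhost, rhost, rport, ruser),
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        # A trailing '%' or an unknown token is a configuration error.
        if i + 1 >= len(template) or template[i + 1] not in tokens:
            raise ValueError(f"bad percent token at offset {i} in {template!r}")
        out.append(tokens[template[i + 1]])
        i += 2
    return "".join(out)

def fits_unix_path(path: str) -> bool:
    """True if the expanded path plus its NUL terminator fits in sun_path."""
    return len(path.encode()) < UNIX_PATH_MAX

if __name__ == "__main__":
    for tmpl in ("%r@%h:%p", "%m"):
        path = percent_expand(PATH_PREFIX + tmpl, "workstation.example.org", LONG_HOST, 22, "alice")
        print(f"{len(path):3d} {'fits' if fits_unix_path(path) else 'TOO LONG'} {path}")
```

The %r@%h:%p form grows with the hostname and overruns sun_path for the sample host, while the %m form has a fixed length regardless of input.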

Re: [RFC] Add hash token to ControlPath
On Fri, Mar 07, 2014 at 04:11:17AM +0000, mancha wrote:
> Darren Tucker <dtucker@zip.com.au> writes:
> >
> > On Fri, Mar 7, 2014 at 7:36 AM, mancha <mancha1@hush.com> wrote:
> > [...]
> > > 1. Digest is based on lhost(%l) + rhost(%h) + rport(%p) + ruser(%r)
> > > 2. Macro is %D
> >
> > Here's the currently implemented % expansions across all the tools
> > (the intention being to prevent any new conflicts or
> > inconsistencies).
> >
> > http://www.dtucker.net/openssh/percent_expand_opts.html
> >
>
> That table was really helpful - thanks.
>
> I've settled on %m (for "message digest") to avoid any confusion.
>
> New patch is up:
>
> http://sf.net/projects/mancha/files/misc/openssh-6.5p1-mux-hash.diff
>
> --mancha
>

Hello.

I've updated the mux-hash patch for OpenSSH 6.6p1 (attached & posted at
http://sf.net/projects/mancha/files/misc/openssh-6.6p1-mux-hash.diff).

--mancha
Re: [RFC] Add hash token to ControlPath
On Wed, 2 Apr 2014, mancha wrote:

> I've updated the mux-hash patch for OpenSSH 6.6p1 (attached & posted at
> http://sf.net/projects/mancha/files/misc/openssh-6.6p1-mux-hash.diff).

Could you file a bug for this at bugzilla? That's the best way to make
sure it doesn't fall off our radar.

-d
Re: [RFC] Add hash token to ControlPath
On Thu, Apr 03, 2014 at 07:57:32AM +1100, Damien Miller wrote:
> On Wed, 2 Apr 2014, mancha wrote:
>
> > I've updated the mux-hash patch for OpenSSH 6.6p1 (attached & posted at
> > http://sf.net/projects/mancha/files/misc/openssh-6.6p1-mux-hash.diff).
>
> Could you file a bug for this at bugzilla? That's the best way to make
> sure it doesn't fall off our radar.

Done. https://bugzilla.mindrot.org/show_bug.cgi?id=2220

Thanks for the suggestion.

--mancha