- djm@cvs.openbsd.org 2008/05/08 12:21:16

     [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@

ChangeLog

@@ -77,6 +77,21 @@
      shouldn't happen in compliant implementations, but it could be
      abused to leak memory.
      ok markus@ (as part of a larger diff)
+   - djm@cvs.openbsd.org 2008/05/08 12:21:16
+     [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
+     [sshd_config sshd_config.5]
+     Make the maximum number of sessions run-time controllable via
+     a sshd_config MaxSessions knob. This is useful for disabling
+     login/shell/subsystem access while leaving port-forwarding working
+     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
+     simply increasing the number of allows multiplexed sessions.
+     Because some bozos are sure to configure MaxSessions in excess of the
+     number of available file descriptors in sshd (which, at peak, might be
+     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
+     on error paths, and make it fail gracefully on out-of-fd conditions -
+     sending channel errors instead of than exiting with fatal().
+     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
+     ok markus@
 
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@@ -3937,4 +3952,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4922 2008/05/19 05:28:35 djm Exp $
+$Id: ChangeLog,v 1.4923 2008/05/19 05:34:50 djm Exp $

monitor.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.95 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1273,7 +1273,7 @@ mm_session_close(Session *s)
 		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
 		session_pty_cleanup2(s);
 	}
-	s->used = 0;
+	session_unused(s->self);
 }
 
 int

monitor_wrap.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.61 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.62 2008/05/08 12:21:16 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -666,7 +666,20 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 {
 	Buffer m;
 	char *p, *msg;
-	int success = 0;
+	int success = 0, tmp1 = -1, tmp2 = -1;
+
+	/* Kludge: ensure there are fds free to receive the pty/tty */
+	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
+	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
+		error("%s: cannot allocate fds for pty", __func__);
+		if (tmp1 > 0)
+			close(tmp1);
+		if (tmp2 > 0)
+			close(tmp2);
+		return 0;
+	}
+	close(tmp1);
+	close(tmp2);
 
 	buffer_init(&m);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
@@ -711,8 +724,9 @@ mm_session_pty_cleanup2(Session *s)
 	buffer_free(&m);
 
 	/* closed dup'ed master */
-	if (close(s->ptymaster) < 0)
-		error("close(s->ptymaster): %s", strerror(errno));
+	if (s->ptymaster != -1 && close(s->ptymaster) < 0)
+		error("close(s->ptymaster/%d): %s",
+		    s->ptymaster, strerror(errno));
 
 	/* unlink pty from session */
 	s->ttyfd = -1;

servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.179 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
 	options->max_authtries = -1;
+	options->max_sessions = -1;
 	options->banner = NULL;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
@@ -237,6 +238,8 @@ fill_default_server_options(ServerOptions *options)
 		options->max_startups_begin = options->max_startups;
 	if (options->max_authtries == -1)
 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+	if (options->max_sessions == -1)
+		options->max_sessions = DEFAULT_SESSIONS_MAX;
 	if (options->use_dns == -1)
 		options->use_dns = 1;
 	if (options->client_alive_interval == -1)
@@ -291,7 +294,7 @@ typedef enum {
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
-	sMaxStartups, sMaxAuthTries,
+	sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -395,6 +398,7 @@ static struct {
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
+	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
@@ -695,7 +699,7 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sServerKeyBits:
 		intptr = &options->server_key_bits;
-parse_int:
+ parse_int:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing integer value.",
@@ -707,7 +711,7 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sLoginGraceTime:
 		intptr = &options->login_grace_time;
-parse_time:
+ parse_time:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing time value.",
@@ -776,7 +780,7 @@ process_server_config_line(ServerOptions *options, char *line,
 			fatal("%s line %d: too many host keys specified (max %d).",
 			    filename, linenum, MAX_HOSTKEYS);
 		charptr = &options->host_key_files[*intptr];
-parse_filename:
+ parse_filename:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing file name.",
@@ -819,7 +823,7 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sIgnoreRhosts:
 		intptr = &options->ignore_rhosts;
-parse_flag:
+ parse_flag:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing yes/no argument.",
@@ -1155,6 +1159,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->max_authtries;
 		goto parse_int;
 
+	case sMaxSessions:
+		intptr = &options->max_sessions;
+		goto parse_int;
+
 	case sBanner:
 		charptr = &options->banner;
 		goto parse_filename;
@@ -1382,6 +1390,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
+	M_CP_INTOPT(max_sessions);
 
 	M_CP_STROPT(banner);
 	if (preauth)

servconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */
+/* $OpenBSD: servconf.h,v 1.84 2008/05/08 12:21:16 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,7 @@
 #define	PERMIT_YES		3
 
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
+#define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 
 /* Magic name for internal sftp-server */
 #define INTERNAL_SFTP_NAME	"internal-sftp"
@@ -123,6 +124,7 @@ typedef struct {
 	int	max_startups_rate;
 	int	max_startups;
 	int	max_authtries;
+	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
 	int	use_dns;
 	int	client_alive_interval;	/*