T100: [ssh] Add support for no-more-sessions@openssh.com
Description
Originally reported by asn: https://bugs.libssh.org/T100
Add support for no-more-sessions@openssh.com.
Most SSH connections will only ever request a single session, but an attacker may abuse a running ssh client to surreptitiously open additional sessions under their control. OpenSSH provides a global request "no-more-sessions@openssh.com" to mitigate this attack.
Follows the specification:
connection: disallow additional sessions extension "no-more-sessions@openssh.com"
Most SSH connections will only ever request a single session, but an attacker may abuse a running ssh client to surreptitiously open additional sessions under their control. OpenSSH provides a global request "no-more-sessions@openssh.com" to mitigate this attack.
When an OpenSSH client expects that it will never open another session (i.e. it has been started with connection multiplexing disabled), it will send the following global request:
byte SSH_MSG_GLOBAL_REQUEST
string "no-more-sessions@openssh.com"
char want-reply
On receipt of such a message, an OpenSSH server will refuse to open future channels of type "session" and instead immediately abort the connection.
Note that this is not a general defence against compromised clients (that is impossible), but it thwarts a simple attack.
NB. due to certain broken SSH implementations aborting upon receipt of this message, the no-more-sessions request is only sent to OpenSSH servers (identified by banner). Other SSH implementations may be listed to receive this message upon request.
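As an added example (not code from this ticket, its attached patch, or libssh itself), the exchange described above in C: the client-side encoding of the global request exactly as the spec lists it, and the server-side handling that latches the flag and afterwards refuses "session" channel opens while leaving other channel types alone. The conn_t state struct and function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_GLOBAL_REQUEST  80   /* RFC 4254 message numbers */
#define SSH_MSG_REQUEST_SUCCESS 81
#define SSH_MSG_REQUEST_FAILURE 82
#define NO_MORE_SESSIONS "no-more-sessions@openssh.com"

/* Per-connection server state (constructed for this example, not libssh's). */
typedef struct { int no_more_sessions; int aborted; } conn_t;

/* Client side: byte type, string name (uint32 length + bytes), char want-reply. */
size_t build_global_request(uint8_t *out, const char *name, int want_reply) {
    uint32_t n = (uint32_t)strlen(name);
    out[0] = SSH_MSG_GLOBAL_REQUEST;
    out[1] = (uint8_t)(n >> 24); out[2] = (uint8_t)(n >> 16);
    out[3] = (uint8_t)(n >> 8);  out[4] = (uint8_t)n;
    memcpy(out + 5, name, n);
    out[5 + n] = (uint8_t)want_reply;
    return 6 + n;
}

/* Server side: handle a received SSH_MSG_GLOBAL_REQUEST. Returns the reply
 * type to send, 0 when no reply was requested, or -1 on a malformed packet. */
int handle_global_request(conn_t *c, const uint8_t *pkt, size_t len) {
    if (len < 6 || pkt[0] != SSH_MSG_GLOBAL_REQUEST) return -1;
    uint32_t n = ((uint32_t)pkt[1] << 24) | ((uint32_t)pkt[2] << 16) |
                 ((uint32_t)pkt[3] << 8)  | pkt[4];
    if (n > len - 6) return -1;              /* name plus want-reply must fit */
    int want_reply = pkt[5 + n] != 0;
    if (n == strlen(NO_MORE_SESSIONS) && memcmp(pkt + 5, NO_MORE_SESSIONS, n) == 0) {
        c->no_more_sessions = 1;             /* latched for the connection's lifetime */
        return want_reply ? SSH_MSG_REQUEST_SUCCESS : 0;
    }
    return want_reply ? SSH_MSG_REQUEST_FAILURE : 0;  /* unknown request: refuse */
}

/* Server side: gate SSH_MSG_CHANNEL_OPEN. Returns 1 to proceed with the open,
 * 0 when the connection must be aborted, as the spec says OpenSSH does. */
int allow_channel_open(conn_t *c, const char *channel_type) {
    if (c->no_more_sessions && strcmp(channel_type, "session") == 0) {
        c->aborted = 1;
        return 0;
    }
    return 1;   /* other channel types (e.g. direct-tcpip) are unaffected */
}
```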
Comments:
asn commented on 2018-09-03 06:16:00 UTC:
This implements the server part. The patch hasn't been tested!
Attachment: no-more-sessions.asn1.patch.txt