[ Home page ]
Sorry-- I haven't had time to update these lately. They may work with more recent (less buggy) OpenSSHs, but I haven't checked....
Here are some patches against OpenSSH, in version 2.5.1p1 of the `portable' version. This is the most recent version which is currently believed to be free of free-root-shell style security bugs; when such bugs are found in this version, I will probably update the patches to work with the new version. I also have the same patches for 2.3.0p1; I believe that this version is safe, too, though presumably less featureful than the most recent.
This is useful if you frequently use
ssh(1) via connections which
run over masquerading routers or others which time out idle connections. The
patch sends a null message (not SSH_MSG_IGNORE, since apparently that
will crash some servers) at a fixed interval of inactivity, by default three
Many people are distrustful of port-filtering firewalls which rather than
keeping track of active connections simply use the SYN flag to protect from
unauthorised incoming connections. It is typical to configure such firewalls
to only allow connections on a small range of reserved ports near 1023, on
which no well-known services will be running anywhere on the network. This
patch modifies OpenSSH to try to obtain reserved ports at the top of
this range, just like every other piece of networking code which needs a
Thanks to James McKenzie for this patch.
This adds user-level accounting of bandwidth consumed in ssh sessions; it does not attempt to correct for the bandwidth consumed by IP headers, but it is also easier to deal with than the Linux-kernel level user IP accounting patches (and god knows what you do if you need to do accounting on a closed-source UNIX...). I have written some notes on how this is implemented.
Copyright (c) 2001 Chris Lightfoot. All rights reserved.